SMS: PCM May Cause Account Lockouts in a High-Security Domain

• Microsoft Systems Management Server version 1.2

SYMPTOMS

In a high-security domain where password expiration and account lockout are enabled, if users remain logged on their Windows NT computers and do not change their passwords within the required time, Package Command Manager (PCM) continually attempts to connect to servers using the expired passwords. This causes high CPU utilization by the local security authority (Lsass.exe) on the primary domain controller (PDC) of the validating domain.

The new version of PCM provided in the hotfix described below will detect when the account it is using to connect to a server is locked out or has a bad or expired password. When this occurs, PCM will suspend its connection attempts for a period of three days or until it is restarted. The errors that PCM receives from its connection attempts are written to the log file and PCMWIN32 displays a connection error message to the logged-on user:

Security violation: access denied

CAUSE

Every account validation attempt for a locked-out account is sent to the PDC for verification.

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Systems Management Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

   Date      Time       Version           Size    File name      Platform
   ----------------------------------------------------------------------

   5/6/99   6:30pm   1.2(build 786)     469,936   Pcmwin32.exe   x86
   5/6/99   6:30pm   1.2(build 786)     270,832   Pcmsvc32.exe   x86
   5/6/99   6:30pm   1.2(build 786)   1,175,312   Pcmwin32.exe   alpha
   5/6/99   6:34pm   1.2(build 786)     801,040   Pcmsvc32.exe   alpha 

WORKAROUND

If password expiration and account lockout policies are in effect, users should be directed to log off their computers instead of simply locking them.

STATUS

Microsoft has confirmed this to be a problem in Systems Management Server version 1.2.

MORE INFORMATION

To install the hotfix, perform the following procedures at the Systems Management Server site server.

1. Replace the Pcmsvc32.exe file in the SMS_root\Site.srv\Platform.bin directory with the version obtained from the hotfix.



2. Reset the site. This is necessary to copy the updated file to all servers managed by the Site Configuration Manager. Windows NT workstation computers running PCMSVC32 can be updated using RSERVICE.



3. Replace the Pcmwin32.exe file in the SMS_root\Site.srv\Maincfg.box\Client.src\Platform.bin directory with the version provided in the hotfix.



4. Maintenance Manager will replicate the updated file to the Systems Management Server logon servers on its next work cycle. To update the clients running PCMWIN32, either manually run Upgrade.bat on each client or follow the instructions in the following article in the Microsoft Knowledge Base:
   

   Q166771 SMS: How to Force Site-Wide Client Updates

Additional query words: prodsms lock out locked

Keywords : kbnetwork kbSMS120 kbSMS120bug kbPCM
Version : winnt:1.2
Platform : winnt
Issue type : kbbug