SMS: SMSCliToknAcct& and/or SMSCliSvcAcct& Accounts Locked Out on Site Systems or Domain
ID: Q231399
The information in this article applies to:
- Microsoft Systems Management Server version 2.0
SYMPTOMS
After adding clients to a Systems Management Server site, administrators may observe the following symptoms involving account lockouts and/or software distribution failure:
- Software distribution fails to domain controllers because the SMSCliToknAcct& domain account is locked out.
- Software distribution fails to site systems that are not domain controllers because the SMSCliToknAcct& is locked out in the local accounts database.
- The Systems Management Server Client Service fails to start on site systems that are not domain controllers because the SMSCliSvcAcct& account has been locked out.
- The SMSCliToknAcct& in the domain is continually locked out.
- The SMSCliToknAcct& on individual site systems that are not domain controllers is continually locked out.
- The SMSCliSvcAcct& on individual site systems that are not domain controllers is continually locked out.
To work around this problem, disable account lockouts on the domain and on individual site systems that are not domain controllers.
CAUSE
The Systems Management Server client service incorrectly attempts to use the local SMSCliToknAcct& and local SMSCliSvcAcct& credentials when connecting to site systems such as client access points (CAPs) or distribution points.
On site systems that happen to be Systems Management Server clients and are not domain controllers, both the SMSCliToknAcct& and SMSCliSvcAcct& accounts exist in the local accounts database, but they have different passwords from the similarly named accounts in each client's local accounts database. The continual attempts by individual clients to connect with the client-specific accounts can cause these two accounts to be locked out on the site systems as a result of logon failures.
On site systems that are domain controllers, only one account with the same name exists, the SMSCliToknAcct& account, which is shared among all the domain controllers. If any of the domain controllers for a given domain are configured as a client access point or distribution point, clients may incorrectly attempt to use the local account credentials to access these site systems. This can result in logon failures due to the password mismatch. Successive logon failures can cause lockouts of the SMSCliToknAcct& domain account.
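A triage sketch for the failure pattern described above, added here as an example and not part of the original article: it groups failed network logons for the two SMS client accounts by site system and lists the clients responsible. The CSV layout, host names and the `min_sources` threshold are assumptions; 529 and 539 are the Windows NT security log IDs for a failed logon and for a logon attempt against a locked-out account.

```python
import csv, io
from collections import defaultdict

# Account names from the article; the trailing "&" is part of the name.
SMS_ACCOUNTS = {"smsclitoknacct&", "smsclisvcacct&"}
# Windows NT security log IDs: 529 = logon failure (unknown user name or
# bad password), 539 = logon failure (account locked out).
FAILURE_IDS = {"529", "539"}

# Constructed sample: simplified CSV export of security events gathered from
# site systems. Column layout and host names are assumptions for illustration.
SAMPLE = """\
computer,event_id,user,logon_type,workstation
CAP01,529,SMSCliToknAcct&,3,WKS101
CAP01,529,SMSCliToknAcct&,3,WKS102
CAP01,529,SMSCliSvcAcct&,3,WKS102
CAP01,529,SMSCliToknAcct&,3,WKS103
CAP01,539,SMSCliToknAcct&,3,WKS101
DP02,529,Administrator,3,WKS200
DP02,529,SMSCliToknAcct&,3,WKS101
"""

def triage(csv_text, min_sources=2):
    """Group failed network logons for the SMS client accounts by
    (site system, account) and list the clients that caused them."""
    sources, locked = defaultdict(set), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in FAILURE_IDS or row["logon_type"] != "3":
            continue  # only failed network logons (logon type 3)
        if row["user"].lower() not in SMS_ACCOUNTS:
            continue  # unrelated account: investigate separately
        key = (row["computer"], row["user"])
        sources[key].add(row["workstation"])
        if row["event_id"] == "539":
            locked.add(key)
    return [{
        "site_system": computer,
        "account": user,
        "clients": sorted(sources[(computer, user)]),
        "locked_out": (computer, user) in locked,
        # Several distinct clients failing against one site system with these
        # account names is the pattern the article describes.
        "multi_client_pattern": len(sources[(computer, user)]) >= min_sources,
    } for computer, user in sorted(sources)]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Failures for these account names that come from a single workstation, or for any other account, fall outside the pattern and should be reviewed as ordinary logon failures.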
WORKAROUND
To resolve this problem, obtain the latest service pack for Systems Management Server 2.0. For additional information, please see the following article in the Microsoft Knowledge Base:
Q236325 SMS: How to Obtain the Latest Systems Management Server 2.0 Service Pack
The English version of this fix should have the following file attributes or later:
Date      Time     Size       File name     Platform
------------------------------------------------------
06/08/99  06:12pm         67  Compver.ini
06/08/99  06:09pm    199,008  Mslmcli9.dll  Intel
06/08/99  06:09pm    336,224  Mslmclin.dll  Intel
04/06/99  06:11pm    228,704  Abnwcli.dll   Intel
06/08/99  11:52am    264,544  NdsCliN.dll   Intel
06/08/99  06:09pm    334,176  Mslmsvrn.dll  Intel
05/19/99  01:03pm     69,488  Clisvcl.exe   Intel
06/08/99  06:12pm  1,172,311  CCMCore.exe   Intel
06/08/99  06:18pm  3,118,422  CliCore.exe   Intel
06/08/99  06:10pm    575,248  Mslmclin.dll  Alpha
04/06/99  06:13pm    403,728  Abnwcli.dll   Alpha
06/08/99  06:10pm    571,152  Mslmsvrn.dll  Alpha
06/08/99  06:18pm  4,085,128  Clicore.exe   Alpha
06/08/99  06:18pm  1,667,169  CCMCore.exe   Alpha
05/19/99  01:03pm    101,648  Clisvcl.exe   Alpha
STATUS
Microsoft has confirmed this to be a problem in Systems Management Server 2.0. This problem was first corrected in Systems Management Server 2.0 Service Pack 1.
MORE INFORMATION
The SMSCliToknAcct& account is used to launch installations in several specific situations:
- The "Run with administrative rights" option is enabled for a program that isn't also configured to use the Windows NT client software installation account.
- The program is set to run "Whether or not a user is logged on" and the program isn't configured to use the Windows NT client software installation account.
- The program is set to run "Only when no user is logged on" and isn't configured to use the Windows NT client software installation account.
The Systems Management Server client service runs under the SMSCliSvcAcct& account on Windows NT-based clients that are not domain controllers. On domain controllers the client service runs under the context of a machine-specific domain account named SMS&_<servername>. The SMSCliSvcAcct& account lockout doesn't occur when using domain controllers as site systems because there is not an account named SMSCliSvcAcct& automatically created on domain controller clients.
This issue will not affect the majority of client systems in a site, only those which are site systems or domain controllers.
Additional query words:
prodsms
Keywords : kbSecurity kbServer kbSMS200 kbSMS200bug kbSMS120 kbSMS120bug kbCAP kbSoftwareDist
Version : winnt:2.0
Platform : winnt
Issue type : kbbug