SMS: SMSCliToknAcct& Locked Out When Hardware Inventory Is Enabled

ID: Q232653

The information in this article applies to:
  • Microsoft Systems Management Server version 2.0

SYMPTOMS

After you add clients to a Systems Management Server site and enable the hardware inventory client component, administrators may observe the following symptoms involving account lockouts and/or software distribution failure:

  • Software distribution fails to connect because the SMSCliToknAcct& account is locked out.


  • The SMSCliToknAcct& is continually locked out in the domain accounts database or in individual local accounts databases of Systems Managment Server Clients.


This issue only occurs on sites which have enabled the hardware inventory agent.


CAUSE

When enumerating the Win32_LogicalDisk class for hardware inventory the SMSCliToknAcct& local account is used to access network drives. The remote system has the SMSCliToknAcct& if it is a client, but may have a different password. This causes a password failure and eventually locks the account.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Systems Management Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp
The English language version of this software update earlier than Service Pack 1 should have the following file attributes or later: 

   Date      Time    Size        File name   
   ------------------------------------------
   06/21/99 07:11p          67   COMPVER.INI
   06/21/99 08:13p     320,491   inhinv32.EXE
   06/21/99 06:24p      74,531   sms_def.mof
   06/11/99 02:04p   3,809,058   wbemsdk.exe
The English language version of this software update included in Service Pack 1 should have the following file attributes or later: 

   Date      Time    Size      File name   
   ----------------------------------------
   07/27/99 01:55p        67   COMPVER.INI
   07/27/99 01:48p   321,701   inhinv32.EXE
   07/21/99 06:12p    73,694   sms_def.mof
   06/25/99 12:00a   151,424   hinv32.exe
NOTE: Due to file dependencies, the most recent hotfix or feature that contains the above files may also contain additional files.



WORKAROUND

There are also two possible workarounds for this issue:

  • Disable account lockouts on the domain and on individual site systems that are not domain controllers to prevent the lockouts from occurring.


  • Disable enumeration of the Win32_LogicalDisk class in the SMS_DEF.MOF file for the site. For more information on how to do this see chapter 10 of the Microsoft Systems Management Server Administrator's Guide.



    • STATUS

    Microsoft has confirmed this to be a problem in Systems Management Server version 2.0.


    MORE INFORMATION

    To install the pre-SP1 version of this hotfix, perform the following steps on the Systems Management Server site server:

    1. Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.


    2. Copy the updated Inhinv32.exe file to the following folder:


      3. \SMS\Inboxes\Clicomp.src\Hinv\<Platform>
    3. Copy the updated Wbemsdk.exe file to the following folder:


      4. \SMS\Inboxes\Clicomp.src\Wbem\<Platform>
    4. Copy the updated Sms_def.mof file to the following folder:


      5. \SMS\Inboxes\Clifiles.src\Hinv
    5. Copy the updated Compver.ini file to the following locations:


      • \SMS\Inboxes\Clicomp.src\Hinv
      • \SMS\Inboxes\Clicomp.src\Wbem


    6. Copy the updated Hinv32.exe file to the following folder:
      \SMS\Bin\<Platform>
      NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run inhinv32.exe /x and select the file to extract.


    7. Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.


    NOTE: Once the SMS Inbox Manager component updates the Client Access Points (CAP), the client will be able to access the updated files. The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation.

    To install the Post-SP1 hotfix, perform the following steps on the Systems Management Server site server:
    1. Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.


    2. Copy the updated Compver.ini file to the following folder:


      3. \SMS\Inboxes\Clicomp.src\Hinv
    3. Copy the updated Inhinv32.exe file to the following folder:


      4. \SMS\Inboxes\Clicomp.src\Hinv\<Platform>
    4. Copy the updated Sms_def.mof file to the following folder:
      \SMS\Inboxes\Clifiles.src\Hinv
      NOTE: If the existing Sms_def.mof file has been modified to change the information gathered by the 32-bit hardware inventory agent, those changes have to be made to the replacement Sms_def.mof file to obtain the same inventory information after you apply this fix.


    5. Copy the updated Hinv32.exe file to the following folder:
      \SMS\Bin\<Platform>
      NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run inhinv32.exe /x and select the file to extract.


    6. Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.


    NOTE: The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation.


    All Systems Management Server clients have the SMSCliToknAcct& account in the local accounts database while all Domain Controllers share a single SMSCliToknAcct& from the domain accounts database.

    The SMSCliToknAcct& account is used to launch installations in several specific situations:
    • The "Run with administrative rights" option is enabled for a program that isn't also configured to use the Windows NT client software installation account.


    • The program is set to run "Whether or not a user is logged on" and the program isn't configured to use the Windows NT client software installation account.


    • The program is set to run "Only when no user is logged on" and isn't configured to use the Windows NT client software installation account.


    Additional query words: prodsms

    Keywords : kbnetwork kbClient kbSecurity kbServer kbSMS200 kbSMS200bug kbInventory kbSoftwareDist kbSMS200sp1fix
    Version : winnt:2.0
    Platform : winnt
    Issue type : kbbug


    Last Reviewed: January 7, 2000
    © 2000 Microsoft Corporation. All rights reserved. Terms of Use.