SMS: Access Account Security on Distribution Points May Be Applied Incorrectly in a Multiple-Domain Environment

ID: Q244409


The information in this article applies to:
  • Microsoft Systems Management Server versions 2.0, 2.0 SP1


SYMPTOMS

In a multiple-domain environment, package security may be applied incorrectly on distribution points. Specifically, the NTFS permissions of the package folder are set to a local group rather than the intended global group from a trusted domain, even though the account was properly prefixed when it was added by using the SMS Administrator console. This problem occurs only if there is a group with the same name in the domain in which the distribution point resides. For example:

A Systems Management Server (SMS) administrator defines AccountDomain\TestGroup under Access Accounts. The targeted distribution server is a part of a domain named ResourceDomain, which trusts AccountDomain. The ResourceDomain domain also contains a group named TestGroup. Distribution Manager adds permissions to the distribution point using the TestGroup group from the ResourceDomain domain, instead of TestGroup from AccountDomain. However, if TestGroup does not exist in the ResourceDomain domain, Distribution Manager adds permissions using AccountDomain\TestGroup.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Systems Management Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English-language version of this fix should have the following file attributes or later:

   Date      Time   Version          Size     File name    Platform
   ----------------------------------------------------------------
   10/14/99  7:58pm 2.00.1380.1055   232,288  Abnwcli.dll  i386
   10/01/99  1:22pm 2.00.1380.1051   256,864  Bindclin.dll i386
   09/10/99  6:49pm 2.00.1380.1023   158,544  Ccim32.dll   i386
   10/20/99  2:14pm                1,325,586  Ccmcore.exe  i386
   10/20/99  2:14pm                3,214,201  Clicore.exe  i386
   10/01/99  1:22pm 2.00.1380.1051   157,536  Falclin.dll  i386
   10/20/99  2:07pm 2.00.1380.1056   337,248  Mslmclin.dll i386
   10/20/99  2:07pm 2.00.1380.1056   334,688  Mslmsvrn.dll i386
   10/01/99  1:22pm 2.00.1380.1051   266,592  Ndsclin.dll  i386
   10/14/99  7:59pm 2.00.1380.1055   409,360  Abnwcli.dll  Alpha
   09/10/99  6:49pm 2.00.1380.1023   253,200  Ccim32.dll   Alpha
   10/20/99  2:16pm                1,934,748  Ccmcore.exe  Alpha
   10/20/99  2:14pm                4,236,546  Clicore.exe  Alpha
   10/01/99  1:22pm 2.00.1380.1051   285,968  Falclin.dll  Alpha
   10/20/99  2:08pm 2.00.1380.1056   576,784  Mslmclin.dll Alpha
   10/20/99  2:08pm 2.00.1380.1056   573,200  Mslmsvrn.dll Alpha
   10/20/99  2:16pm                       67  Compver.ini

NOTE: Due to file dependencies, the most recent hotfix or feature that contains the above files may also contain additional files.



WORKAROUND

To work around this problem, use any of the following methods:

  • Use unique user group names that do not exist in other domains.


  • If the intended user group is a global group and the same-named user group is a local group, add the global group to the local group of the appropriate domain.


  • Apply permissions to distribution points manually after Distribution Manager finishes its process.
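
One way to check a package folder for the condition described under SYMPTOMS, before or after permissions are applied by hand. This is an added example, not part of the original article or of SMS; it is written in PowerShell, which postdates SMS 2.0, and the function names, sample trustees and folder path are assumptions.

```powershell
# Added example: flag ACL trustees that carry an intended access account's
# group name but a different domain (the mis-resolution described in SYMPTOMS).

function Split-Account {
    param([string] $Account)
    # 'DOMAIN\Name' -> Domain and Name; a bare name gets an empty Domain.
    $parts = $Account -split '\\', 2
    if ($parts.Count -eq 2) {
        [pscustomobject]@{ Domain = $parts[0]; Name = $parts[1] }
    } else {
        [pscustomobject]@{ Domain = ''; Name = $parts[0] }
    }
}

function Find-MisresolvedAccessAccount {
    param(
        [string[]] $AclIdentity,     # trustees read from the package folder ACL
        [string[]] $IntendedAccount  # access accounts as entered in the SMS console
    )
    $trustees = @($AclIdentity | ForEach-Object { Split-Account $_ })
    foreach ($wanted in $IntendedAccount) {
        $w = Split-Account $wanted
        # String -eq is case-insensitive, which matches account-name comparison.
        $sameName = @($trustees | Where-Object { $_.Name -eq $w.Name })
        $intendedPresent = @($sameName | Where-Object { $_.Domain -eq $w.Domain }).Count -gt 0
        foreach ($t in @($sameName | Where-Object { $_.Domain -ne $w.Domain })) {
            [pscustomobject]@{
                Intended        = $wanted
                FoundOnAcl      = "$($t.Domain)\$($t.Name)"
                # False means the intended group has no entry at all on the folder.
                IntendedPresent = $intendedPresent
            }
        }
    }
}

# Constructed sample: the trustees the article's example would leave behind.
$sampleAcl = 'BUILTIN\Administrators', 'ResourceDomain\TestGroup'
Find-MisresolvedAccessAccount -AclIdentity $sampleAcl -IntendedAccount 'AccountDomain\TestGroup'

# Against a real folder (the path is a placeholder, not a path from the article):
# $acl = (Get-Acl 'D:\path\to\package').Access | ForEach-Object { $_.IdentityReference.Value }
# Find-MisresolvedAccessAccount -AclIdentity $acl -IntendedAccount 'AccountDomain\TestGroup'
```

A row with IntendedPresent set to False is the case from the article's example: the same-named group from the distribution point's domain holds the permission and the intended trusted-domain group does not.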



STATUS

Microsoft has confirmed this to be a problem in Systems Management Server version 2.0.


MORE INFORMATION

To install the hotfix, perform the following steps at the SMS site server:

  1. Stop the SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER services.


  2. Replace the Ccmcore.exe file in the SMS_root\Inboxes\Clicomp.src\Base\Platform folder with the version obtained from the hotfix.


  3. Replace the Clicore.exe file in the SMS_root\Inboxes\Clicomp.src\Base\Platform folder with the version obtained from the hotfix.


  4. Replace the Compver.ini file in the SMS_root\Inboxes\Clicomp.src\Base folder with the version obtained from the hotfix.


  5. Replace the Abnwcli.dll file in the SMS_root\Bin\Platform folder with the version obtained from the hotfix.


  6. Replace the Ccim32.dll file in the SMS_root\Bin\Platform folder with the version obtained from the hotfix.


  7. Replace the Falclin.dll file in the SMS_root\Bin\Platform folder with the version obtained from the hotfix.


  8. Replace the Mslmclin.dll file in the SMS_root\Bin\Platform folder with the version obtained from the hotfix.


  9. Replace the Mslmsvrn.dll file in the SMS_root\Bin\Platform folder with the version obtained from the hotfix.


  10. Start the SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER services.


  11. Allow the updated Compver.ini, Clicore.exe, and Ccmcore.exe files to be propagated to all Logon Points and/or Client Access Points (CAPs) in the site.


NOTE: The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfix files to be propagated to the clients. To speed up this process, use any of the following methods:

  • Stop and restart the SMS Client service on each client. For Microsoft Windows NT, stop and restart the service. For Microsoft Windows 95 or Microsoft Windows 98, a restart is required.


  • Create a software distribution for one of the Resource Kit tools (Setevnt.exe or Cliutils.exe), along with the appropriate parameters to start a CCIM work cycle. The tools are located on the Systems Management Server (SMS) 2.0 CD-ROM.

    For Setevnt.exe, the syntax is:

    setevnt /q

    For Cliutils.exe, the syntax is:

    Cliutils KICK "Client Configuration Installation Manager"


  • If you have the Networking Logon Client Installation option enabled, have users log off and back on.


  • Have users run SMSMan manually.


NOTE: Windows 95/98 clients may require a restart after the hotfix files have been installed to receive full hotfix functionality. To verify this, review the Clicore.log file after the update. If a restart is required, the entry listed below is logged. Because of the nature of this hotfix, Microsoft recommends that a mandatory restart policy be used for all Windows 95-based and Windows 98-based computers after the hotfix has been applied.

   Reboot required - disabling component until reboot

WARNING: This hotfix contains files for the SMS Client Base component that have a version of 2.00.1380.1056. Before applying this hotfix, you should verify that your current SMS Client Base component version is earlier than 2.00.1380.1056.

Additional query words: prodsms

Keywords : kbSMS200 kbSMS200bug kbSoftwareDist
Version : winnt:2.0,2.0 SP1
Platform : winnt
Issue type : kbbug


Last Reviewed: November 25, 1999
© 2000 Microsoft Corporation. All rights reserved.