DOCUMENT:Q278660 06-AUG-2002 [sms] TITLE :SMS: SMSCliToknAcct May Be Locked Out PRODUCT :Microsoft Systems Management Server PROD/VER::2.0,2.0 SP1,2.0 SP2,2.0 SP3 OPER/SYS: KEYWORDS:kbinterop kbnetwork kbClient kbConfig kbSecurity kbServer kbsms200 kbNetMon kbNetTrace ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server versions 2.0, 2.0 SP1, 2.0 SP2, 2.0 SP3 ------------------------------------------------------------------------------- SYMPTOMS ======== The Client User Token account (SMSCliToknAcct&) may be locked out of your domain. CAUSE ===== This issue can occur if the Systems Management Server (SMS) client workstation contains certain third-party drivers. This issue is not caused by SMS; instead, this issue is caused by drivers that attempt to access resources across the network. These drivers attempt to locate files on the local computer. If the files cannot be found, the drivers continue to search the location that the system path variable points to. If the system path contains references to any network locations, these locations are searched as well. This issue can also occur if an account lockout policy is enabled in the domain. In this case, the \SMSCliToknAcct& account is locked out because the local and domain accounts have different passwords. WORKAROUND ========== To work around this issue, capture network traffic, frames, or packets to determine which files the drivers are attempting to locate. You can also use Network Monitor to perform a trace. For additional information about how to use Network Monitor, click the article numbers below to view the articles in the Microsoft Knowledge Base: Q148942 How to Capture Network Traffic with Network Monitor Q232247 Using Network Monitor to Capture Traffic Using a Remote Agent MORE INFORMATION ================ The following audio drivers have been reported to cause this issue: - Crystal Audio - Yamaha - Creative - ESS NOTE: Not all versions of these drivers exhibit this issue. For additional information about how audio drivers are used with the SMSCliToknAcct account, click the article number below to view the article in the Microsoft Knowledge Base: Q248880 SMS: SMSCliToknAcct Account Accesses Network from Computers with Compaq's Auddrive.sys Driver Installed You can use the SMSCliToknAcct& account to create user tokens on client computers. On computers that are not domain controllers, SMS grants permissions to this account as they are needed and deletes these permissions immediately after they are used. On domain controllers, the permissions for this account persist as long as the SMS client services exist in the site. This account is used to start installations in several specific situations: - If the "Run with administrative rights" option is enabled for a program that is not also configured to use the Microsoft Windows NT 4.0 client software installation account. - If the program is set to run even if the user is not logged on and the program is not configured to use the Windows NT client software installation account. - If the program is set to run only when users are not logged on and the program is not configured to use the Windows NT client software installation account. Additional query words: netmon prodsms ====================================================================== Keywords : kbinterop kbnetwork kbClient kbConfig kbSecurity kbServer kbsms200 kbNetMon kbNetTrace Technology : kbSMSSearch kbSMS200 kbSMS200SP1 kbSMS200SP2 kbSMS200SP3 Version : :2.0,2.0 SP1,2.0 SP2,2.0 SP3 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.