DOCUMENT:Q232653 25-JUN-2000 [sms] TITLE :SMSCliToknAcct& Locked Out When Hardware Inventory Is Enabled PRODUCT :Microsoft Systems Management Server PROD/VER:winnt:2.0 OPER/SYS: KEYWORDS:kbnetwork kbClient kbSecurity kbServer kbsms200 kbsms200bug kbInventory kbSoftwareDist ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server version 2.0 ------------------------------------------------------------------------------- SYMPTOMS ======== After you add clients to a Systems Management Server site and enable the hardware inventory client component, administrators may observe the following symptoms involving account lockouts and/or software distribution failure: - Software distribution fails to connect because the SMSCliToknAcct& account is locked out. - The SMSCliToknAcct& is continually locked out in the domain accounts database or in individual local accounts databases of Systems Management Server Clients. This issue only occurs on sites which have enabled the hardware inventory agent. CAUSE ===== When enumerating the Win32_LogicalDisk class for hardware inventory the SMSCliToknAcct& local account is used to access network drives. The remote system has the SMSCliToknAcct& if it is a client, but may have a different password. This causes a password failure and eventually locks the account. RESOLUTION ========== To resolve this problem, obtain the latest service pack for Systems Management Server version 2.0. For additional information, please see the following article in the Microsoft Knowledge Base: Q236325 How to Obtain the Latest Systems Management Server 2.0 Service Pack WORKAROUND ========== There are also two possible workarounds for this issue: - Disable account lockouts on the domain and on individual site systems that are not domain controllers to prevent the lockouts from occurring. - Disable enumeration of the Win32_LogicalDisk class in the SMS_DEF.MOF file for the site. For more information on how to do this see chapter 10 of the Microsoft Systems Management Server Administrator's Guide. STATUS ====== Microsoft has confirmed this to be a problem in Systems Management Server version 2.0. This problem was first corrected in Systems Management Server version 2.0 Service Pack 2. MORE INFORMATION ================ To install the pre-SP1 version of this hotfix, perform the following steps on the Systems Management Server site server: 1. Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. 2. Copy the updated Inhinv32.exe file to the following folder: \SMS\Inboxes\Clicomp.src\Hinv\ 3. Copy the updated Wbemsdk.exe file to the following folder: \SMS\Inboxes\Clicomp.src\Wbem\ 4. Copy the updated Sms_def.mof file to the following folder: \SMS\Inboxes\Clifiles.src\Hinv 5. Copy the updated Compver.ini file to the following locations: - \SMS\Inboxes\Clicomp.src\Hinv - \SMS\Inboxes\Clicomp.src\Wbem 6. Copy the updated Hinv32.exe file to the following folder: \SMS\Bin\ NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run "inhinv32.exe /x" (without the quotation marks) and select the file to extract. 7. Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. NOTE: Once the SMS Inbox Manager component updates the Client Access Points (CAP), the client will be able to access the updated files. The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation. To install the Post-SP1 hotfix, perform the following steps on the Systems Management Server site server: 1. Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. 2. Copy the updated Compver.ini file to the following folder: \SMS\Inboxes\Clicomp.src\Hinv 3. Copy the updated Inhinv32.exe file to the following folder: \SMS\Inboxes\Clicomp.src\Hinv\ 4. Copy the updated Sms_def.mof file to the following folder: \SMS\Inboxes\Clifiles.src\Hinv NOTE: If the existing Sms_def.mof file has been modified to change the information gathered by the 32-bit hardware inventory agent, those changes have to be made to the replacement Sms_def.mof file to obtain the same inventory information after you apply this fix. 5. Copy the updated Hinv32.exe file to the following folder: \SMS\Bin\ NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run "inhinv32.exe /x" (without the quotation marks) and select the file to extract. 6. Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. NOTE: The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation. All Systems Management Server clients have the SMSCliToknAcct& account in the local accounts database while all Domain Controllers share a single SMSCliToknAcct& from the domain accounts database. The SMSCliToknAcct& account is used to launch installations in several specific situations: - The "Run with administrative rights" option is enabled for a program that isn't also configured to use the Windows NT client software installation account. - The program is set to run "Whether or not a user is logged on" and the program isn't configured to use the Windows NT client software installation account. - The program is set to run "Only when no user is logged on" and isn't configured to use the Windows NT client software installation account. Additional query words: prodsms ====================================================================== Keywords : kbnetwork kbClient kbSecurity kbServer kbsms200 kbsms200bug kbInventory kbSoftwareDist kbsms200sp1fix kbsms200sp2fix kbfixlist Technology : kbSMSSearch kbSMS200 Version : winnt:2.0 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2000.