SMS: Site Configuration Manager service locks trusted service account (171005)

SYMPTOMS

When Site Configuration Manager (SCMAN) does global user group enumeration, a Systems Management Server service account for another Systems Management Server site may be locked out in the process.

The Scman.log file will have entries similar to the following:

   ~Domain (DOMAINA) user groups previously enumerated
   $$<SMS_SITE_CONFIG_MANAGER><Wed Jun 18

   15:49:57 1997~><thread=12E>
   ~Trusted domain: DOMAINB   $$<SMS_SITE_CONFIG_MANAGER><Wed Jun 18
   15:49:57

   1997~><thread=12E>
   ~NetServerGetInfo server: SERVER return: 5
   $$<SMS_SITE_CONFIG_MANAGER><Wed Jun 18

   15:50:03 1997~><thread=12E>

CAUSE

This problem occurs if the two domains have Systems Management Server service accounts that have the same user name, but different passwords. When the domain for the site where SCMAN is running is trusted by the other site's domain, Site Configuration Manager attempts to enumerate the user groups of the trusted domain using its service account. Because the passwords do not match, an error 5 (access denied) occurs. If account lockout is set at the trusted domain, this may result in the trusted domain's Systems Management Server service account being locked out.

WORKAROUND

To work around this problem, do either of the following:

Change the Systems Management Server Service Account name on the trusted domain.

-or-
If the trusted domain is not using Program Group Control (PGC), use the SETGUG utility to shut off global user group enumeration.

STATUS

Microsoft has confirmed this to be a problem in Systems Management Server versions 1.0, 1.1, and 1.2. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.