SMS: SMSCliToknAcct& and/or SMSCliSvcAcct& Accounts Locked Out on Site Systems or Domain (231399)



The information in this article applies to:

  • Microsoft Systems Management Server 2.0

This article was previously published under Q231399

SYMPTOMS

After adding clients to a Systems Management Server site, administrators may observe the following symptoms involving account lockouts and/or software distribution failure:
  • Software distribution fails to domain controllers because the SMSCliToknAcct& domain account is locked out.
  • Software distribution fails to site systems that are not domain controllers because the SMSCliToknAcct& is locked out in the local accounts database.
  • The Systems Management Server Client Service fails to start on site systems that are not domain controllers because the SMSCliSvcAcct& account has been locked out.
  • The SMSCliToknAcct& in the domain is continually locked out.
  • The SMSCliToknAcct& on individual site systems that are not domain controllers is continually locked out.
  • The SMSCliSvcAcct& on individual site systems that are not domain controllers is continually locked out.
To work around this problem, disable account lockouts on the domain and on individual site systems that are not domain controllers.

Custom inventory data, such as Group Classes, that is created by a NOIDMIF may not appear in Resource Explorer.

CAUSE

The Systems Management Server Client service incorrectly attempts to use the local SMSCliToknAcct& and the local SMSCliSvcAcct& credentials when connecting to site systems such as client access points (CAPs) or distribution points.

On site systems that happen to be Systems Management Server clients and are not domain controllers, both the SMSCliToknAcct& and SMSCliSvcAcct& accounts exist in the local accounts database but have different passwords than those similarly named accounts in the client's local accounts database. The continual attempts by individual clients to connect with the client-specific accounts can cause these two accounts to get locked out on the site systems as a result of logon failures.

On site systems that are domain controllers, only one account with the same name exists, the SMSCliToknAcct& account, which is shared among all the domain controllers. If any of the domain controllers for a given domain are configured as a client access point or distribution point, clients may incorrectly attempt to use the local account credentials to access these site systems. This can result in logon failures due to the password mismatch. Successive logon failures can cause lockouts of the SMSCliToknAcct& domain account.
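
An added example, not Microsoft's code, for triaging the lockout pattern described above: it groups failed logons by site system and account, and marks groups where remote clients fail against one of the two SMS client accounts. The CSV layout, host names and verdict strings are constructed for this example; 529 and 644 are the Windows NT security event IDs for a bad-password logon failure and a user account lockout.

```python
import csv
import io
from collections import defaultdict

# The two client accounts named in this article (compared case-insensitively).
SMS_ACCOUNTS = {"smsclitoknacct&", "smsclisvcacct&"}
LOGON_FAILURE, LOCKED_OUT = "529", "644"  # NT security event IDs

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE = """\
system,event_id,account,source
CAP01,529,SMSCliToknAcct&,WKS101
CAP01,529,SMSCliToknAcct&,WKS102
CAP01,529,SMSCliToknAcct&,WKS103
CAP01,644,SMSCliToknAcct&,WKS103
DP02,529,SMSCliSvcAcct&,WKS101
DP02,529,SMSCliSvcAcct&,WKS217
CAP01,529,Administrator,WKS555
CAP01,529,Administrator,WKS555
"""

def triage(export_text):
    """Group failures by (system, account) and label each group."""
    groups = defaultdict(lambda: {"failures": 0, "sources": set(), "locked": False})
    for row in csv.DictReader(io.StringIO(export_text)):
        g = groups[(row["system"], row["account"])]
        if row["event_id"] == LOGON_FAILURE:
            g["failures"] += 1
            g["sources"].add(row["source"].upper())
        elif row["event_id"] == LOCKED_OUT:
            g["locked"] = True
    report = {}
    for (system, account), g in groups.items():
        # Only failures arriving from other machines fit the cause described here.
        remote = {s for s in g["sources"] if s != system.upper()}
        if account.lower() in SMS_ACCOUNTS and remote:
            verdict = "consistent with SMS client credential mismatch"
        else:
            verdict = "not explained by this article"
        report[(system, account)] = {
            "failures": g["failures"], "clients": sorted(remote),
            "locked": g["locked"], "verdict": verdict}
    return report

if __name__ == "__main__":
    for key, info in sorted(triage(SAMPLE).items()):
        print(key, info)
```

A matching account name only makes a group consistent with this article; failures against any other account, such as the Administrator rows in the sample, need separate investigation.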

WORKAROUND

To resolve this problem, obtain the latest service pack for Systems Management Server 2.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

236325 SMS: How to obtain and install Systems Management Server 2.0 Service Pack 2

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time        Size   File name     Platform
   -------------------------------------------------------
   08-Jun-1999  18:12         67   Compver.ini
   08-Jun-1999  18:09    199,008   Mslmcli9.dll  Intel
   08-Jun-1999  18:09    336,224   Mslmclin.dll  Intel
   06-Apr-1999  18:11    228,704   Abnwcli.dll   Intel
   08-Jun-1999  11:52    264,544   NdsCliN.dll   Intel
   08-Jun-1999  18:09    334,176   Mslmsvrn.dll  Intel
   19-May-1999  13:03     69,488   Clisvcl.exe   Intel
   08-Jun-1999  18:12  1,172,311   CCMCore.exe   Intel
   08-Jun-1999  18:18  3,118,422   CliCore.exe   Intel
   08-Jun-1999  18:10    575,248   Mslmclin.dll  Alpha
   05-Apr-1999  18:13    403,728   Abnwcli.dll   Alpha
   08-Jun-1999  18:10    571,152   Mslmsvrn.dll  Alpha
   08-Jun-1999  18:18  4,085,128   Clicore.exe   Alpha
   08-Jun-1999  18:18  1,667,169   CCMCore.exe   Alpha
   19-May-1999  13:03    101,648   Clisvcl.exe   Alpha

STATUS

Microsoft has confirmed that this is a problem in Systems Management Server 2.0. This problem was first corrected in Systems Management Server 2.0 Service Pack 1.

MORE INFORMATION

The SMSCliToknAcct& account is used to launch installations in several specific situations:
  • The Run with administrative rights option is enabled for a program that isn't also configured to use the Windows NT client software installation account.
  • The program is set to run Whether or not a user is logged on and the program isn't configured to use the Windows NT client software installation account.
  • The program is set to run only when no user is logged on and is not configured to use the Windows NT client software installation account.
The Systems Management Server client service runs under the SMSCliSvcAcct& account on Windows NT-based clients that are not domain controllers. On domain controllers the client service runs under the context of a machine-specific domain account named SMS&_<servername>. The SMSCliSvcAcct& account lockout does not occur when using domain controllers as site systems because there is not an account named SMSCliSvcAcct& automatically created on domain controller clients.

This issue will not affect the majority of client systems in a site, only those which are site systems or domain controllers.

Modification Type: Major
Last Reviewed: 4/7/2006
Keywords: kbQFE KBHotfixServer kbBug kbCAP kbfix kbSecurity kbServer kbSoftwareDist KB231399