The Systems Management Server 2003 Advanced Client components stop functioning and do not become fully functional until the SMS Agent Host service is restarted on a Windows 2000 Server-based computer (917678)



The information in this article applies to:

  • Microsoft Systems Management Server 2003, when used with:
    • Microsoft Windows 2000 Server
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

SYMPTOMS

The Systems Management Server 2003 Advanced Client components stop functioning and do not become fully functional again until the SMS Agent Host service (Ccmexec.exe) is restarted. Additionally, the Scheduler.log file may contain entries that resemble the following:
Failed to open to WMI namespace '\\.\root\ccm\Scheduler' (80041006) $$<Scheduler><DateTime><thread=thread number>
Error sending trigger message for schedule 'computer name/{computer GUID}' (0x80041006) $$<Scheduler><DateTime><thread number>
Scheduler DateTime 3144 (0x0C48) PersistScheduleHistory(m_spHistory), HRESULT=80041003
Note Code 80041003 indicates that you received an "access denied" error message from Windows Management Instrumentation (WMI).

CAUSE

This problem occurs because of a known problem with WMI and Microsoft Windows 2000 Server.

WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, use one of the following methods:
  • Upgrade to Microsoft Windows Server 2003.
  • Change permissions on the client computers by granting the Everyone group both full write permissions and partial write permissions on the "root\ccm" namespace.
  • Implement a solution that periodically restarts the SMS Agent Host service (Ccmexec.exe). For example, implement a script that stops and restarts the service one time a day or more frequently as required.
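A symptom check that can gate the restart workaround above, as an added example (not part of the original article or of SMS): it scans Scheduler.log text for the WMI error codes quoted under SYMPTOMS and reports whether the access-denied code 80041003 appears. The sample log lines, host name, dates and the `after_line` parameter are constructed for illustration; treating only 80041003 as the restart trigger is an assumption of this example.

```python
import re
import sys

# WMI HRESULTs that appear in the article's Scheduler.log excerpts.
WMI_CODES = {"80041003": "WBEM_E_ACCESS_DENIED", "80041006": "WBEM_E_OUT_OF_MEMORY"}
# Matches "(80041006)", "(0x80041006)" and "HRESULT=80041003";
# thread ids such as "(0x0C48)" do not match.
CODE_RE = re.compile(r"(?:\(|HRESULT=)(?:0x)?(8004[0-9A-Fa-f]{4})\b")

# Constructed sample modelled on the SYMPTOMS entries (host, GUID, dates are made up).
SAMPLE_LOG = r"""Failed to open to WMI namespace '\\.\root\ccm\Scheduler' (80041006) $$<Scheduler><Fri Jun 02 03:10:11 2006><thread=3144 (0xC48)>
Error sending trigger message for schedule 'HOST01/{00000000-0000-0000-0000-000000000000}' (0x80041006) $$<Scheduler><Fri Jun 02 03:10:11 2006><thread=3144 (0xC48)>
Scheduler 6/2/2006 3:10:12 AM 3144 (0x0C48) PersistScheduleHistory(m_spHistory), HRESULT=80041003
"""


def find_wmi_errors(text, after_line=0):
    """Return (line_no, code, name) for each WMI HRESULT found after `after_line`."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line_no <= after_line:
            continue  # already examined on an earlier run
        for match in CODE_RE.finditer(line):
            code = match.group(1).upper()
            hits.append((line_no, code, WMI_CODES.get(code, "unknown")))
    return hits


def needs_restart(text, after_line=0):
    """True when new log lines show the access-denied symptom (80041003)."""
    return any(code == "80041003" for _, code, _ in find_wmi_errors(text, after_line))


if __name__ == "__main__":
    # Usage: script.py [path-to-Scheduler.log] [last-line-already-scanned]
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    start = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    for line_no, code, name in find_wmi_errors(log_text, start):
        print(f"line {line_no}: 0x{code} {name}")
    # Exit status 1 tells the calling job that a service restart is warranted.
    sys.exit(1 if needs_restart(log_text, start) else 0)
```

Entries stay in the log after a restart, so the caller should record the last line number scanned and pass it on the next run to avoid restarting the service repeatedly for the same event.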

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

SMS processes establish a persistent WMI connection to a namespace by using an account that has full write permissions to the namespace. When a user who lacks full write permissions to the namespace connects to WMI, the restricted namespace permissions of the new low rights connection are also applied to the original, persistent SMS connection. Then, the persistent SMS connection loses the full write permissions to the namespace.

Additionally, when the SMS process tries to write a static instance of a class to the WMI repository, you receive the "access denied" error message because the connection no longer has full write permissions to the namespace.

The only way to regain the required permissions is to reconnect to the namespace. Although several factors can cause this problem, the two main causes are as follows:
  • The SMS connection to WMI is persistent.
  • A script is connecting to WMI by using a non-administrative account.

Modification Type: Minor
Last Reviewed: 6/2/2006
Keywords: kbBug kbtshoot kbSMSClients kbprb KB917678 kbAudITPRO