Microsoft KB Archive/826871

= Client accounts that are used in software distribution in Systems Management Server 2003 =

Article ID: 826871

Article Last Modified on 5/8/2007

-

APPLIES TO


 * Microsoft Systems Management Server 2003

-

INTRODUCTION
This article describes the Microsoft Systems Management Server 2003 (SMS 2003) client accounts for the SMS 2003 Advanced client and the SMS 2003 Legacy client.
Overview of the Systems Management Server 2003 client
SMS 2003 clients on computers that are running Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003 can run programs in one of the following security contexts:
 * User account
 * Service account

For the SMS 2003 Legacy client, the SMS 2003 Software Installation account has administrative rights on the SMS 2003 Legacy client computer. You can use this account to run advertised programs on client computers and to have access to specific non-SMS network resources when no user is logged on or the current logged-on user does not have administrative permissions to run the advertised program.

The SMS 2003 Legacy Client Software Installation account must have the following attributes:
 * Access to the required network resources.
 * Access to the SMS 2003 distribution point share and directories for the package.

The SMS 2003 client components grant certain user rights and membership in the local Administrators group to the Legacy Client Software Installation account when a client runs a program that requires administrative rights. This membership and the user rights are removed when the program is completed. To access packages, clients use one of the following methods:
 * The user account, in the context of the logged-on user.
 * Otherwise, the Network Installation account on the Advanced client.
 * Otherwise, the Legacy Client Software Installation account on the Legacy client.

Note For security reasons, do not grant the Legacy Client Software Installation account any rights on client computers directly or through group membership.

Advertisements
Advertisements that are intended to run in the context of the logged-on user have only the credentials of that user. Such advertisements use the user's credentials to connect to the distribution point. If the user does not have administrative credentials, advertisements that require administrator credentials run on Legacy clients under the Client User Token account, in a security context similar to that of a service account. The Client User Token account is dynamically added to the local Administrators group as required and has the Act as part of the operating system right. If the Client User Token account was added to the group, it is removed when the task is completed.
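The temporary Administrators membership described above (granted when an advertised program needs administrative rights and removed when the program completes) leaves a pair of local-group membership events in the client's Security log, and a membership that is never removed is exactly the persistent right the earlier note says not to grant. The following Python script is an added example, not part of this article or of SMS 2003: it pairs add and remove events and flags any watched account that stays in the group. The log line layout, the `SMSSoftInstall` account name and the timestamps are constructed for the example, and the use of event IDs 636/637 (Windows 2000/XP "local group member added/removed") is an assumption about the platform's auditing rather than something the article states.

```python
"""Flag client accounts whose local Administrators membership was not removed
after an SMS 2003 advertised program ran.  Added example; event layout is constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample of Security-log lines (not real SMS or Windows output).
# Event IDs 636/637 are assumed to be the Windows 2000/XP "local group member
# added"/"removed" events; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2007-05-08 09:00:01 EventID=636 Group=Administrators Member=SMSCliToknLocalAcct& Caller=SYSTEM
2007-05-08 09:04:37 EventID=637 Group=Administrators Member=SMSCliToknLocalAcct& Caller=SYSTEM
2007-05-08 10:15:00 EventID=636 Group=Administrators Member=SMSSoftInstall Caller=jdoe
2007-05-08 11:30:12 EventID=636 Group=Administrators Member=SMSCliToknLocalAcct& Caller=SYSTEM
2007-05-08 11:31:05 EventID=637 Group=Administrators Member=SMSCliToknLocalAcct& Caller=SYSTEM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Group=(?P<group>\S+) "
    r"Member=(?P<member>\S+) Caller=(?P<caller>\S+)$"
)

ADDED, REMOVED = "636", "637"  # assumed event IDs, see comment above


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime 'ts' field.
    Lines that do not match the layout are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_lingering_memberships(events, watched_members, group="Administrators",
                               max_minutes=30):
    """Return a list of (member, added_at, reason) for each watched account whose
    membership in `group` was never removed or was held longer than max_minutes.
    A removal with no preceding add is ignored; a second add before a removal
    simply restarts the clock for that account."""
    open_adds = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["group"] != group or ev["member"] not in watched_members:
            continue
        member = ev["member"]
        if ev["eid"] == ADDED:
            open_adds[member] = ev
        elif ev["eid"] == REMOVED and member in open_adds:
            added = open_adds.pop(member)
            held = ev["ts"] - added["ts"]
            if held > timedelta(minutes=max_minutes):
                findings.append((member, added["ts"], f"held for {held}"))
    # Anything still open at the end of the log was never removed at all.
    for member, added in open_adds.items():
        findings.append((member, added["ts"], "never removed"))
    return findings


if __name__ == "__main__":
    watched = {"SMSCliToknLocalAcct&", "SMSCliToknAcct&", "SMSSoftInstall"}
    for member, added_at, reason in find_lingering_memberships(parse_events(SAMPLE_LOG), watched):
        print(f"{member}: added {added_at:%Y-%m-%d %H:%M:%S}, {reason}")
```

Run against the sample, the two Client User Token add/remove pairs close within minutes and produce nothing, while the Software Installation account added at 10:15 and never removed is reported; that is the condition to raise with whoever granted the right manually.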

Distribution points
To access distribution points, an SMS 2003 Legacy client uses the Network abstraction layer (NAL) to find an existing connection to the package share on a distribution point. If a connection exists, the client uses it regardless of which credentials were used to establish it.

For both the SMS 2003 Legacy and the SMS 2003 Advanced clients, if the client cannot find an existing connection to the server and the share, the client tries to use the security context of the user who is logged on to the client computer to connect to the distribution point.

If the client cannot connect to the distribution point by using the context of the user account, the SMS 2003 client tries to connect by using all the SMS Client Connection accounts that are available for the site for the Legacy client, or by using the Advanced Client Network Access account for the Advanced client.

Note When you turn on the Download program from distribution point option for the advertised package, the program is downloaded to the SMS 2003 Advanced client computer. Anyone can run the program if the package remains in the download cache. Also, a user can copy the files to a folder or share that other users can use. If unauthorized people must not be able to use the files, do not turn on the Download program from distribution point option for the Advertised program for those packages.

Package installation
==== Advanced Client ====

With the SMS 2003 Advanced Client, a client program can open in only two user contexts:
 * The Local System account is used when the program is configured as Run with Administrative Rights.
 * The user account of the logged-on user is used to install the package when the program is configured as Run with User's Rights.

Note The SMS 2003 Network Access account is used with the Advanced Client when installation processes require access to remote shares other than the SMS Distribution Point. This is necessary when the system account or the logged-on user account does not have access to the remote shares that are needed to perform package installation. Using this account with the Advanced Client is automatic and does not have to be manually selected like the Software Installation Account. Unlike the Software Installation account, the Network Access account is used only to access remote shares. The account is not used to open or run package installation processes on the Advanced Client computer.

==== Legacy Client ====

With the SMS 2003 Legacy Client, a client program can open in the following user contexts:
 * The SMSCliToknAcct&/SMSCliToknLocalAcct& account is used by the Legacy Client in SMS 2003 when the program is configured as Run with Administrative Rights. The Software Installation Account can also be selected for package installation when the program is configured as Run with Administrative Rights.
 * The user account of the logged-on user is used to install the package when the program is configured as Run with User's Rights.

Note The SMS 2003 Software Installation account must be used with the Legacy Client when installation processes require access to remote shares other than the SMS Distribution Point. This is necessary because the token accounts are local accounts that are created on the computer where package installation is run. When the Software Installation account is selected, the package installation is opened and run on the Legacy Client computer in the context of this account.

For both the SMS 2003 Legacy client and the SMS 2003 Advanced client that run Windows Installer packages that require administrative rights, SMS 2003 uses the Windows Installer elevated rights to install the program on the client.

Keywords: kbinfo KB826871


© Microsoft Corporation. All rights reserved.