Microsoft KB Archive/839512

= "Failed to save accounts" error message when you assign a new Systems Management Server 2003 Client Push Installation account on Windows Server 2003 =

PSS ID Number: 839512

Article Last Modified on 5/8/2004

-

The information in this article applies to:

<ul><li>Microsoft Systems Management Server 2003, when used with:
<ul><li>Microsoft Windows Server 2003, Standard Edition</li>
<li>Microsoft Windows Server 2003, Enterprise Edition</li>
<li>Microsoft Windows Server 2003, Datacenter Edition</li>
<li>Microsoft Windows Server 2003, 64-Bit Enterprise Edition</li>
<li>Microsoft Windows Server 2003, 64-Bit Datacenter Edition</li></ul> </li></ul>

-

<div class="notice_section">

<div class="symptoms_section">

SYMPTOMS
On a computer that is running Microsoft Windows Server 2003, when you install Microsoft Systems Management Server 2003 by using Standard Security, if you try to use the Systems Management Server 2003 administrator console to add a new Client Push Installation account, the operation may fail, and you may receive an error message that is similar to the following:

Failed to save accounts

Additionally, if you use the Systems Management Server 2003 administrator console to change the Systems Management Server Service account, the operation may fail, and you may receive an error message that is similar to the following:

Failed to encrypt SMS Service Account

<div class="cause_section">

CAUSE
Typically, this problem occurs when one of the following conditions is true:

<ul><li>The user account that is running the Systems Management Server 2003 administrator console is a member of the Administrators group on the Systems Management Server 2003 site server and the "System objects: Default owner for objects created by the Administrators group" policy is set to Object creator in the security policy on the Windows Server 2003-based computer.

By default, the "System objects: Default owner for objects created by the Administrators group" policy on Windows Server 2003 is set to Administrators group. When the "System objects: Default owner for objects created by the Administrators group" policy is set to Object creator, the user who is running the Systems Management Server 2003 administrator console may not have permission to access the Systems Management Server 2003 key file.

Note The Systems Management Server 2003 key file is located in the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

</li>
<li>The user account that is running the Systems Management Server 2003 administrator console is not a member of the Administrators group on the Systems Management Server 2003 site server and the "System objects: Default owner for objects created by the Administrators group" policy is set to Administrators group in the security policy on the Windows Server 2003-based computer.

When the "System objects: Default owner for objects created by the Administrators group" policy is set to Administrators group, both the Administrators group and the local system account can access the Systems Management Server 2003 key file. However, the user account must be a member of the Administrators group to access the Systems Management Server 2003 key file.</li></ul>

<div class="resolution_section">

RESOLUTION
To resolve this problem, use one of the following methods:

<ul><li>If the "System objects: Default owner for objects created by the Administrators group" policy setting in the security policy on the Windows Server 2003-based computer is set to Object creator, you must change the policy setting to Administrators group. You must also delete the corresponding Systems Management Server 2003 key file in the \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder, and then restart the SMS_EXECUTIVE service. To do this, follow these steps:
<ol><li>Click Start, point to Settings, and then click Control Panel.</li>
<li>In Control Panel, click Administrative Tools, and then double-click Local Security Policy.</li>
<li>In the left pane of the Local Security Settings console, expand Local Policies, and then click Security Options.</li>
<li>In the right pane of the Local Security Settings console, double-click System objects: Default owner for objects created by members of the Administrators group.</li>
<li>In the System objects: Default owner for objects created by members of the Administrators group properties dialog box, click Administrators group, and then click OK.</li>
<li>In Windows Explorer, locate the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

The MachineKeys folder contains the key file that contains the Systems Management Server 2003 key. The MachineKeys folder also contains other key files that contain the keys for other products.</li>
<li>To determine which key file contains the Systems Management Server 2003 key, open the key files in a text editor such as Notepad. The key file data is not in plain text. However, sufficient clear text data exists in the key to help identify the correct key file.

The key file that contains the Systems Management Server 2003 key contains the string "Microsoft Systems Management Server." Typically, the file name of the correct key file starts with "ca6f80c6495f318cbd7dddd0d9102cc2."</li>
<li>Right-click the key file that contains the Systems Management Server 2003 key, and then click Delete.</li></ol> </li>
<li>Manually grant the Systems Management Server 2003 Administrators group (SMS Admins) full access to the key file in the MachineKeys folder. To do this, follow these steps:
<ol><li>In Windows Explorer, locate the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

The MachineKeys folder contains the key file that contains the Systems Management Server 2003 key. The MachineKeys folder also contains other key files that contain the keys for other products.</li>
<li>To determine which key file contains the Systems Management Server 2003 key, open the key files in a text editor such as Notepad. The key file data is not in plain text. However, sufficient clear text data exists in the key to help identify the correct key file.

The key file that contains the Systems Management Server 2003 key contains the string "Microsoft Systems Management Server." Typically, the file name of the correct key file starts with "ca6f80c6495f318cbd7dddd0d9102cc2."</li>
<li>Right-click the key file that contains the Systems Management Server 2003 key, and then click Properties.</li>
<li>In the Properties dialog box, click the Security tab.</li>
<li>On the Security tab, click Add.</li>
<li>In the Select Users, Computers, or Groups dialog box, type SMS Admins in the Enter object names to select field.</li>
<li>Click Check Names to verify the group name, and then click OK.</li></ol> </li></ul>
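
The Notepad check in both methods can be scripted so that the owner and access list of the key file are visible before anything is deleted or re-permissioned. This is an added example, not part of the Microsoft article; it assumes Windows PowerShell is installed on the site server and that the profile folder is on the system drive, and the function name `Find-SmsKeyFile` is hypothetical. It only reads files and ACLs.

```powershell
# Added example (not from the KB article): find the SMS 2003 key file in the
# MachineKeys folder and report its owner and ACL. Read-only.
# Assumption: the folder named in the article is on the system drive.
$machineKeys = Join-Path $env:SystemDrive `
    'Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

function Find-SmsKeyFile {
    param(
        [string]$Path,
        # Clear-text string the article says identifies the SMS key file.
        [string]$Marker = 'Microsoft Systems Management Server'
    )
    # -Force includes hidden and system files.
    Get-ChildItem -Path $Path -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        $status = 'NoMatch'
        try {
            $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
            # The on-disk encoding of the marker is an assumption, so NUL bytes
            # are dropped to match both single-byte and UTF-16 forms.
            $text = [System.Text.Encoding]::ASCII.GetString($bytes).Replace([string][char]0, '')
            if ($text.Contains($Marker)) { $status = 'Match' }
        } catch {
            # Access denied here is the condition described under CAUSE.
            $status = 'Unreadable'
        }
        if ($status -ne 'NoMatch') {
            $owner = '(could not read ACL)'
            $rights = @()
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
                $owner = $acl.Owner
                $rights = @($acl.Access | ForEach-Object {
                    '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
                })
            } catch { }
            New-Object PSObject -Property @{
                Name   = $file.Name
                Status = $status
                Owner  = $owner
                Access = ($rights -join '; ')
            } | Select-Object Name, Status, Owner, Access
        }
    }
}

Find-SmsKeyFile -Path $machineKeys | Format-List
```

An owner that is an individual user rather than the Administrators group corresponds to the Object creator case under CAUSE; files reported as Unreadable are ones the current account cannot open.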

<div class="status_section">

STATUS
This behavior is by design.

<div class="references_section">