Microsoft KB Archive/278660

= The domain SMSCliToknAcct& account is locked out in SMS 2.0 =

Article ID: 278660

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Systems Management Server 2.0 Standard Edition

-



This article was previously published under Q278660



SYMPTOMS
The domain SMSCliToknAcct& account may become locked out in Microsoft Systems Management Server (SMS) 2.0.



CAUSE
This issue may occur if an SMS client computer has third-party hardware drivers installed. Some third-party hardware drivers, including some sound card drivers, try to locate certain files on the local computer. If the files cannot be found, the drivers continue to search by using the locations that are defined by the system path variable. If the system path variable contains references to any network locations, or if the client computer is attached to a networked drive, the network locations are searched. Third-party drivers may run as the SMSCliToknAcct& account if the driver connects to various drives while an SMS client process is running.

The SMSCliToknAcct& account password is randomly generated for each SMS client computer. If a domain account lockout policy is turned on, the domain SMSCliToknAcct& account is locked out because the SMS client and domain accounts have different passwords.



RESOLUTION
To resolve this issue, contact the hardware manufacture to obtain the latest drivers for your hardware.

For information about how to contact third-party manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z



WORKAROUND
To work around this issue, use Network Monitor to determine which files the third-party drivers try to locate, and then copy these files to a local folder on the client computer.

For additional information about how to use Network Monitor, click the following article numbers to view the articles in the Microsoft Knowledge Base:

148942 How to capture network traffic with Network Monitor

232247 Using Network Monitor to capture traffic using a remote agent



MORE INFORMATION
The SMSCliToknAcct& account creates user tokens on client computers. On client computers that are not domain controllers, SMS grants the SMSCliToknAcct& account the required permissions, and then removes the permissions immediately after use. On domain controllers, the permissions for the SMSCliToknAcct& account remain as long as the SMS client services are installed on the domain controller. The SMSCliToknAcct& account is used to install software on client computers when any one of these conditions are true:
 * The Run with administrative rights option is turned on in the program properties, but the Use Windows NT client software installation account option is turned off.
 * The program is configured to run regardless of whether a user is logged on, but the Use Windows NT client software installation account option is turned off.
 * The program is configured to run only when no user is logged on, but the Use Windows NT client software installation account option is turned off.

Some audio drivers that are manufactured by the following companies are reported to cause this issue:
 * Crystal Audio
 * Yamaha
 * Creative
 * ESS

For additional information about how audio drivers are used with the SMSCliToknAcct& account, click the following article number to view the article in the Microsoft Knowledge Base:

248880 SMS: SMSCliToknAcct& account accesses network from computers with Compaq's Auddrive.sys driver installed

Additional query words: netmon prodsms

Keywords: kbclient kbconfig kbinterop kbnettrace kbnetwork kbprb kbsecurity kbserver KB278660

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.