Microsoft KB Archive/232653

= SMS: SMSCliToknAcct& Locked Out When Hardware Inventory Is Enabled =

Article ID: 232653

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Systems Management Server 2.0 Standard Edition

-



This article was previously published under Q232653



SYMPTOMS
After you add clients to a Systems Management Server site and enable the hardware inventory client component, administrators may observe the following symptoms involving account lockouts and/or software distribution failure:
 * Software distribution fails to connect because the SMSCliToknAcct& account is locked out.
 * The SMSCliToknAcct& is continually locked out in the domain accounts database or in individual local accounts databases of Systems Management Server Clients.

This issue only occurs on sites which have enabled the hardware inventory agent.



CAUSE
When enumerating the Win32_LogicalDisk class for hardware inventory the SMSCliToknAcct& local account is used to access network drives. The remote system has the SMSCliToknAcct& if it is a client, but may have a different password. This causes a password failure and eventually locks the account.



RESOLUTION
To resolve this problem, obtain the latest service pack for Systems Management Server version 2.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

236325 How to Obtain the Latest Systems Management Server 2.0 Service Pack



WORKAROUND
There are also two possible workarounds for this issue:

Disable account lockouts on the domain and on individual site systems that are not domain controllers to prevent the lockouts from occurring.Disable enumeration of the Win32_LogicalDisk class in the SMS_DEF.MOF file for the site. For more information on how to do this see chapter 10 of the Microsoft Systems Management Server Administrator's Guide.



STATUS
Microsoft has confirmed this to be a problem in Systems Management Server version 2.0 This problem was first corrected in Systems Management Server version 2.0 Service Pack 2..



MORE INFORMATION
To install the pre-SP1 version of this hotfix, perform the following steps on the Systems Management Server site server:  Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services. Copy the updated Inhinv32.exe file to the following folder:

\SMS\Inboxes\Clicomp.src\Hinv\

 Copy the updated Wbemsdk.exe file to the following folder:

\SMS\Inboxes\Clicomp.src\Wbem\

 Copy the updated Sms_def.mof file to the following folder:

\SMS\Inboxes\Clifiles.src\Hinv

</li> Copy the updated Compver.ini file to the following locations: <ul> \SMS\Inboxes\Clicomp.src\Hinv</li> \SMS\Inboxes\Clicomp.src\Wbem</li></ul>

</li> Copy the updated Hinv32.exe file to the following folder:

\SMS\Bin\<Platform>

NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run inhinv32.exe /x and select the file to extract.</li> Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.</li></ol>

NOTE: Once the SMS Inbox Manager component updates the Client Access Points (CAP), the client will be able to access the updated files. The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation.

To install the Post-SP1 hotfix, perform the following steps on the Systems Management Server site server: <ol> Stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.</li> Copy the updated Compver.ini file to the following folder:

\SMS\Inboxes\Clicomp.src\Hinv

</li> Copy the updated Inhinv32.exe file to the following folder:

\SMS\Inboxes\Clicomp.src\Hinv\<Platform>

</li> Copy the updated Sms_def.mof file to the following folder:

\SMS\Inboxes\Clifiles.src\Hinv

NOTE: If the existing Sms_def.mof file has been modified to change the information gathered by the 32-bit hardware inventory agent, those changes have to be made to the replacement Sms_def.mof file to obtain the same inventory information after you apply this fix.</li> Copy the updated Hinv32.exe file to the following folder:

\SMS\Bin\<Platform>

NOTE: The Hinv32.exe file is not included as a separate file, it is embedded in the Inhinv32.exe file. To extract it, run inhinv32.exe /x and select the file to extract.</li> Start the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.</li></ol>

NOTE: The default Client Configuration Installation Manager (CCIM) polling interval is 23 hours. Therefore, it may take up to 23 hours for the hotfixed files to be propagated to the clients. To speed up this process, you can stop and restart the SMS Client Service on each client. You can also create a software distribution for one of the Resource Kit tools Setevnt.exe or Cliutils.exe along with the appropriate parameter(s) to start a CCIM work cycle. For information on the proper syntax to use with these tools, see the Resource Kit documentation.

All Systems Management Server clients have the SMSCliToknAcct& account in the local accounts database while all Domain Controllers share a single SMSCliToknAcct& from the domain accounts database.

The SMSCliToknAcct& account is used to launch installations in several specific situations:
 * The "Run with administrative rights" option is enabled for a program that isn't also configured to use the Windows NT client software installation account.
 * The program is set to run "Whether or not a user is logged on" and the program isn't configured to use the Windows NT client software installation account.
 * The program is set to run "Only when no user is logged on" and isn't configured to use the Windows NT client software installation account.

For additional information about accounts, click the article number below to view the article in the Microsoft Knowledge Base:

231399 SMS: SMSCliToknAcct& and/or SMSCliSvcAcct& accounts locked out on site systems or domain

Additional query words: prodsms

Keywords: kbqfe kbhotfixserver kbbug kbclient kbfix kbinventory kbnetwork kbsecurity kbserver kbsms200sp1fix kbsms200sp2fix kbsoftwaredist KB232653

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.