Article ID: 840677
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Systems Management Server 2.0 Standard Edition
SYMPTOMS
After you turn on the following features in Microsoft Systems Management Server (SMS) version 2.0, logon points are not created in a trusted domain that is managed by the SMS site:
- Windows Networking Logon Discovery
- Windows Networking Logon Client Installation
Symptom example
You want to create logon points that are in the accounts domain, and the SMS site is in a resource domain. The following error message entry may appear in the Nt_logon.log file:
Note Error 5 is defined as an "Access Denied" error.
CAUSE
This issue occurs when the SMS Service account does not have sufficient permissions to create the SMS 2.0 logon point in the domain. For example, this might occur when you want to create logon points in an accounts domain when SMS is installed in a resource domain. If the resource domain name\SMS service account does not have sufficient permissions to connect to the admin$ share of the primary domain controller (PDC) in the accounts domain, the logon point is not created.
RESOLUTION
To resolve this issue, specify a domain administrator level site system connection account from the domain that you are trying to connect to. If you use the example from the Symptoms section, you would specify a site system connection account from the accounts domain that is a member of the accounts domain name\Domain Admins group. Alternatively, you can add the SMS service account to the Domain Administrators group of the domain that you are trying to connect to. If you use the example from the Symptoms section, you would add the resource domain\SMSService account to the Domain Administrators group of the accounts domain.
Note The previous example uses the default SMSService account for demonstration purposes. Your SMS site may use a different account.
Important If you are running SMS 2.0 Service Pack 5 (SP5) or later, you can maintain logon points by using an account that is not a domain administrator.
To change the SMS service account, perform a site reset. To do this, follow these steps:
- Click Start, point to Programs, point to Systems Management Server, and then click SMS Setup.
- Click Next, and then click Next.
- Click Modify or reset the current installation, and then click Next.
- Type the account and password that you want to use for the SMS services, and then click Next.
- Click Next, click Next, click Next, and then click Finish.
- Click Yes to continue and reset the site.
MORE INFORMATION
For additional information about how to create a trusted domain account, see the "Create a Trusted Domain SMS Service Account in a Windows NT Domain" topic in SMS Administrator Help.
For additional information about the SMS site system account, see the following topics in the SMS Administrator's Guide:
- Chapter 4, Understanding SMS System Accounts, SMS Site Server Service Accounts.
- Chapter 4, Understanding SMS System Accounts, SMS Remote Site System Service Accounts.
For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816290 List of security changes in Systems Management Server 2.0 Service Pack 5
816292 Windows Networking Logon Client Installation requires domain administrator permissions to create logon points
834308 Logon points are not updated in Systems Management Server 2.0