DOCUMENT:Q227033 06-AUG-2002 [sms] TITLE :Changing the SMSClient_ Password Can Cause Lockouts PRODUCT :Microsoft Systems Management Server PROD/VER:winnt:2.0 OPER/SYS: KEYWORDS:kbsms200 kbsms200bug ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server version 2.0 ------------------------------------------------------------------------------- SYMPTOMS ======== This article describes potential problems that can occur when Systems Management Server (SMS) version 2.0 is deployed in a domain that has the account lockout policy enabled. The default setting for account lockout is to lock the account after five incorrect logon attempts with an incorrect password and to unlock the account after waiting one half hour. If the Client Connection account (SMSClient_) password is changed in User Manager for Domains, the account is locked out. The SMS 2.0 clients store the password for this account locally and attempt to use the old password until the client is updated with the new password. The client updates the local copy of the password when the install process is run by running Smsls.bat or Smsman.exe. Until every client has run the installation process and updated the password, the SMSClient_ account is locked out shortly after it is re-enabled. If the client cannot connect to the Client Access Point (CAP), it tries every hour. The client never becomes aware of the new passwords until it runs the install process. After 60 days without being able to contact the CAP, the client uninstalls itself. WORKAROUND ========== To prevent lockouts from occurring, create at least one additional Client Connection account and have every SMS 2.0 client run the install process. This updates the client with the new account information and allows new clients to have access to the CAP. The SMSClient_ account continues to be locked out until every client is updated. Administrators can leave this account locked out or delete it from User Manager for Domains as well as the SMS 2.0 interface. Clients that have not been updated continue to use the wrong password for the SMSClient_ account, continuing to lock it out if it is not deleted, but do not lock out the new Client Connection account. STATUS ====== Microsoft has confirmed this to be a problem in Systems Management Server version 2.0. Additional query words: prodsms ====================================================================== Keywords : kbsms200 kbsms200bug Technology : kbSMSSearch kbSMS200 Version : winnt:2.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.