 
  
by Dana Daugherty
Client Connection Account Lockout — I know there has been quite a lot of information available on this issue. In this article, I have attempted to compile information from a few Q articles and my own experience with the problem. Also, in the Solution section there is a plan for rotating connection accounts that might just help to prevent this problem from reoccurring in your SMS implementation.
In this article, Dana Daugherty has compiled information from various Microsoft Knowledgebase articles and his own experience with the issue of Client Connection Account Lockouts to offer a solution that just might help to prevent the problem from occurring in your SMS implementation.
Windows NT/2K workstations rely on the Client Connection Account to access the Client Access Point (CAP). They need this account due to the use of different user contexts. The default account that is automatically created when the site is installed is SMSClient_xxx (where xxx is the site code). This account has no special rights apart from Domain User privileges. By default the “account never expires” check box is selected in User Manager For Domains. In the SMS > Site Hierarchy > xxx > Connection Accounts > Client group you should see this account, SMSClient_xxx.
The Problem
If all NT/2K machines at a particular site experience the following symptoms, they are most likely experiencing a client connection account lockout: they don’t receive current data in Systems Management, Sites tab, after pressing Update Configuration; they don’t receive SMS Advertised Programs; and they eventually disappear after 60 days unless travel mode is turned on. Lines similar to the following will appear in the client’s CCIM32.log file:
Warning - could not read files from site TB1 (#2147942405) $$
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$
CCIM32 - Retry in 60 minutes $$
and
Client will be considered an orphan after 2001/07/30 10:17.56 $$
The above would be a description of an orphaned SMS
         client. 
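A triage check for this log signature, added here as an example and not part of the original article: it decodes the error number (2147942405 is 0x80070005, the HRESULT form of Win32 error 5, access denied) and pulls out the site code and the orphan deadline. The set of codes treated as credential-related and all function names are choices made for this example.

```python
import re
from datetime import datetime

# The CCIM32.log lines quoted in the article; text after "$$" is ignored.
SAMPLE_LOG = """\
Warning - could not read files from site TB1 (#2147942405) $$
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$
CCIM32 - Retry in 60 minutes $$
Client will be considered an orphan after 2001/07/30 10:17.56 $$
"""

# Win32 codes treated here as credential-related (a choice made for this
# example); only code 5 appears in the article's log.
CREDENTIAL_CODES = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
                    1909: "ERROR_ACCOUNT_LOCKED_OUT"}
FACILITY_WIN32 = 7

ERR_RE = re.compile(r"GetAccessiblePath returned error (\d+)")
SITE_RE = re.compile(r"Can't get accessible path for site (\w+)")
ORPHAN_RE = re.compile(r"orphan after (\d{4}/\d\d/\d\d \d\d:\d\d)[.:](\d\d)")

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    value &= 0xFFFFFFFF
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def scan_ccim32(text):
    """Summarise the CAP access failure pattern in CCIM32.log text."""
    found = {"site": None, "win32": None, "name": None, "orphan_after": None}
    for raw in text.splitlines():
        line = raw.split("$$", 1)[0].strip()
        if m := ERR_RE.search(line):
            failed, facility, code = decode_hresult(int(m.group(1)))
            if failed and facility == FACILITY_WIN32:
                found["win32"] = code
                found["name"] = CREDENTIAL_CODES.get(code)
        elif m := SITE_RE.search(line):
            found["site"] = m.group(1)
        elif m := ORPHAN_RE.search(line):
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M")
            found["orphan_after"] = stamp.replace(second=int(m.group(2)))
    # Flag only when the path failure and a credential-related code coincide.
    found["suspect_lockout"] = bool(found["site"] and found["name"])
    return found

if __name__ == "__main__":
    print(scan_ccim32(SAMPLE_LOG))
```

The same result on every NT/2K client of one site points at the shared connection account rather than at an individual machine.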
The Cause
This condition occurs for many different reasons,
         including:  
This situation illustrates the 3rd bullet above. There is only 1 client connection account for the site. Joe Blow shuts his workstation down before leaving for a much needed vacation. While he is gone, the client connection account password is changed. Joe Blow returns from Tahiti, turns his machine on, and the SMS client attempts to connect to its CAP with an old password. The account is locked out and no NT/2K client can contact the CAP or receive an Advertised Program.
Instances that fall under the other bullets listed above
         also change the account or password in some way giving us the
         same result — a locked out account. 
Domains with more restrictive NT Security Policies will
         most likely experience client account lockouts more
         often.  
The Solution
If the client connection account for one of your sites is locked out, do the following:
Add 2 new accounts to the Domain. Let’s call them SMSClient_xxx001 and SMSClient_xxx002. In the SMS > Site Hierarchy > xxx > Connection Accounts > Client group you must add the new accounts and passwords, exactly as you did in User Manager For Domains. On the next 23 hour Client Configuration Installation Manager (CCIM) cycle the client will be unlocked. To test and/or speed up the process, run SMSLS.bat or manually run CCIM using the Update Configuration button in Systems Management > Site tab.
The action to take in order to prevent this from reoccurring depends on its cause and your NT security account policies. All sites should have 3 client connection accounts using some naming convention like SMSClient_xxx001. This will allow you to perform maintenance, if necessary, without causing further trouble. For example, in the situation above, Joe Blow’s machine is shut down. You need to change a password due to NT account policies. You can change the password on 1 account and still have 2 valid accounts available. This should solve the problem for most SMS implementations.
For Domains with password restriction policies, especially Maximum Password Age, you may need to develop an account rotation plan. Suppose you have SMSClient_xxx001, SMSClient_xxx002 and SMSClient_xxx003 as valid accounts on your domain, each created 2 weeks apart. Add SMSClient_xxx004 a few days prior to the expiration of SMSClient_xxx001. Then delete SMSClient_xxx001. Don’t forget to add the new account to the SMS > Site Hierarchy > xxx > Connection Accounts > Client group. You will always have 3 valid accounts on your domain. This is a bit of a pain but it’s better than the alternative — orphaned workstations.
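The rotation plan above worked through with dates, as an added example that is not part of the original article: it generates the add/delete schedule and checks, day by day, that at least 3 accounts stay valid and how long a powered-off client remains covered. The site code TB1, the 42-day Maximum Password Age, the 3-day lead, deleting each account on its expiry date, and the premise that a client learns all current accounts at each CCIM cycle are assumptions.

```python
from datetime import date, timedelta

def rotation_plan(site, first_created, max_age_days, total,
                  stagger_days=14, lead_days=3, pool=3):
    """Return [(name, created, retire)] for `total` accounts."""
    plan = []
    for n in range(1, total + 1):
        if n <= pool:
            # Initial accounts, created stagger_days apart.
            created = first_created + timedelta(days=(n - 1) * stagger_days)
        else:
            # Replacement for account n - pool, added lead_days before it expires.
            created = plan[n - pool - 1][2] - timedelta(days=lead_days)
        retire = created + timedelta(days=max_age_days)  # deleted at expiry (assumed)
        plan.append((f"SMSClient_{site}{n:03d}", created, retire))
    return plan

def worst_case(plan, pool=3):
    """Check every day from the pool being complete to the last planned add.

    Returns (fewest valid accounts on any day, fewest days until the newest
    account a client knew on that day is retired)."""
    day, end = plan[pool - 1][1], plan[-1][1]
    fewest = covered = None
    while day < end:
        live = [retire for _, created, retire in plan if created <= day < retire]
        remaining = (max(live) - day).days
        fewest = len(live) if fewest is None else min(fewest, len(live))
        covered = remaining if covered is None else min(covered, remaining)
        day += timedelta(days=1)
    return fewest, covered

# Constructed inputs: site code TB1, 42-day Maximum Password Age.
PLAN = rotation_plan("TB1", date(2001, 6, 1), max_age_days=42, total=6)

if __name__ == "__main__":
    for name, created, retire in PLAN:
        print(f"{created}  add {name}   (delete on {retire})")
    print(worst_case(PLAN))
```

With these inputs the count never drops below 3, and a workstation that last ran CCIM on the worst possible day still holds an account that remains valid for 29 more days.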
More Information
For more information on the Client Account Lockout issue or orphaned SMS clients, please take a look at the following TechNet articles from Microsoft:
http://support.microsoft.com/support/kb/articles/Q236/0/52.ASP
http://support.microsoft.com/support/kb/articles/Q237/7/59.ASP