SMS 2003 Software Installation Account issue
Hi -
I've configured a program to Run Whether or Not a User is Logged in and to use Software Installation Account ("SoftwareInstAccount") for advanced clients. The Site Setting -> Component Configuration -> Software Distribution -> Advanced Client Network Access Account appears to be configured correctly as DOM\SoftwareInstAccount
I have verified that the software installation account is in AD and all permissions are correct (I can runas /user:DOM\SoftwareInstAccount etc. and do everything I need)
But the problem is that the SMS job does not appear to be actually running in that user context or for some other reason cannot connect to the network share (which I can do if I runas interactively). What gives? Shouldn't the UserContext below in the execmgr.log show as "SoftwareInstAccount"?
How can I force SMS to use the software installation account?
{
AdvertisementId = "AMB20705";
ClientID = "GUID:FEBA9120-0A03-478B-A2D8-C1C0FE81987D";
CommandLine = "\"C:\\WINNT\\system32\\cscript.exe\" getdodat.vbs";
DateTime = "20060615140936.731000+000";
MachineName = "ZZTOWSWM08";
PackageName = "AMA000BB";
ProcessID = 1060;
ProgramName = "Upload_DAT";
SiteCode = "AMB";
ThreadID = 1828;
UserContext = "NT AUTHORITY\\SYSTEM";
WorkingDirectory = "\\\\ZZTOSMS203\\SMSPKGE$\\AMA000BB\\";
};
PS -
I modified the WSH script to return an error to the event log if the mapping operation fails. The script returned:
getdodat.vbs: 2147024843 -- The network path was not found.
PPS - modified again to use the IP address (not the resolver) to find the share, and now the error is "access denied".
Answers (1)
Posted by: Rhys, 18 years ago
Not sure if you got an answer to this one or not but here is my guess.
The Advanced Client does not use the software installation account. This is only for legacy clients. Run with administrative rights on the Advanced Client will run the installation/command line as a service.
If the client does not have rights to the network share, it will use the Advanced Client Network Access Account (Site Hierarchy/Site_Name/Site Settings/Component Configuration/Software Distribution). This account is ONLY used to connect to the network location if the client doesn't have rights. It is not used to actually perform the installation. That will either be the client's context or administrative rights (service) set under the program/environment.
Again, this only applies to Advanced Clients.
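Added example, not part of the thread and not SMS or Microsoft code: the record quoted in the question shows the program running as NT AUTHORITY\SYSTEM, and as general Windows behaviour a LocalSystem process presents the computer account (DOMAIN\COMPUTERNAME$) to remote file servers. This Python script parses such records and reports the account a share's permissions would have to allow; the function names are hypothetical and the domain name DOM is assumed from the question's DOM\SoftwareInstAccount.

```python
import re

# Constructed sample: the record quoted in the question, trimmed to the fields used here.
SAMPLE_RECORD = r'''
{
AdvertisementId = "AMB20705";
CommandLine = "\"C:\\WINNT\\system32\\cscript.exe\" getdodat.vbs";
MachineName = "ZZTOWSWM08";
ProcessID = 1060;
ProgramName = "Upload_DAT";
UserContext = "NT AUTHORITY\\SYSTEM";
WorkingDirectory = "\\\\ZZTOSMS203\\SMSPKGE$\\AMA000BB\\";
};
'''

# One `Name = "escaped string";` or `Name = 123;` assignment per line.
FIELD = re.compile(r'^\s*(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+))\s*;\s*$', re.M)


def parse_records(text):
    """Return one dict per `{ ... };` record, with string escapes undone."""
    records = []
    for body in re.findall(r'\{(.*?)\}\s*;', text, re.S):
        fields = {}
        for name, quoted, number in FIELD.findall(body):
            # Backslash-escaped characters (\\ and \") collapse to the character itself.
            fields[name] = int(number) if number else re.sub(r'\\(.)', r'\1', quoted)
        records.append(fields)
    return records


def network_identity(fields, domain):
    """Account a remote file server sees when this program opens a share."""
    context = fields["UserContext"]
    if context.upper() == r"NT AUTHORITY\SYSTEM":
        # General Windows behaviour (not stated in the thread): LocalSystem
        # authenticates to other hosts as DOMAIN\COMPUTERNAME$.
        return "%s\\%s$" % (domain, fields["MachineName"])
    return context


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORD):
        # "DOM" is the domain placeholder used in the question (assumption).
        print("%s runs as %s; remote shares see %s" % (
            rec["ProgramName"], rec["UserContext"], network_identity(rec, "DOM")))
```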