How IT Works: SMS Client-Side Software Installation
Steve Rachui
When configuring a software package for distribution in Systems Management Server (SMS) 2003, the administrator must choose the user context under which the software will be installed: either the logged-on user or the administrative context. If you choose the logged-on user, the software installation executes under the context of the user currently logged on to the computer. Because this option requires that a user be logged on to the target computer, and is of limited use if that user does not have administrative rights, it is more common to send software distributions under administrative credentials.
Even with administrative credentials, software is installed differently depending on whether the target is an SMS 2003 advanced client or a legacy client. On an advanced client, software distributions configured to install using administrative credentials cause the program to be executed in the context of the local system account. On legacy clients, selecting administrative credentials causes the installation to be executed under the SMS Client Token Local Account (SMSCliToknLocalAcct&). This account is created as an ordinary user account and is elevated to the necessary administrative privileges at the time of software installation. On workstations and member servers the account is unique to that particular system and is stored in the local Security Accounts Manager (SAM) database. Domain controllers, which have no local SAM, share a single domain-wide copy of the account instead.
The choice to use the local system account for the advanced client increases security, but there is more you need to know. Consider, for example, the distribution of a Microsoft Installer (MSI) package. If the MSI package has been authored to perform a per-user rather than per-machine installation, the installation may fail or the results may be unexpected: a per-user install performed by the local system account lands in the System account's profile, where no interactive user can use it. MSI packages can usually be forced to install per-machine by adding ALLUSERS=2 to the msiexec command line of the SMS program. With ALLUSERS=2, Windows Installer performs a per-machine installation whenever the installing account has administrative rights, which the local system account always does.
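As an added example, not taken from the article, the following PowerShell script reads the Property table of an MSI through the Windows Installer automation object, reports how the package was authored with respect to ALLUSERS, and prints the msiexec command line to use in the SMS program. The MSI path is a placeholder supplied by the caller; everything else uses the standard WindowsInstaller.Installer COM interface that ships with Windows.

```powershell
# Added example (not from the original article): inspect an MSI's Property table
# and decide whether it will install per-machine under the advanced client's
# Local System context. $MsiPath is a placeholder parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath
)

function Get-MsiProperties {
    param([string]$Path)
    # WindowsInstaller.Installer is late-bound COM, hence the InvokeMember calls.
    # OpenDatabase mode 0 = msiOpenDatabaseModeReadOnly, so the package is not modified.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT `Property`, `Value` FROM `Property`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        # Record fields are 1-based: 1 = Property name, 2 = Value.
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    return $props
}

$props   = Get-MsiProperties -Path $MsiPath
$msiName = [System.IO.Path]::GetFileName($MsiPath)

# Windows Installer semantics for the ALLUSERS property:
#   absent/empty -> per-user install (under Local System it lands in the System profile)
#   1            -> per-machine install, always
#   2            -> per-machine if the installing account is an administrator
#                   (Local System is), otherwise per-user
$allUsers = $props['ALLUSERS']
if ([string]::IsNullOrEmpty($allUsers)) {
    Write-Warning "ALLUSERS is not set: '$msiName' is authored as a per-user install."
} elseif ($allUsers -eq '1') {
    Write-Host "ALLUSERS=1: '$msiName' forces a per-machine install."
} elseif ($allUsers -eq '2') {
    Write-Host "ALLUSERS=2: '$msiName' installs per-machine under Local System, per-user for non-admins."
} else {
    Write-Host "ALLUSERS=$allUsers in '$msiName': check the package author's intent."
}

# Command line for the SMS program. A property given on the command line overrides
# the Property table, so ALLUSERS=2 yields a per-machine install under Local System
# however the package was authored; /qn suppresses UI, since Local System has no desktop.
"msiexec.exe /i `"$msiName`" ALLUSERS=2 /qn"
```

Run it against the package on the distribution point share before creating the SMS program; the warning case is the one that produces the "unexpected results" described above.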
Other installations may also not behave as expected if they are initiated from SMS distribution points but, during execution, attempt to access external network resources. The advanced client and the legacy client handle this differently, and without understanding the difference, software installations may behave inconsistently between the two clients.
When software is distributed using administrative credentials, the local system account (advanced client) and the SMS Client Token Local Account (legacy client) have full administrative privileges on the local computer but do not necessarily have any rights to network resources that the installation may need. The local system account presents the computer's own domain account when it reaches out to the network, and SMSCliToknLocalAcct& exists only in the local SAM, so neither can be expected to have been granted rights on an arbitrary file share.
When the SMS 2003 advanced client initiates software execution, it connects to the SMS distribution point to retrieve the software. If all required files are available on the distribution point, the installation proceeds. If the requested software does not reside on an SMS distribution point, or if the installation references a non-SMS share while it runs, SMS attempts to connect to that share under the context of the Advanced Client Network Access Account. If this account is not configured, or does not have rights to the requested share, the installation fails and errors are written to the execution manager log (execmgr.log). Errors in this log are typically of the access-denied variety when the client attempts to reach a non-SMS share. Note, however, that even when the network access account is used, the actual installation of the software is still performed in the local system context; the Advanced Client Network Access Account is used strictly for network access.
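The following PowerShell script is an added example, not part of the original column, that scans an advanced client's execmgr.log for error entries whose text points at a failed connection to a network share, which is the symptom of a missing or under-privileged Advanced Client Network Access Account. It assumes the SMS log entry layout (`<![LOG[message]LOG]!><time=... date=... component=... type=N ...>`, where type 3 is an error), assumes the default advanced client log path shown in the parameter, and falls back to three constructed sample entries, which are not real log output, so it can be run anywhere.

```powershell
# Added example (not from the original article): find network-access failures in
# execmgr.log. The default path is an assumption about the advanced client's log
# directory; the sample entries below are constructed, not captured from a client.
param([string]$LogPath = "$env:SystemRoot\System32\CCM\Logs\execmgr.log")

function ConvertFrom-SmsLogLine {
    param([string]$Line)
    # SMS log entries: <![LOG[msg]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="..." file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        Type      = [int]$m.Groups['type'].Value   # 1 = informational, 2 = warning, 3 = error
        Message   = $m.Groups['msg'].Value
    }
}

function Find-NetworkAccessFailures {
    param([string[]]$Lines)
    # Message fragments and Win32/HRESULT codes that mean "could not authenticate to the share":
    # ERROR_ACCESS_DENIED (5 / 0x80070005) and ERROR_LOGON_FAILURE (1326 / 0x8007052E).
    $indicators = 'Access is denied', '0x80070005', 'error code 5\b', 'Logon failure', '1326', '0x8007052E'
    foreach ($line in $Lines) {
        $entry = ConvertFrom-SmsLogLine $line
        if ($null -eq $entry -or $entry.Type -ne 3) { continue }
        foreach ($indicator in $indicators) {
            if ($entry.Message -match $indicator) { $entry; break }   # -match is case-insensitive
        }
    }
}

# Constructed sample entries so the script runs without a client log present.
$sample = @(
    '<![LOG[Executing program setup.exe in Admin context]LOG]!><time="10:22:31.000+000" date="03-14-2008" component="execmgr" context="" type="1" thread="2208" file="execreqmgr.cpp:1000">',
    '<![LOG[Failed to connect to \\fileserver\apps (0x80070005). Access is denied.]LOG]!><time="10:22:32.000+000" date="03-14-2008" component="execmgr" context="" type="3" thread="2208" file="execreqmgr.cpp:1200">',
    '<![LOG[Program exit code 1603]LOG]!><time="10:22:40.000+000" date="03-14-2008" component="execmgr" context="" type="3" thread="2208" file="execreqmgr.cpp:1300">'
)

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Find-NetworkAccessFailures -Lines $lines | Format-Table Date, Time, Message -AutoSize
```

On the sample data only the second entry is reported: the third is an error too, but a generic exit code says nothing about network access, and filtering on type alone would hide the distinction the article draws between a share the client could not reach and an installer that simply failed.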
In contrast to the advanced client, the SMS 2003 legacy client can use the Software Installation Account. This account is used not only to access non-SMS shares during software installation, just as the Advanced Client Network Access Account is, but also to perform the installation itself. At run time the account is elevated, if necessary, to administrative privileges.
Understanding how network communication works for each client during software distribution helps pinpoint failures when they occur. Execmgr logging (advanced client) or SMSAPM32 logging (legacy client) is usually the place to track down the cause of an error.
Steve Rachui is a Manageability Support Escalation Engineer in the Product Support Services group at Microsoft. He has supported SMS since its introduction. Steve can be reached at steverac@microsoft.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.