RE: SMS 2.o SP5 and XP-SP2 errors
mjacques_at_phcs.com
Date: 09/27/04
- Next message: TerryM: "Re: Best practice: New distribution point"
- Previous message: Mike Dobson: "Re: Sms 2003 advanced Clients report no to admin console but i can still connect"
- In reply to: Keith P. Rutledge [MSFT]: "RE: SMS 2.o SP5 and XP-SP2 errors"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 27 Sep 2004 06:47:12 -0700
There is a hot fix available that needs to be installed also,
see KB832862
>-----Original Message-----
>There are two primary causes for this and they are documented on two
>different web pages, so I am including the URLs and the text (with some
>editing) for easy access:
>
> Here is the relevant section from the Microsoft Systems Management Server
>2003 Clients FAQ (see the last item, "Windows XP SP2").
><http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq03.mspx>
>
>"SMS Administrator console: Windows Firewall has three settings: On, On
>with no exceptions, and Off. When you select the Don't allow exceptions
>check box, the SMS Administrator console cannot connect to any SMS site
>database from the Windows XP client. This is by design. If Windows
>Firewall is set to On (recommended), the SMS Administrator console cannot
>display all of the items in the console tree until you add the program
>unsecapp.exe and the port TCP 135 to the list of programs and services on
>the Exceptions tab of Windows Firewall."
>
>You can test this by simply setting the Firewall to Off. If the Admin
>console works at that point, you can enable and configure the firewall
>as follows:
>
>1. Click "Start", open "Control Panel" and launch "Windows Firewall".
>2. From the "General" tab in the "Windows Firewall" applet, ensure that
>Windows Firewall is enabled ("On"), and the "Don't allow exceptions"
>setting is <not> selected.
>
>3. To unblock the network connection for the SMS Administrator console,
>from the "Exceptions" tab, click the "Add Program" button.
>4. From the "Add a Program" dialog box, click the "Browse" button, then
>open the following filename: <%windir%>\system32\wbem\unsecapp.exe
>5. Scope can be defined as necessary by clicking the "Change scope"
>button, then click "OK" to add the unsecapp.exe program to the
>exception list.
>
>6. The program must now be enabled. In the list of "Programs and
>Services", locate the "unsecapp.exe" program that was just added and
>place a check mark next to it.
>7. Click the "Add Port" button.
>8. From the "Add a Port" dialog box, type "135" (without the quotation
>marks) for "Port number", ensure that "TCP" is the protocol selected,
>and type a "Name", for the exception, such as "<SMS Administrator
>Console>" (without the quotation marks).
>9. Scope can be defined as necessary by clicking the "Change scope"
>button, then click "OK" to add the port to the exception list.
>
>10. The port setting must now be enabled. In the list of "Programs and
>Services", locate the exception that was just added, such as < "SMS
>Administrator Console" (without the quotation marks)> and place a check
>mark next to it.
>11. Click "OK" to save changes and close the "Windows Firewall" applet.
>
>
>In certain situations, adding the program unsecapp.exe and the port TCP 135
>to the list of programs and services on the Exceptions tab of Windows
>Firewall is not sufficient. You might also require:
>
>1. Anonymous remote access rights in DCOM, and
>
>2. You might need to change the security policy for the client computer so
>that Local Policies\Security Options\Network Access: Let Everyone
>permissions apply to anonymous users is set to Enabled. This security
>policy can be set through Active Directory Group Policy or local security
>policy.
>
>*** You should only make these changes if adding the program unsecapp.exe
>and the port TCP 135 to the exceptions list does not resolve the problem.
>
>BOTH STEPS MUST BE DONE FOR THIS TO WORK!
>
>-- STEP ONE:
>
>To allow anonymous remote access in DCOM:
>
>1. From the Start menu, click Run and type Dcomcnfg.exe.
>
>2. In Component Services, click Console root, click Component Services,
>click Computers, and then click My Computer. On the Action menu, click
>Properties.
>
>3. In the My Computer Properties dialog box, on the COM Security tab, in
>the Access Permissions section, click Edit Limits.
>
>4. In the Access Permissions dialog box, grant Anonymous Logon allow Remote
>Access.
>
>
>-- STEP TWO:
>Change the security policy for the client computer so that Local
>Policies\Security Options\Network Access: Let Everyone permissions apply
>to anonymous users is set to Enabled. This security policy can be set
>through Active Directory Group Policy or local security policy.
>
>1. Open Secpol.msc at the Run line.
>2. Security setting >> Local Policies >> Security Options
>3. Enable -- Network access: Let Everyone permissions apply to anonymous
>users.
>
>Best Regards,
>
>Keith Rutledge, MCSE NT4/2000
>Microsoft Online Support Engineer
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via
>your newsreader so that others may learn and benefit
>from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
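The firewall steps 1 to 11 quoted above can also be applied from a command prompt with the `netsh firewall` context that ships with Windows XP SP2. This is an added example, not part of either poster's message: the site server address is a placeholder, and the CUSTOM scope is an assumption that narrows the "Change scope" step to that single host. The closing `reg query` reads the registry value behind "Network access: Let Everyone permissions apply to anonymous users", so the state of that fallback setting can be confirmed.

```batch
@echo off
rem Added example (not from the original thread): scripted form of the
rem Windows Firewall steps for the SMS Administrator console on XP SP2.

rem Placeholder address for the SMS site server (assumption, replace it).
set SITE_SERVER=192.0.2.10
rem Exception name suggested in step 8 of the quoted procedure.
set RULE_NAME=SMS Administrator Console

rem Steps 1-2: show the operational mode. The firewall should be enabled
rem and the exception mode must not be disabled ("Don't allow exceptions").
netsh firewall show opmode

rem Steps 3-6: allow unsecapp.exe, limited to the site server only.
netsh firewall add allowedprogram program="%windir%\system32\wbem\unsecapp.exe" name="unsecapp.exe" mode=ENABLE scope=CUSTOM addresses=%SITE_SERVER%
if errorlevel 1 goto failed

rem Steps 7-10: open TCP 135 with the same restricted scope.
netsh firewall add portopening protocol=TCP port=135 name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%SITE_SERVER%
if errorlevel 1 goto failed

rem Step 11 equivalent: list what is now in the exception lists.
netsh firewall show allowedprogram
netsh firewall show portopening

rem Fallback setting from STEP TWO: 0x1 means "Let Everyone permissions
rem apply to anonymous users" is Enabled, 0x0 means Disabled.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous
goto :eof

:failed
echo Could not add the firewall exception; check the netsh output above. 1>&2
exit /b 1
```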