Steve Harris

Some pictures, the odd grumble and a bit of IT
Follow me on Twitter
View my Photostream

System Configuration Manager 2007 R2 Gone Bad

I should title this system configuration manager gone bad #1 as I am sure this will not be the last time I will be writing about it.
In a situation where the success of advertisments to desktops is unpredictable and deployment of packages to desktops are not working start with the following article, during which if you notice that your servers mp_location.log error is full of errors return to this post and read on.
Insider’s Guide to Troubleshooting Client Content Download in Configuration Manager 2007
Step 3 of the article above desribes the mp_location.log file found on your Management Point server under \Program Files\SMS_CCM\Logs\, and possible errors it may contain. But it does not cover the following error which if you are using Trace32 from the Configuration Management Toolkit V2 will be a screen of red.

SQL Server Name : database_servername
SQL Database Name : sms_sitename
Integrated Auth : True

MPDB Method : Init()
MPDB Method HRESULT : 0×80004005
Error Description : Cannot open database “sms_sitename” requested by the login. The login failed.
OLEDB IID : {0C733A8B-2A1C-11CE-ADE5-00AA0044773D}
ProgID : Microsoft OLE DB Provider for SQL Server

SQL Server Name : database_servername
Native Error no. : 4060
Error State : 1
Class (Severity) : 11
Line number in SP : 1

In addition your database server may well be logging event id 6512

Event Type: Error
Event Category: (2)
Event ID: 6512
Date: 24/11/2010
Time: 18:18:53
User: domain\serviceaccount
Computer: database_servername
Failed to initialize the Common Language Runtime (CLR) v2.0.50727 with HRESULT 0×80004005. You need to restart SQL server to use CLR integration features.

When you check the whether CLR is enabled using the SQL Server Surface Area Configuration you may find it is, and that it has been enabled in the past because advertisments and deployments worked in the past.
It is the solution though, no matter how much you don’t like it, a critical update or service pack may have been applied to the .net framework 2.0 since it last worked and SQL Server requires a restart. If you want to be sure you can browse the database assemblies under programability and you will probably receive the same error message.
Time to suck it up, stay late and do a 30 second restart of the SQL server and agent services. Following that restart the SMS Executive and related services on your Configuration Manager server and within minutes your world will be a better place.

Find an SMTP address in your Exchange Organisation

I can’t remember when it stopped working but nowadays you cannot use Microsoft Outlook to match an SMTP address to a user if it’s not the primary address. It is useful if you get the duplicate address exists error message of if you are simply trying to locate a mailbox. This one I keep forgetting so that I have some reference here is the graphical way of doing it:-

  • Launch Active Directory Users and Computers from the start menu;
  • Right click the domain and select Find;
  • In the Find drop down list select Custom Search;
  • Change to the Advanced tab and in the LDAP query field enter “” (minus the double quotations);
  • Click the Find Now button.

All being well you should now have your mystery mailbox.

Setting permissions on Windows Service Accounts

Permissions to start, stop and query the status of windows services can be set using group policy, however if you want to set permissions on a specific service on a specific server and not mess about with group policy filtering the following can be done.

The first thing to remember is that not all services are the same so the process will not always be the same, furthermore it appears that certain services will not allow domain groups to be specified whereas other will.

Secondly you will need to download a copy of sc.exe from

Now the boring stuff. Setting permissions on services is done using security descriptors and is formatted according to Security Descriptor Definition Language (SDDL). More information regarding this can be found by following the links in this post.

The current security descriptor of a service can be viewed using sc sdshow “service name” e.g. sc sdshow “GFI NSM 7 Engine”.

The output of this is pretty unreadable however an explanation of the output can be found here

The link above contains a great deal of useful information however in my case I found that the section which described setting the descriptor to allow a user to start and stop a service only allowed for the service to be stopped. I found a good tip on this site, the approach suggested here is to copy the descriptor from either the User Interface (UI) or Authenticated User (AU) section and modify who it applies to.

For me the following worked:-

  1. Obtain the SID of the user or group, in this case I used a group;
  2. Obtain the current descriptor using the sc sdshow command above, copy the output to the clipboard, paste in to notepad and correct the word wrapping;
  3. Save this as your original descriptor so that you can go back to it in the future;
  4. Enter the first part of the command but do not press enter sc sdset “service name”
  5. Now copy and paste the contents of your notepad to the end of the line, but still do not press enter;
  6. The descriptors to allow a service to be started, stopped and queried are usually LC, CR, RP and WP. But try and get away with the bare minimum or use the suggestion above i.e. copy the AU or UI descriptor.
  7. So add the following to the end of the command line (A;;LCCRRPWP;;;<insert SID>) e.g. (A;;LCCRRPWP;;;S-1-5-21-2964678487-1243059729-2897732695-7012)
  8. Now press enter;
  9. All being well you will receive a successful message.

As the entire command can be quite long a further example showing it all together is here….

sc sdset “GFI NSM 7 Engine” D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

If this is a one time change and you do not intend this change to apply to more than a couple of services on a server this is a perfect solution to allow ‘normal’ users to start and stop services remotely using SC stop and SC start. However if you have a requirement to do this for more servers then go the GPO route, its easier to manage.