Home > SharePoint, Windows Server 2008 R2 > DCOM Config in Windows Server 2008 R2

DCOM Config in Windows Server 2008 R2

I have recently installed SharePoint 2007 on Windows Server 2008 R2 and ran into a rather peculiar security feature in R2.

As most SharePoint Administrators would have come across the DCOM Config error [Error No 10016], this error does not break the SharePoint farm but errors fill up the error log. The solution for this is give local activation permissions to the service account for the IIS WAMREG Admin Service and the error goes away.

But in the new Windows Server 2008 R2 environment, this was not the case. I could not make any changes to the properties of IIS WAMREG Admin Service through the Component Services Administrative Tool. All the properties were grayed out and I could not change the local and activation permissions from the security tab. My initial reaction was that I did not have sufficient permissions on the box which cannot be true as I am an Administrator on this particular box.

After some investigation, I found that I indeed did not have permissions to make changes to the component services. So, I tried assigning myself permissions;

I opened “REGEDIT and I navigated to the following key

HKLM -> SOFTWARE -> Classes -> AppID -> {61738644-F196-111D0-995300C04FD919C1}

I right clicked on this AppID and selected permissions.

The first thing you notice under security is that Administrators only have read access to this service. That explains why the settings are grayed out in DCOM Config. I tried to give the administrators full control but I got the following message

Unable to save permission changes on {61738644-F196-111D0-995300C04FD919C1}.

Access is denied.

I also noticed the only person or service which has full control over this is the “TrustedInstaller”. This was really strange for me, then I clicked on advanced and under the owner tab, current owner was listed as “TrustedInstaller”. Under that there is an option to change owner to either the administrators group or my own user account. I simply changed the owner to the administrators group and restarted the component services. Guess what, I was able to modify properties of the IIS WAMREG Admin Service.

This is a new security feature in R2 which prevents changes to the component services even though you are Administrator on the server, if you need to change the properties of any component services, you need to assume ownership through the registry editor.

Note: Do not change the permissions levels of the “TrustedInstaller”, this will cause problems during installations.

  1. Andreas
    February 3, 2011 at 10:21 am

    Good that you have acknowledge this security feature in Windows 2008 R2. Now i can move further with my configuration :).

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: