Fixing the DCOM error: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

Two errors relating to DCOM activation can appear when you use a least-privilege install approach on SharePoint 2010:


The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
and APPID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user <FARM ID> SID (<FARM ID SID>) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.


The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
and APPID
{000C101C-0000-0000-C000-000000000046}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.


Fixing them on a 2008 R2 server is a two-step process:

First, go to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046} in the registry and change the permissions on the key so that the local Administrators group owns it, then grant the local Administrators group permission to modify the key.

Second, open the two DCOM components in Component Services (the one starting with 61738644 is our favourite, the IIS WAMREG Admin Service, which we first met, for the same problem, back in SharePoint 2007) and grant the account named in the error message Local Activation and Remote Activation permissions.

I’ve seen this fix work on 2003 and 2008 as well… but it may have been post-SP n…

Done!
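
To record the state before the two steps and confirm it afterwards, the following read-only PowerShell audit (an added example, not part of the original post) prints the owner and ACL of each AppID key and decodes its LaunchPermission value, falling back to the machine-wide DefaultLaunchPermission when no per-application value exists. It assumes an elevated prompt on the affected server; the helper name Show-LaunchAcl is hypothetical.

```powershell
# Added example (not from the original post): read-only audit, changes nothing.
# Assumption: run from an elevated prompt on the server that logs the DCOM errors.
$appIds = @(
    '{61738644-F196-11D0-9953-00C04FD919C1}'   # IIS WAMREG Admin Service
    '{000C101C-0000-0000-C000-000000000046}'
)

# COM launch/activation access-mask bits (COM_RIGHTS_* in the Windows SDK)
$comRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'
                8 = 'LocalActivation'; 16 = 'RemoteActivation' }

# Hypothetical helper: decode a REG_BINARY launch permission and list its ACEs
function Show-LaunchAcl([byte[]]$Bytes) {
    # The registry value is a self-relative security descriptor
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }            # SID that no longer resolves
        $rights = $comRights.Keys | Sort-Object |
                  Where-Object { $ace.AccessMask -band $_ } |
                  ForEach-Object { $comRights[$_] }
        '    {0,-13} {1,-35} {2}' -f $ace.AceType, $who, ($rights -join ', ')
    }
}

foreach ($id in $appIds) {
    $key = "HKLM:\SOFTWARE\Classes\AppID\$id"
    $acl = Get-Acl -Path $key
    "AppID $id"
    "  key owner: $($acl.Owner)"
    $acl.Access | ForEach-Object {
        '  key ACL  : {0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
    }
    $launch = (Get-ItemProperty -Path $key).LaunchPermission
    if ($launch) {
        '  LaunchPermission (application-specific):'
        Show-LaunchAcl $launch
    } else {
        # No per-application value: COM falls back to the machine-wide default
        $default = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
        '  LaunchPermission not set; machine default applies:'
        if ($default) { Show-LaunchAcl $default } else { '    (built-in system default)' }
    }
}
```

Both errors quoted above name only Local Activation, so after the fix the account from the error message should be listed with LocalActivation; the output also shows whether RemoteActivation was granted alongside it and who owns each key.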


About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

11 Responses to Fixing the DCOM error: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

  1. Nic says:

    I am confused with the second step:

    Second, go to the 2 DCOM components (the one starting with 61738644 is our favourite IIS WAMREG Admin Service which we first met – for the same problem – back in SharePoint 2007) and assign the account in the error message local and remote activation permissions.

    Where do I find the 2 DCOM components?

    Thanks,
    Nic

  2. Brad Saide says:

    In the Administrative tools area of the Control Panel, you will see an item called “Components” or “Component Services” – click it and drill through to the DCOM config. Done!

  3. Nic says:

    Thank you for the quick reply! I found the two DCOM errors and when I right click on them in DCOM config, and go to properties, I am unable to make any changes. Everything is greyed out. I essentially need to change the launch and access permissions, correct?

  4. @Nic – it’s greyed out because you don’t have permission. Open regedit. Right-click on the CLSID (ex… {61738644-F196-11D0-9953-00C04FD919C1}) and choose Permissions > Advanced. Then go to the Owners tab. Select the Administrators group for the server (make sure you’re a member or the login you’re using is in the Administrators group). Click Apply then Okay. This will change the owner to the Administration group (most times the TrustedInstaller is set as the owner).
    Then on the Security tab check the Administrators group has Full Control checked. Now you can go to Components and the boxes won’t be greyed out. If you already had Components open you will have to close and then reopen the program. Hope this helps 🙂

  5. lee088 says:

    Is it the same in server 2003?

  6. Andrew R. Kervin says:

    Similar issue here... (novice) Server 2011, tried to follow the instructions you gave, changed owner on branch in regedit “{61738644-F196-11D0-9953-00C04FD919C1}”, but still not able to change permissions in Component Services.

    here is the full error:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {61738644-F196-11D0-9953-00C04FD919C1}
    and APPID
    {61738644-F196-11D0-9953-00C04FD919C1}
    to the user SIGSMILES\spfarm SID (S-1-5-21-3402856012-2255539623-3850930472-1157) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    IISADMIN is the local service listed at the registry key above.

    any help would be appreciated.

  7. Adam says:

    This is a huge security risk making it part of the administrators group. Basic security 101, especially global admin passwords stored in memory-cache that isn’t flushed. I would NOT recommend doing this.

    • Brad Saide says:

      Hey Adam, thanks for your feedback. You do know of course that nobody is making anything part of the admin group? It may be worth re-reading the solution again (carefully) to get the full picture… 😉

      Two steps are involved: rights to edit the registry key are granted to the local admin group. Next, the user that was not able to activate the DCOM service is added to the local and remote activation policy of the service (this is what the error msg in the event log complains about).
