Tagline: Fix your SharePoint DCOM issues with a single click!
The dreaded DCOM error (10016, DistributedCOM, Local Activation, IIS WAMREG admin Service) has been around ever since SharePoint 2007. It carried over to SharePoint 2010 and now, it seems, to SharePoint 2013 as well.
Fixing it wasn’t all that hard. You had to identify the DCOM app based on the GUID, identify the affected user(s) and then modify the Local Activation permissions accordingly.
Windows Server 2008 R2 and higher made that a bit harder. You first have to set the permissions of the DCOM app in the registry, but that requires changing the owner, granting permissions on the registry key, granting local activation, and then undoing your permission and owner change on the registry key (keep things tidy, you know).
That is quite a few manual steps, so I decided to automate them.
At first I wanted to PowerShell it, but I’m not a PoSH hero, so I decided to use some readily available tools along with a bit of batch scripting.
The two tools required are:
dcomperm: This tool is provided as sample source code by Microsoft, but I’ve included a compiled version in the download. It takes various parameters to list, set or remove permissions on various DCOM objects.
DevxExec: This tool allows you to run a process under different credentials, including TrustedInstaller, which will make our life a lot easier.
» Link: DevxExec
This tool eliminates the need to change the permissions in the registry, since our TrustedInstaller account already has them and we’re impersonating that account!
Putting it together
I have two scripts that use the dcomperm tool: one for displaying the current permissions and one for setting them. Note that APPID and USER (which can be a user or a group) in both files are currently configured for the IIS WAMREG admin Service and the IIS_IUSRS built-in group. You can change these if you want.
dcomperm -al %appid% list
dcomperm -al %appid% set %user% permit level:la
Then I have a corresponding batch file that will run each in elevated mode as TrustedInstaller using devxexec.
devxexec /user:TrustedInstaller get_dcom_perms.cmd
The outcome is that we can just run the run_set_elevated script, which will impersonate the TrustedInstaller account and grant local activation permissions to our IIS_IUSRS group for the DCOM app.
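To check the result independently of dcomperm, the launch and activation ACL can be read straight from the registry. The PowerShell below is an added example, not part of the original download; it assumes the AppID from the 10016 event is passed in, and the function name Get-DcomLaunchAce is made up for this illustration.

```powershell
# Added example (not from the original download): list who holds launch and
# activation rights on one DCOM application, to verify the result of the fix.
param(
    # AppID GUID in braces, copied from the 10016 event (same value as APPID in the scripts)
    [Parameter(Mandatory = $true)][string]$AppId
)

# COM access-mask bits (COM_RIGHTS_* constants in the Windows SDK)
$ComRights = @{
    Execute        = 0x01
    LocalLaunch    = 0x02
    RemoteLaunch   = 0x04
    LocalActivate  = 0x08   # what "level:la" grants
    RemoteActivate = 0x10
}

function Get-DcomLaunchAce {
    param([string]$AppId)

    $key   = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $value = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).LaunchPermission
    if ($null -eq $value) {
        # No per-application ACL: the machine-wide default launch permissions apply
        Write-Warning "No LaunchPermission value under $key"
        return
    }

    # The value is a self-relative security descriptor stored as REG_BINARY
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $value, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # orphaned SID: show it raw
        $held = $ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] } | Sort-Object
        New-Object PSObject -Property @{
            Principal = $who
            AceType   = $ace.AceType
            Rights    = $held -join ', '
        }
    }
}

Get-DcomLaunchAce -AppId $AppId | Select-Object Principal, AceType, Rights | Format-Table -AutoSize
```

After run_set_elevated has been run, the IIS_IUSRS row should include LocalActivate; any principal holding RemoteLaunch or RemoteActivate that you did not expect is worth reviewing.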