SharePoint and the Local Activation permission on DCOM objects on 2008R2

Another SharePoint farm installation, another problem.

I had to install SharePoint 2007 (don’t ask..) on a Windows Server 2008R2 development machine. This is quite doable, as long as you install Service pack 2 of SharePoint. I figured it would be no problem and just another install, like I’ve done a gazillion times before.

Everything went quite well and because of the SSD disk, the installation didn’t take as long as I was used to. After the full installation was done I checked the Event Log to see if I maybe forgot something. Most of the time there’s something wrong with the Search services or something else which is easily forgotten. This time I saw a familiar message of some COM object not being able to start because of a permission error. A message similar as this one:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID


to the user **[account and SID]**. This security permission can be modified using the Component Services administrative tool.

I’ve seen this a few times before and knew how to fix it.

Start up the Component Services on the machine:


Expand the treeview of the Component Services on My Computer:


Now for the tricky part, search the component which has the same GUID as the error message has. This sounds easy, but the downside is you can’t sort the Application ID column. Lucky for us you can also do a search in the registry for this GUID and it’ll tell you what the component’s name is.


As you can see it’s the IIS WAMREG admin Service


Knowing the name makes the search a bit easier as the list is sorted alphabetically.

Right-click on the component and view the properties of it. Navigating to the Security tab gives you some options, but as you can see all of these options are disabled on a Windows 2008R2 machine.


Apparently the security model has changed a bit on Windows 2008R2 as these were still enabled on Windows 2008. Opening the Component Services as an Administrator makes no difference in what you will see.

Lucky I was able to find a solution for this problem. Quote:

_The reason for it being disabled is that this dialog is mapped to a key in the registry which theTrusted Installer is owner of and everyone else only has read permissions. The key used by the IIS WAMREG admin is:


Well, that just means we have to change this registry key. Just navigate to this key again, select the permissions on the key:


Click the Advanced button and navigate to the Owner tab:


Select the Administrators group and hit the Apply button.

Now you are able to give the Administrators group_ Full Control_ on the registry key


After you’ve done that you need to restart the Component Services and after doing so you’ll be able to change the Launch and Activation Permissions


Add the account which was mentioned in the event log entry and assign the Local Launch and Local Activation permissions to it.

Now you’re done!


comments powered by Disqus