
Wictor Wilén

SharePoint Server MVP / Author / MCT / MCTS / MCP / MSc writing about SharePoint and other interesting Microsoft technologies

Fix the SharePoint DCOM 10016 error on Windows Server 2008 R2

If you have installed SharePoint, you have probably also seen and fixed the DCOM 10016 error. This error is logged in the event log when the SharePoint service accounts don't have the necessary permissions (Local Activation to the IIS WAMREG admin service). Your farm will still function, but your event log will be cluttered.

On a Windows Server 2003 or Windows Server 2008 machine you would just fire up the dcomcnfg utility (with elevated privileges) and enable Local Activation for your domain account.

But on Windows Server 2008 R2 (and Windows 7, since they share the same core) you cannot do this: the property dialog is entirely disabled due to permission restrictions. It doesn't matter if you are logged in as an administrator or using elevated privileges. The change is probably due to some new security improvements.

dcomcnfg - all disabled

The reason for it being disabled is that this dialog is mapped to a key in the registry which the Trusted Installer is owner of and everyone else only has read permissions. The key used by the IIS WAMREG admin is:

HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}

Registry permissions on R2 Registry permissions on R1

Image on the left shows the default permissions for Windows Server 2008 R2 and on the right the default settings for Windows Server 2008.

To be able to change the Launch and Activation Permissions with dcomcnfg you have to change the ownership of this key. Start the registry editor (regedit), find the key, click Advanced in the Permissions dialog of this key and select the Owner tab. Now change the owner of the key to, for example, the Administrators group, then give the Administrators group Full Control. Make sure not to change the permissions for TrustedInstaller.

Now restart the dcomcnfg application, find the IIS WAMREG application once more, and set the Launch and Activation settings that you need to get rid of the DCOM 10016 error.

Unlocked!
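
To check the state of the key before and after the change described above, the following read-only PowerShell audit reports the owner, who has write access, and which accounts the Launch and Activation descriptor grants Local Activation. It is an added example, not code from the original post; it assumes the English account name `NT SERVICE\TrustedInstaller`, and the `LaunchPermission` value name and the COM access-mask bits come from Windows itself rather than from the post.

```powershell
# Added example: read-only audit, makes no changes. Run from an elevated prompt.
$appId = '{61738644-F196-11D0-9953-00C04FD919C1}'   # IIS WAMREG AppID from the post
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\AppID\$appId",
    # 32-bit view reported in the comments as also needing the change
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\$appId"
)
# COM access-mask bits used in launch/activation security descriptors
$comRights = @{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Resolve-Sid($sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # show the raw SID if it cannot be resolved
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "[$key] not present"; continue }
    $acl = Get-Acl -Path $key
    # Assumption: English account name; a changed owner means the key was unlocked
    $state = if ($acl.Owner -eq 'NT SERVICE\TrustedInstaller') { 'default' } else { 'CHANGED' }
    Write-Output "[$key]"
    Write-Output "  Owner: $($acl.Owner) ($state)"

    # Who can write to the key, i.e. who can now edit the DCOM settings
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
    } | ForEach-Object { Write-Output "  Write access: $($_.IdentityReference) ($($_.RegistryRights))" }

    # Launch and Activation Permissions are stored as a binary security descriptor
    $bytes = (Get-ItemProperty -Path $key -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if ($null -eq $bytes) { Write-Output '  LaunchPermission: not set (machine default applies)'; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { continue }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        $rights = $comRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
            ForEach-Object { $comRights[$_] }
        Write-Output "  $($ace.AceType): $(Resolve-Sid $ace.SecurityIdentifier) -> $($rights -join ', ')"
    }
}
```

An owner reported as CHANGED after the fix is a reminder to hand ownership back to TrustedInstaller once the activation rights are set.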

Good luck!

WARNING: Changing the registry may seriously damage your server. Everything is at your own risk!

Comments and trackbacks

#  Rock out! by Clayton Cobb
That's what I needed! Thanks, Wictor.
#  Alrighty by Tobias Zimmergren
So you're saying you don't take responsibility if I mess up my Production server? Come on mate, that's not fair ;-) Nice findings.
#  @Tobias by Wictor
If I could find a way to return the ownership to trusted installer then I could arrange a special support for you, for a small 6-digit amount :-)
#  Issue by NIck S
I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)
#  Re: Issue by Wictor
Are you running as administrator and with elevated privs?
#  Re: Issue by Chris P
Did you go into Advanced and Take Ownership for the machine administrators group (assuming your account is one)?
#  Thank You by Niklas
for this!
#  @Niklas by Wictor
You're welcome!
#  No EPAL by Nick S
If you mean that, I'm using the local administrator account. And corp win admin can't manage that issue ;/
#  Fixed by Nick
Thank You Chris P.
#  Revert owner back to initial condition by Ricardo Santos
Thanks, Wictor! Your time avoided me a real pain. I'm sure it's probably figured out by now, but just to complete the info on your post, if you wish to revert the owner (after you gave Full Control to whatever group you wanted ;-)), it's very simple: Just change the owner back to "NT SERVICE\TrustedInstaller" - accounts running as services have this special nomenclature and don't show under any query on local SAM ;-) And there it is, back as if nothing was changed :-) But now you can go about fixing those damned IIS WAM Reg rights and end the DCOM errors (Y)
#  Thank you! by Dinesh
Hi Wictor, Exactly what I was looking for. Thank you very much for the information!!
#  Thank you ! by Mitch
I was banging my head trying to figure this out. Never would have found it without your post. Thanks!
#  This works by Sameer Dhoot
Thank you, this works as described.
#  Yes, This works by windows server support
very well described with full graphical representation
#  This helps a lot by Eugene
Hi, Thanks for the posting. It works. Cheers
#  Even helps with SP2010 by Craig
Yes, that's right, MS still haven't fixed this for SharePoint 2010...
#  Still greyed out... by Steve Gibson
Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have run Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CLSID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?
#  Thank you! by cesar
it works very well. Keep posting please.
#  Thanks! by William
This worked great! Thanks for taking the time buddy! Much appreciated.
#  Thank you! So very much by Des
I have been at a loss over this problem for ages... most other results I got were in Chinese :)
#  Help - Still Greyed out by David W
I was able to edit the registry - change owner - change permissions - But still no joy. Security tab is still greyed out. Suggestions ????
#  dcomcnfg property sheet is grayout by Trackback
I was asked the following: "On Windows Server 2008 R2, when I try to configure DCOM with dcomcnfg (Component Services), the property sheet cannot be changed, so I can't do it. I want to change the activation settings; what should I do?"
#  When the Security tab of DCOM Config is disabled in Component Services (dcomcnfg) by Trackback
I was asked the following: "On Windows Server 2008 R2, when I try to configure DCOM with dcomcnfg (Component Services), the property sheet cannot be changed, so I can't do it. I want to change the activation settings; what should I do?"
#  SSO22Kerbmap on Windows Server 2008 by Trackback
Installation: Installation of the CA, the front end and the SSP with the authentication type Negotiate (Kerberos), as described in Part 1
#  Windows Server 2008 by Trackback
Installation: Installation of the CA, the front end and the SSP with the authentication type Negotiate (Kerberos), as described in Part 1
#  Not working by Cormac E
I've still got the error, 'Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005.' It didn't fix my problem. WS 2008 R2, 64 bit... Help!
#  Awesome! by Brad Turner
Worked great, this applies to FIM 2010 portals running under WSS 3.0 and 2008 R2.
#  Another Still Greyed Out by Chris L
I am also having the problems that David W and Steve Gibson are. Permissions are changed in the registry yet I am not allowed access to make any changes to the settings. Even after rebooting and logging in as the local admin.
#  RE:Still Greyed out by Blair
To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component.
#  Greyed out by Angus
The key is HKLM\Software\Wow6432node\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}
#  Greyed out by Angus
Sorry, not clear, if you are still not able to modify the permissions. Modify the permissions as Blair has mentioned but I found the key to be as follows: HKLM\Software\Wow6432node\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}. You may need to update both keys to change the permissions as desired.
#  Change Owner by Debbi
How do you change the owner back to TrustedInstaller?
#  Return Owner to TrustedInstaller by Kevin
To return the owner back to trusted installer, Go to the owners tab, click "Other users or groups...", if your server is part of a domain, click Location and select the server name and click OK. Enter "NT SERVICE\TrustedInstaller" as the object name and click "Check Names". Click OK. Click Apply to set TrustedInstaller as the owner, then click OK. You can also check the following blog entry for a walk through: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx