Add to My Yahoo! | Google Reader or Homepage | Add to Windows Live | Add to Windows Live Alerts

Wictor Wilén

Microsoft Certified Master (MCM) - SharePoint 2010 | Microsoft Most Valuable Professional (MVP) - SharePoint Server MVP | Author

Fix the SharePoint DCOM 10016 error on Windows Server 2008 R2

Posted at 2009-08-17 11:52 by Wictor Wilén in SharePoint , Security , Windows Server 2003 , Windows Server 2008 , Windows Server 2008 R2 with 61 comments.

If you have been installing SharePoint you have probably also seen and fixed the DCOM 10016 error. This error occurs in the event log when the SharePoint service accounts doesn't have the necessary permissions (Local Activation to the IIS WAMREG admin service). Your farm will still function, but your event log will be cluttered.

On a Windows Server 2003 or Windows Server 2008 machine you would just fire up the dcomcnfg utility (with elevated privileges) and enable Local Activation for your domain account.

But for Windows Server 2008 R2 (and Windows 7, since they share the same core) you cannot do this, the property dialog is all disabled due to permission restrictions. It doesn't matter if you are logged in as an administrator or using elevated privileges. The change is probably due to some new security improvements.

DCOMCNG - all disabled

The reason for it being disabled is that this dialog is mapped to a key in the registry which the Trusted Installer is owner of and everyone else only has read permissions. The key used by the IIS WAMREG admin is:

HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}

Registry permissions on R2 Registry permissions on R1

Image on the left shows the default permissions for Windows Server 2008 R2 and on the right the default settings for Windows Server 2008.

To be able to change the Launch and Activation Permissions with dcomcnfg you have to change the ownership if this key. Start the registry editor (regedit), find the key, click Advanced in the Permissions dialog of this key and select the Owner tab. Now change the owner of the key to the administrators group for example, then set full control to the administrators group. Make sure not to change the permissions for the TrustedInstaller.

Now you have to restart the dcomcnfg application and once find the IIS WAMREG application and then set the Launch and Activation settings that you need to get rid of the DCOM 10016 error.

Unlocked!

Good luck!

WARNING: Changing the registry may seriously damage your server. All is on your own risk!

Comments and trackbacks

#  Rock out! by Clayton Cobb
Screenshot from websnpr That's what I needed! Thanks, Wictor.
#  Alrighty by Tobias Zimmergren
Screenshot from websnpr So you're saying you don't take responsibility if I mess up my Production server? come on mate, that's not fair ;-) Nice findings.
#  @Tobias by Wictor
Screenshot from websnpr If I could find a way to return the ownership to trusted installer then I could arrange a special support for you, for a small 6-digit amount :-)
#  Issue by NIck S
Screenshot from websnpr I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)
#  Issue by NIck S
Screenshot from websnpr I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)
#  Issue by NIck S
Screenshot from websnpr I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)
#  Re: Issue by Wictor
Screenshot from websnpr Are you running as administrator and with elevated privs?
#  Re: Issue by Chris P
Screenshot from websnpr Did you go into Advanced and Take Ownership for the machine administrators group(assuming your account is one)?
#  Thank You by Niklas
Screenshot from websnpr for this!
#  @Niklas by Wictor
Screenshot from websnpr You're welcome!
#  No EPAL by Nick S
Screenshot from websnpr If u mean that, im using local administrator account. And corp win admin cant manage that issue;/
#  Fixed by Nick
Screenshot from websnpr Thank You Chris P.
#  Revert owner back to initial condition by Ricardo Santos
Screenshot from websnpr Thanks, Wictor! Your time avoided me a real pain. I'm sure it's probably figured out by now, but just to complete the info on your post, if you wish to revert the owner (after you gave Full Control to whatever group you wanted ;-)), it's very simple: Just change the owner back to "NT SERVICE\TrustedInstaller" - accounts running as services have this special nomenclature and don't show under any query on local SAM ;-) And there it is, back has if nothing was changed :-) But now you can go about fixing those danmed IIS WAM Reg rights and end the DCOM errors (Y)
#  Thank you! by Dinesh
Screenshot from websnpr Hi Wictor, Exactly what I was looking for. Thank you very much for the information!!
#  Thank you! by Dinesh
Screenshot from websnpr Hi Wictor, Exactly what I was looking for. Thank you very much for the information!!
#  Thank you! by Dinesh
Screenshot from websnpr Hi Wictor, Exactly what I was looking for. Thank you very much for the information!!
#  Thank you ! by Mitch
Screenshot from websnpr I was banging my head trying to figure this out. Never would have found it without your post. Thanks!
#  This works by Sameer Dhoot
Screenshot from websnpr Thanks you, this work as described.
#  Yes, This works by windows server support
Screenshot from websnpr very well described with full graphical representation
#  This helps a lot by Eugene
Screenshot from websnpr Hi, Thanks for the posting. It works. Cheers
#  Even helps with SP2010 by Craig
Screenshot from websnpr Yes, that's right, MS still haven't fixed this for SharePoint 2010...
#  Still greyed out... by Steve Gibson
Screenshot from websnpr Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?
#  Still greyed out... by Steve Gibson
Screenshot from websnpr Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?
#  Still greyed out... by Steve Gibson
Screenshot from websnpr Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?
#  Thank you! by cesar
Screenshot from websnpr it works very well. Keep posting please.
#  Thanks! by William
Screenshot from websnpr This worked great! Thanks for taking the time buddy! Much appreciated.
#  Thank you! So very much by Des
Screenshot from websnpr I have been at a loss over this problem for ages... most other results I got were in Chinese :)
#  Help - Still Greyed out by David W
Screenshot from websnpr I was able to edit the registry - change owner - change permissions - But still no joy. Security tab is still greyed out. Suggestions ????
#  dcomcnfg property sheet is grayout by Trackback
Screenshot from websnpr Windows Server 2008 R2でdcomcnfg(コンポーネントサービス)でDCOMの構成をしようとしても、プロパティシートが変更不可になっていて、できない。アクティブ化を変えたいんだけど、どうすればいい?という相談を受けました。
#  コンポーネントサービス(dcomcnfg)でDCOM構成のセキュリティタブが無効になっている場合 by Trackback
Screenshot from websnpr Windows Server 2008 R2でdcomcnfg(コンポーネントサービス)でDCOMの構成をしようとしても、プロパティシートが変更不可になっていて、できない。アクティブ化を変えたいんだけど、どうすればいい?という相談を受けました。
#  SSO22Kerbmap bei Windows Server 2008 by Trackback
Screenshot from websnpr {}Installation{} Installation der CA, des FrontEnds sowie des SSP mit dem Authentifizierungstyp: Negotiate (Kerberos) entsprechend Teil 1
#  Windows Server 2008 by Trackback
Screenshot from websnpr {}Installation{} Installation der CA, des FrontEnds sowie des SSP mit dem Authentifizierungstyp: Negotiate (Kerberos) entsprechend Teil 1
#  Not working by Cormac E
Screenshot from websnpr I've still got the error, 'Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005.' It did.t fix my problem. WS 2008 R2, 64 bit... Help!
#  Awesome! by Brad Turner
Screenshot from websnpr Worked great, this applies to FIM 2010 portals running under WSS 3.0 and 2008 R2.
#  Another Still Greyed Out by Chris L
Screenshot from websnpr I am also having the problems that David W and Steve Gibson are. Permissions are changed in the registry yet I am not allowed access to make any changes to the settings. Even after rebooting and logging in as the local admin.
#  RE:Still Greyed out by Blair
Screenshot from websnpr To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component.
#  RE:Still Greyed out by Blair
Screenshot from websnpr To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component.
#  Greyed out by Angus
Screenshot from websnpr The key is HKLM\Software\Wow6432node\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}
#  Greyed out by Angus
Screenshot from websnpr Sorry not clear, if the you are still not able to modify the permissions. Modify the permissions as Blair as mentioned but I found the key to be as follows: HKLM\Software\Wow6432node\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}. You may need to update both keys to change the permissions as desired.
#  Change Owner by Debbi
How do you change the owner back to TrustedInstaller?
#  Change Owner by Debbi
How do you change the owner back to TrustedInstaller?
#  Return Owner to TrustedInstaller by Kevin
Screenshot from websnpr To return the owner back to trusted installer, Go to the owners tab, click "Other users or groups...", if your server is part of a domain, click Location and select the server name and click OK. Enter "NT SERVICE\TrustedInstaller" as the object name and click "Check Names". Click OK. Click Apply to set TrustedInstaller as the owner, then click OK. You can also check the following blog entry for a walk through: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx
#  @Kevin by Wictor
Screenshot from websnpr Thanks!
#  Thanks by David Jones
Screenshot from websnpr It was good for me too! Thanks
#  Thanks by Pathan
Screenshot from websnpr Thanks a bunch man. You saved the day!
#  Thanks but... by Khocha
Screenshot from websnpr BTW solving this problem starts giving a similar error in System Log for CLSID {000C101C-0000-0000-C000-000000000046} unfortunately, the approach described above does not help with the new error
#  Thanks for information by Vladimir Tsymbalyuk
Screenshot from websnpr
#  Thanks much by Brad Wheler
Screenshot from websnpr This is exactly what I was looking for - lots of instructions on what to change out there on the web, but precious few on how to change it. Cheers.
#  Just the ticket by Paul Mead
Screenshot from websnpr Nice post - thanks for that. Just wish MS would buck up and make default installs of their stuff - "Just Work" TM. This is on a fresh install of SBS 2011.
#  Haha yea right...... by Anthony
Screenshot from websnpr @Paul Mead: I cant even get MS Access 2010 to speak to SQL Server 2008 R2 (developed AFTER Access 2010 was). I cant export nor import without a slew of cryptic errors. I long for the days of Windows 2000, Access 2000, SQL Server 2000 and instead of creating all of this high security crap, MS and society as a whole should have hunted down, prosecuted and imprision anyone who attempted and/or succeeded in tampering, damaging or spying on other people's property. Instead of a world of horrendous products, we'd have a world of respect people who feared screwing with someone else's things.
#  Haha yea right...... by Anthony
Screenshot from websnpr @Paul Mead: I cant even get MS Access 2010 to speak to SQL Server 2008 R2 (developed AFTER Access 2010 was). I cant export nor import without a slew of cryptic errors. I long for the days of Windows 2000, Access 2000, SQL Server 2000 and instead of creating all of this high security crap, MS and society as a whole should have hunted down, prosecuted and imprision anyone who attempted and/or succeeded in tampering, damaging or spying on other people's property. Instead of a world of horrendous products, we'd have a world of respect people who feared screwing with someone else's things.
#  Thanks! by LeadAcid
Screenshot from websnpr It worked great for me!
#  WS2008 R2 SP1 changes everything by Roger
Screenshot from websnpr Unfortunately this methode does not work anymore if you have a clean install of WS2008 R2 SP1 and then install SP2010. Cheers Roger
#  Worked for me! by Esben
Screenshot from websnpr This solved an issue i had on an SBS 2011 server with Remote Web Workplace throwing DCOM errors whenever somebody logged in. Thanks a bunch!
#  Worked for me! by Esben
Screenshot from websnpr This solved an issue i had on an SBS 2011 server with Remote Web Workplace throwing DCOM errors whenever somebody logged in. Thanks a bunch!
#  Security tab greyed out - FIX by Mo Ilyas
Screenshot from websnpr You need to use regedt32 and not just regedit. Thanks for the info.
#  Thanks for the fix by Keith
Screenshot from websnpr Worked perfectly for me! Thanks!
#  Many thanks Wictor by Vince Stanton
Screenshot from websnpr Had the same issue on SBS 2011, this fixed the problem.
#  Thanks for the 64 bit extra key by TimA
Screenshot from websnpr Thanks Blair your comment worked for me
#  Security Greyed out even after Registry Permissions Change by John
Screenshot from websnpr Hi, I am running R2 SP1 and made the changes to the Reg Key as suggested. However, the security tab is still greyed out. I've re-opened the config tool and even rebooted post Reg change to be sure. Anyone else seeing this?
#  Security Greyed out even after Registry Permissions Change by John
Screenshot from websnpr Worked with Blair's Fix. Thanks! "To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component."
Make a comment on this post:
Subject:  

Your name:  
Your Url:  
Note: submissions may have to be approved before being visible, so don't submit your comment multiple times.