This post is migrated from previous hosting provider. There are still some issues with old posts. Please make a comment on this post with any issues.

Fix the SharePoint DCOM 10016 error on Windows Server 2008 R2

Tags: SharePoint, Security, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

If you have been installing SharePoint you have probably also seen and fixed the DCOM 10016 error. This error occurs in the event log when the SharePoint service accounts doesn't have the necessary permissions (Local Activation to the IIS WAMREG admin service). Your farm will still function, but your event log will be cluttered.

On a Windows Server 2003 or Windows Server 2008 machine you would just fire up the dcomcnfg utility (with elevated privileges) and enable Local Activation for your domain account.

But for Windows Server 2008 R2 (and Windows 7, since they share the same core) you cannot do this, the property dialog is all disabled due to permission restrictions. It doesn't matter if you are logged in as an administrator or using elevated privileges. The change is probably due to some new security improvements.

DCOMCNG - all disabled

The reason for it being disabled is that this dialog is mapped to a key in the registry which the Trusted Installer is owner of and everyone else only has read permissions. The key used by the IIS WAMREG admin is:

HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}

Registry permissions on R2 Registry permissions on R1

Image on the left shows the default permissions for Windows Server 2008 R2 and on the right the default settings for Windows Server 2008.

To be able to change the Launch and Activation Permissions with dcomcnfg you have to change the ownership if this key. Start the registry editor (regedit), find the key, click Advanced in the Permissions dialog of this key and select the Owner tab. Now change the owner of the key to the administrators group for example, then set full control to the administrators group. Make sure not to change the permissions for the TrustedInstaller.

Now you have to restart the dcomcnfg application and once find the IIS WAMREG application and then set the Launch and Activation settings that you need to get rid of the DCOM 10016 error.

Unlocked!

Good luck!

WARNING: Changing the registry may seriously damage your server. All is on your own risk!

80 Comments

  • Wictor said

    If I could find a way to return the ownership to trusted installer then I could arrange a special support for you, for a small 6-digit amount :-)

  • NIck S said

    I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)

  • NIck S said

    I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)

  • NIck S said

    I get an error "Access Denied" while saving changed permissions (checking the full control checkbox on administrator group) Any idea?:)

  • Ricardo Santos said

    Thanks, Wictor! Your time avoided me a real pain. I'm sure it's probably figured out by now, but just to complete the info on your post, if you wish to revert the owner (after you gave Full Control to whatever group you wanted ;-)), it's very simple: Just change the owner back to "NT SERVICE\TrustedInstaller" - accounts running as services have this special nomenclature and don't show under any query on local SAM ;-) And there it is, back has if nothing was changed :-) But now you can go about fixing those danmed IIS WAM Reg rights and end the DCOM errors (Y)

  • Steve Gibson said

    Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?

  • Steve Gibson said

    Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?

  • Steve Gibson said

    Hi Wictor, Great post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?

  • Des said

    I have been at a loss over this problem for ages... most other results I got were in Chinese :)

  • David W said

    I was able to edit the registry - change owner - change permissions - But still no joy. Security tab is still greyed out. Suggestions ????

  • Trackback said

    Windows Server 2008 R2でdcomcnfg(コンポーネントサービス)でDCOMの構成をしようとしても、プロパティシートが変更不可になっていて、できない。アクティブ化を変えたいんだけど、どうすればいい?という相談を受けました。

  • Trackback said

    Windows Server 2008 R2でdcomcnfg(コンポーネントサービス)でDCOMの構成をしようとしても、プロパティシートが変更不可になっていて、できない。アクティブ化を変えたいんだけど、どうすればいい?という相談を受けました。

  • Trackback said

    {}Installation{} Installation der CA, des FrontEnds sowie des SSP mit dem Authentifizierungstyp: Negotiate (Kerberos) entsprechend Teil 1

  • Trackback said

    {}Installation{} Installation der CA, des FrontEnds sowie des SSP mit dem Authentifizierungstyp: Negotiate (Kerberos) entsprechend Teil 1

  • Cormac E said

    I've still got the error, 'Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005.' It did.t fix my problem. WS 2008 R2, 64 bit... Help!

  • Chris L said

    I am also having the problems that David W and Steve Gibson are. Permissions are changed in the registry yet I am not allowed access to make any changes to the settings. Even after rebooting and logging in as the local admin.

  • Blair said

    To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component.

  • Blair said

    To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component.

  • Angus said

    Sorry not clear, if the you are still not able to modify the permissions. Modify the permissions as Blair as mentioned but I found the key to be as follows: HKLM\Software\Wow6432node\Classes\AppID\{61738644-F196-11D0-9953-00C04FD919C1}. You may need to update both keys to change the permissions as desired.

  • Kevin said

    To return the owner back to trusted installer, Go to the owners tab, click "Other users or groups...", if your server is part of a domain, click Location and select the server name and click OK. Enter "NT SERVICE\TrustedInstaller" as the object name and click "Check Names". Click OK. Click Apply to set TrustedInstaller as the owner, then click OK. You can also check the following blog entry for a walk through: http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx

  • Khocha said

    BTW solving this problem starts giving a similar error in System Log for CLSID {000C101C-0000-0000-C000-000000000046} unfortunately, the approach described above does not help with the new error

  • Brad Wheler said

    This is exactly what I was looking for - lots of instructions on what to change out there on the web, but precious few on how to change it. Cheers.

  • Paul Mead said

    Nice post - thanks for that. Just wish MS would buck up and make default installs of their stuff - "Just Work" TM. This is on a fresh install of SBS 2011.

  • Anthony said

    @Paul Mead: I cant even get MS Access 2010 to speak to SQL Server 2008 R2 (developed AFTER Access 2010 was). I cant export nor import without a slew of cryptic errors. I long for the days of Windows 2000, Access 2000, SQL Server 2000 and instead of creating all of this high security crap, MS and society as a whole should have hunted down, prosecuted and imprision anyone who attempted and/or succeeded in tampering, damaging or spying on other people's property. Instead of a world of horrendous products, we'd have a world of respect people who feared screwing with someone else's things.

  • Anthony said

    @Paul Mead: I cant even get MS Access 2010 to speak to SQL Server 2008 R2 (developed AFTER Access 2010 was). I cant export nor import without a slew of cryptic errors. I long for the days of Windows 2000, Access 2000, SQL Server 2000 and instead of creating all of this high security crap, MS and society as a whole should have hunted down, prosecuted and imprision anyone who attempted and/or succeeded in tampering, damaging or spying on other people's property. Instead of a world of horrendous products, we'd have a world of respect people who feared screwing with someone else's things.

  • Roger said

    Unfortunately this methode does not work anymore if you have a clean install of WS2008 R2 SP1 and then install SP2010. Cheers Roger

  • Esben said

    This solved an issue i had on an SBS 2011 server with Remote Web Workplace throwing DCOM errors whenever somebody logged in. Thanks a bunch!

  • Esben said

    This solved an issue i had on an SBS 2011 server with Remote Web Workplace throwing DCOM errors whenever somebody logged in. Thanks a bunch!

  • John said

    Hi, I am running R2 SP1 and made the changes to the Reg Key as suggested. However, the security tab is still greyed out. I've re-opened the config tool and even rebooted post Reg change to be sure. Anyone else seeing this?

  • John said

    Worked with Blair's Fix. Thanks! "To all those that are still having the Greyed out issues after changing the Reg key, change the same permissions\ownership on the following Key: HKCR\Wow6432Node\AppID\{61738644-F196-11D0-9953-00C04FD919C1} and it will un-grey the component."

  • Nate said

    Can't seem to get it to work.

    - Changed ownership of the regkey to Administrators & granted full permissions.
    - Restarted dcomcnfg, but options are still all grayed out.
    - Also tried restarting DCOM and IIS, but no luck.

    I'm rather stumped here. Any suggestions would be greatly appreciated.
    Thanks in advance!

  • Vandross said

    Hello All,

    as Khocha posted on Dec 15 2010 at 9:21 AM ...

    BTW solving this problem starts giving a similar error in System Log for CLSID {000C101C-0000-0000-C000-000000000046} unfortunately, the approach described above does not help with the new error

    I have the same Problem here. The CLSID {000C101C-0000-0000-C000-000000000046} - Error cant be solved.

    I am wondering if anyone else has experienced the same ?

    Thank you in advance

  • cash advance said

    This is the major second I have glimpsed your content and do reminiscent of to state to you – it is in reality satisfying to observer and I greeting your hard work. But if you did it in an undemanding procedure that would be actually pleasing. But over all I exceedingly proposed you and assured will contain up for more mails like this. articulate thankfulness you so much.

Add a Comment

AWS Tracker

About Wictor...

Wictor Wilén is a Director and SharePoint Architect working at Connecta AB. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for four consecutive years.

And a word from our sponsors...

SharePoint 2010 Web Parts in Action