Easy Fix for DCOM Permissions Errors with PowerShell
There is no doubt that in working with various applications, you have ran into issues with Distributed COM or DCOM as it is more commonly known. DCOM can be a bear to troubleshoot and resolve issues with in an environement for various applications. One of the common issues with DCOM that you may see in a Windows event log is permissions issues related to an application object. Resolving DCOM permissions issues can be tedious and require a good deal of manual effort to fix. However, I wanted to shed light on an easy way to easily fix DCOM permissions errors using Powershell. Let’s see how.
What is Distributed COM or DCOM?
Distrubuted COM or DCOM allows a computerto run applications over the network connected to a different server node and run them as if it is running locally. This is a Microsoft construct that allows COM objects to communicate over the network. For DCOM to work, it must be configured to work between the two computers in the DCOM network conversation. There are 3 identifiers involved including CLSID, PROGID, and APPID.
DCOM Permissions Errors
As detailed in the Microsoft KB here, these 10016 events are recorded when Microsoft components tries to access DCOM components without the required permissions. In this case, this is expected and by design.
A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it does not skip the first attempt is because there are scenarios where it can succeed. In those scenarios, that is preferable.
Easy Fix for DCOM Permissions Errors with PowerShell
PowerShell is such a great way to easily resolve issues for IT operations that may have taken hours or longer to resolve before. When it comes to DCOM permissions, PowerShell comes to the rescue here as well.
First of all, most likely you have seen this type of error many times when needing to fix permissions with DCOM, but for example purposes, below is a screenshot of a DCOM error that may present itself in your environment related to improper permissions being assigned to the appID.
Typically, you would have to launch the DCOM config utility with dcomcnfg and browse to and find the application ID, and add permissions using the DCOM config app. This can be cumbersome and tedious to do.
Grant, Revoke, Get DCOM permissions using PowerShell
If you are looking for a way to easily repair or add permissions that are at the heart of the event log errors you may be troubleshooting, there is a great script on the TechNet Script Center that allows granting, revoking, and getting DCOM permissions using PowerShell. This is a much easier way to work with permissions in DCOM than using the DCOM config utility.
In the few times I have needed to easily fix DCOM permissions errors, the script has been a really great tool.
Link to the tool:
After downloading the PowerShell module, import the module using the command:
- Import-Module .DCOMPermissions.psm1
To run the command you use the Grant-DCOMPermission cmdlet after importing the module. Basic syntax:
Grant-DCOMPermission -ApplicationID "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}" -Account "<your username>" -Type Launch -Permissions LocalLaunch,LocalActivation -OverrideConfigurationPermissions
Wrapping Up
Another great use case for using PowerShell to quickly and easily resolve permissions issues with DCOM. In fact, it is an Easy Fix for DCOM Permissions Errors with PowerShell. This is a much preferred way to interact with and resolve DCOM permissions issues than using the DCOM config GUI tool. Be sure and check out the Microsoft TechNet Script Center download and use this tool the next time you need to resolve permissions errors on your DCOM objects.
I get a 404 error when trying to download https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Get-DCOM-22da5b96, has this been deleted…???