16 Apr 2007
I’m responsible for a couple of SharePoint 2007 (MOSS) farms where all SharePoint servers showed the following error in the system event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Time: 4:31:48 AM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
to the user <DOMAIN>\sa_adm SID (S-1-5-21-162740987-2502514208-3469184634-1119). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The error would show up at regular intervals in clusters (4-12 at roughly the same time) and there would be a few more with other usernames and other class IDs. I had two fully functional farms with 3 SharePoint servers each and a number of standalone development machines. They all exhibited similar behavior.
The error listed above means that the account running the Central Administration web application is not permitted to activate (instantiate) the IIS WAMREG admin Service object (search the registry for the CLSID to identify it).
Strangely enough I didn’t observe any functional errors in the farms as a result of these errors – nothing seemed amiss (plenty of stuff didn’t work but none directly related to this).
An important note here is that the service users used in the farm are all standard domain accounts and only given additional local rights by the SharePoint installer and Central Administration (The one exception is that “aspnet_regiis -ga IIS_WPG” was executed after SharePoint install and initial configuration).
The following procedure removes the errors from the event log without compromising the entire security setup (yes, assigning administrative rights to the service users would do the trick too) and has been verified by Microsoft consulting services.
On each SharePoint server do the following:
- Click Start, Click Run, type “dcomcnfg” and click ok
- Expand Component Services / Computers / My Computer / DCOM Config
- Right click IIS WAMREG admin Service and choose Properties
- Click the Security tab
- Click Edit under Launch and Activation Permissions
- Click Add
- In the Select Users, Computers or Groups dialog, type computername\WSS_WPG and click OK
- In the Permissions for UserName list, click to select the Allow check box
- Click Ok twice.
- Go back to the main Component Services window, right click the “netman” node and select Properties
- Click the security tab
- Click Edit under Activation Permissions
- Click Add on the Launch Permissions dialog
- Enter “NETWORK SERVICE” in the edit box
- Click Ok
- Enable all the checkboxes for the NETWORK SERVICE
- Click Ok twice
- Finally, run “IISReset”
That should be it!
A few fewer event log errors to worry about – there are plenty left on a reasonably complex SharePoint farm…
As a side note: the above error also shows up with other applications – I’ve heard about it for Exchange servers, and more applications are probably affected. In that case you’ll need to search the registry for the actual DCOM application and assign the rights to another local group (or username as a last resort).
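To see which DCOM applications and which accounts are actually involved before granting anything, the registry search mentioned above can be scripted. The following is an added example, not part of the original post: it groups the 10016 events by CLSID and user and resolves each CLSID to its DCOM application name. The function names are hypothetical, and it assumes PowerShell 3.0 or later (Get-WinEvent) and the English message wording shown in the event above.

```powershell
# Added example: summarize DCOM 10016 errors per COM application and account.
# Assumption: English event text of the form "... CLSID {guid} ... to the user X SID (S-...)".

function ConvertFrom-Dcom10016Message {
    param([string]$Message)
    # CLSID and user are matched separately because the message may wrap between them.
    $clsid = if ($Message -match 'CLSID\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }
    $user = $null; $sid = $null
    # Lazy match so account names containing spaces (NT AUTHORITY\...) are kept whole.
    if ($Message -match 'to the user\s+(.+?)\s+SID\s+\((S-[0-9-]+)\)') {
        $user = $Matches[1]; $sid = $Matches[2]
    }
    [pscustomobject]@{ Clsid = $clsid; User = $user; Sid = $sid }
}

function Resolve-DcomApplication {
    param([string]$Clsid)
    $root = 'Registry::HKEY_CLASSES_ROOT'
    # CLSID\{clsid} carries an AppID value; AppID\{appid} holds the name shown in dcomcnfg.
    $appId = (Get-ItemProperty -LiteralPath "$root\CLSID\$Clsid" -ErrorAction SilentlyContinue).AppID
    if (-not $appId) { return '(no AppID registered)' }
    $name = (Get-ItemProperty -LiteralPath "$root\AppID\$appId" -ErrorAction SilentlyContinue).'(default)'
    if ($name) { $name } else { $appId }
}

function Get-Dcom10016Summary {
    # The provider is "DCOM" on older systems and "Microsoft-Windows-DistributedCOM" on newer ones.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'DCOM' } |
        ForEach-Object { ConvertFrom-Dcom10016Message $_.Message } |
        Where-Object { $_.Clsid } |
        Group-Object Clsid, User |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count       = $_.Count
                Application = Resolve-DcomApplication $first.Clsid
                Clsid       = $first.Clsid
                User        = $first.User
                Sid         = $first.Sid
            }
        } |
        Sort-Object Count -Descending
}

Get-Dcom10016Summary | Format-Table -AutoSize
```

Run it in an elevated session on each SharePoint server; every row names one DCOM application to open in dcomcnfg and the account that was denied, so permissions can be granted to a local group only where the log shows they are needed.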