VNC Deployment Wizard: How to troubleshoot Access Denied error.


http://www.s-code.com/forum/Topic746.aspx

By Yury Averkiev (s-code) - Tuesday, March 07, 2006
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered valid administrative logon credentials
  • and, if you are deploying to a Windows XP based computer, that simplified file sharing is turned off

Then you should check that the Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default, but some software might turn it off).

To do so, open the Component Services snap-in: Start->Administrative Tools->Component Services.
When the snap-in is running, in the left tree navigate to Console Root->Component Services->Computers->My Computer and select the Properties command.
(You must run the snap-in on the computer you are trying to deploy to, or you can connect to the computer remotely by running the New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


The credit for sending this information to us goes to Dave Hansen.

By Yury Averkiev (s-code) - Sunday, September 03, 2006
The following article explains how to manage DCOM settings using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx

By graemelucas - Wednesday, January 02, 2008
I am having difficulty applying DCOM settings via group policy.

I can adjust ACL settings in group policy, but cannot seem to find instructions on enabling DCOM via Group Policy.

Our network has about 800 PCs, about 15% of which have DCOM disabled.

Is there a way of enabling DCOM via group policy, rather than visiting each machine individually?

I've read through the article linked in the previous post, this only seems to be discussing the two ACL settings in Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Also, Windows Firewall is off on all machines (set by group policy), so I haven't adjusted the firewall settings in Group Policy > Computer Configuration > Administrative Templates > Network > Network Configuration > Windows Firewall > xx Profile.

I've found a Distributed COM setting in Group Policy > Computer Configuration > Administrative Templates > System > Distributed COM, but nothing seems to allow me to enable DCOM on the machine.

Thanks in advance,

Graeme Lucas

By Yury Averkiev (s-code) - Wednesday, January 02, 2008
From this page: http://technet2.microsoft.com/windowsserver/en/library/a940a24d-34c2-471c-89e5-d9f1500374c91033.mspx?mfr=true

To delegate access to Group Policy Results
1.  Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
2.  Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
     DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
     DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

 
 
By graemelucas - Tuesday, January 08, 2008
Hi,

That entire document is referring to Windows Firewall exceptions, which, as mentioned in my previous post, we have disabled via group policy, so I figured it doesn't apply?

The two policy settings;

DCOM: Machine access restrictions…

DCOM: Machine launch restrictions…

only seem to refer to the actual ACL settings, but not the 'master on off switch'.

As we do not use Windows Firewall, the other group policy setting doesn't seem to apply.

The closest thing I've found is to modify the registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

Applying that fixes the issue, as it turned DCOM on at the 'top' level (after a reboot), but I cannot seem to do this via group policy, and applying the available group policy changes still doesn't turn on DCOM.

Also to further expand the above registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

That turns on DCOM AND sets the appropriate ACL settings. It works, but it's not a group policy solution, which is what we really need!

Back to the drawing board? Any suggestions? ;)
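
Added example, not part of the thread and not posted by any participant: a Python decoder for the binary security descriptors in the .reg export above, so the ACLs can be read before the file is pushed to many machines. The function names are this example's own; the two hex values are copied from the post.

```python
import re
import struct
REG_TEXT = r'''
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
'''  # two values copied verbatim from the .reg export in the post above
COM_RIGHTS = {1: "EXECUTE", 2: "EXECUTE_LOCAL", 4: "EXECUTE_REMOTE",
              8: "ACTIVATE_LOCAL", 16: "ACTIVATE_REMOTE"}  # COM_RIGHTS_* mask bits

def reg_hex_values(text):
    """Map each "name"=hex:... value to bytes, joining backslash continuations."""
    joined = re.sub(r"\\\s*", "", text)
    return {m[1]: bytes.fromhex(m[2].replace(",", ""))
            for m in re.finditer(r'"([^"]+)"=hex:([0-9a-fA-F,]+)', joined)}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    count, authority = buf[off + 1], int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(map(str, ("S", buf[off], authority, *subs)))

def dacl_entries(sd):
    """Return (kind, sid, rights) for each ACE of a self-relative descriptor."""
    control, dacl_off = struct.unpack_from("<2xH12xI", sd)  # Control, Dacl offset
    if not control & 0x0004 or not dacl_off:  # SE_DACL_PRESENT clear or no offset
        raise ValueError("descriptor has no DACL; review it by hand")
    off, out = dacl_off + 8, []               # first ACE follows the 8-byte ACL header
    for _ in range(struct.unpack_from("<H", sd, dacl_off + 4)[0]):  # AceCount
        ace_type, ace_size, mask = struct.unpack_from("<BxHI", sd, off)
        kind = {0: "ALLOW", 1: "DENY"}.get(ace_type, hex(ace_type))
        rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
        out.append((kind, parse_sid(sd, off + 8), rights))
        off += ace_size
    return out

def remote_grants(sd):
    """SIDs that an ALLOW ACE gives any *_REMOTE right (the network exposure)."""
    return sorted({sid for kind, sid, rights in dacl_entries(sd)
                   if kind == "ALLOW" and any(r.endswith("_REMOTE") for r in rights)})

print({name: remote_grants(blob) for name, blob in reg_hex_values(REG_TEXT).items()})
```

For these two values the decoder reports remote launch and activation granted only to S-1-5-32-544 (BUILTIN\Administrators) and remote access granted to S-1-1-0 (Everyone). Running the same check on any other exported value shows what an opaque hex ACL grants before it is imported.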

By mnhim - Thursday, November 13, 2008
Let me know if you have a solution for this.

By Yury Averkiev (s-code) - Thursday, November 13, 2008

If you are running the VNC Manager on Vista with UAC enabled, there is one more possible cause for the Access Denied error.
Please take a look here:
http://www.s-code.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=19