VNC Deployment Wizard: How to troubleshoot Access Denied error.


VNC Deployment Wizard: How to troubleshoot Access Denied error.

Author
Message
Yury Averkiev (s-code)
View Quick Profile

Supreme Being
Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)

Group: Administrators
Last Active: 3 days ago @ 6:45 PM
Posts: 1.9K, Visits: 3.5K
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered a valid administrative logon credentials
  • and in case if you are deploying to a Windows XP based computer, that the simplified file sharing is turned off

Then you should check that Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default but some software might turn it off).

To do so you should open Component Services snap-in. Start->Administrative Tools->Component Services.
When snap-in is running in the left tree navigate to: Console Root->Component Services->Computers->My Computer and select Properties command.
(you must run the snap-in on the computer you are trying to deploy to. Or you can also connect to the computer remotely by running New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


The credit for sending this information to us goes to Dave Hansen.

http://www.s-code.com/App_Themes/Default/images/blue_line.gif
Kindest Regards,
SmartCode Solutions Support

Yury Averkiev (s-code)
View Quick Profile

Supreme Being
Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)

Group: Administrators
Last Active: 3 days ago @ 6:45 PM
Posts: 1.9K, Visits: 3.5K
The following article explains how to manage DCOM settings using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx

http://www.s-code.com/App_Themes/Default/images/blue_line.gif
Kindest Regards,
SmartCode Solutions Support
graemelucas
View Quick Profile

Supreme Being
Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)

Group: Forum Members
Last Active: 6 Years Ago
Posts: 72, Visits: 131
I am having difficulty applying DCOM settings via group policy.

I can adjust ACL settings in group policy, but cannot seem to find instructions on enabling DCOM via Group Policy.

Our network has about 800 PC's, about 15% of which has DCOM Disabled.

Is there a way of enabling DCOM via group policy, rather than visiting each machine individually?

I've read through the article linked in the previous post, this only seems to be discussing the two ACL settings in Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Also windows firewall is off on all machines (set by group policy) so haven't adjusted the firewall settings in Group Policy > Computer Configuration > Administrative Templates > Network > Network Configuration > Windows Firewall > xx Profile.

I've found a Distributed COM setting in Group Policy > Computer Configuration > Administrative Templates >  System > Distrubuted COM but nothing seems to allow me to enable DCOM on the machine.

Thanks in advance,

Graeme Lucas

Regards,

Graeme Lucas BigGrin

Yury Averkiev (s-code)
View Quick Profile

Supreme Being
Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)

Group: Administrators
Last Active: 3 days ago @ 6:45 PM
Posts: 1.9K, Visits: 3.5K
From this page: http://technet2.microsoft.com/windowsserver/en/library/a940a24d-34c2-471c-89e5-d9f1500374c91033.mspx?mfr=true

To delegate access to Group Policy Results
1.  Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
2.  Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
     DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
     DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

 
 


http://www.s-code.com/App_Themes/Default/images/blue_line.gif
Kindest Regards,
SmartCode Solutions Support
graemelucas
View Quick Profile

Supreme Being
Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)Supreme Being (7.6K reputation)

Group: Forum Members
Last Active: 6 Years Ago
Posts: 72, Visits: 131
Hi,

that entire document is referring to windows firewall exceptions, which as mentioned in my previous post we have disabled via group policy so I figured it doesn't apply?

The two policy settings;

DCOM: Machine access restrictions…

DCOM: Machine launch restrictions…

only seem to refer to the actual ACL settings, but not the 'master on off switch'.

As we do not use windows firewall, the other group policy setting doesn't seem to apply.

The closest thing I've found is to modify the registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

applying that fixes the issue as it turned dcom on at the 'top' level (after a reboot), but I cannot seem to do this via group policy, and applying the available group policy changed still doesn't turn on dcom.

Also to further expand the above registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

that turns on DCOM AND sets the appropriate ACL settings, it works, but it's not a group policy solution, which is what we really need!

back to the drawing board? any suggestions? Wink

Regards,

Graeme Lucas BigGrin

mnhim
View Quick Profile

Supreme Being
Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)Supreme Being (1.9K reputation)

Group: Forum Members
Last Active: 8 Years Ago
Posts: 11, Visits: 11
Let me know if you have a solution for this.
Yury Averkiev (s-code)
View Quick Profile

Supreme Being
Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)

Group: Administrators
Last Active: 3 days ago @ 6:45 PM
Posts: 1.9K, Visits: 3.5K
Let me know if you have a solution for this.

In case if your the VNC Manager on Vista with UAC enabled, there is one more possible cause for Access Denied error:
Please take a look here:
http://www.s-code.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=19

http://www.s-code.com/App_Themes/Default/images/blue_line.gif
Kindest Regards,
SmartCode Solutions Support
captain
View Quick Profile

Supreme Being
Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)

Group: Forum Members
Last Active: 2 Years Ago
Posts: 12, Visits: 31
Yury Averkiev (s-code) (3/7/2006)
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered a valid administrative logon credentials
  • and in case if you are deploying to a Windows XP based computer, that the simplified file sharing is turned off
Then you should check that Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default but some software might turn it off).

To do so you should open Component Services snap-in. Start->Administrative Tools->Component Services.
When snap-in is running in the left tree navigate to: Console Root->Component Services->Computers->My Computer and select Properties command.
(you must run the snap-in on the computer you are trying to deploy to. Or you can also connect to the computer remotely by running New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


Any other configuration needed in xp?

I cannot install vnc viewer on a xp computer that error takes 'error code 5'

imagination is more important than knowledge
Yury Averkiev (s-code)
View Quick Profile

Supreme Being
Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)Supreme Being (193.8K reputation)

Group: Administrators
Last Active: 3 days ago @ 6:45 PM
Posts: 1.9K, Visits: 3.5K
Captain, could you send the content of the log window? 

http://www.s-code.com/App_Themes/Default/images/blue_line.gif
Kindest Regards,
SmartCode Solutions Support
captain
View Quick Profile

Supreme Being
Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)Supreme Being (2.1K reputation)

Group: Forum Members
Last Active: 2 Years Ago
Posts: 12, Visits: 31
Yury Averkiev (s-code) (3/16/2015)
Captain, could you send the content of the log window? 


Failed to install SmartCode UltraVNC. The following error was returned: Failed to open network connection. Error code: 5 Access is denied. 


imagination is more important than knowledge


Similar Topics


Reading This Topic