SmartCode Web Forum

VNC Deployment Wizard: How to troubleshoot Access Denied error.

https://www.s-code.com/forum/Topic746.aspx

By Yury Averkiev (s-code) - 7 Mar 2006

If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered valid administrative logon credentials
  • and, if you are deploying to a Windows XP based computer, that simplified file sharing is turned off

then you should check that the Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default but some software might turn it off).

To do so, open the Component Services snap-in: Start->Administrative Tools->Component Services.
When the snap-in is running, navigate in the left tree to Console Root->Component Services->Computers->My Computer and select the Properties command.
(You must run the snap-in on the computer you are trying to deploy to, or you can connect to the computer remotely by running the New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


The credit for sending this information to us goes to Dave Hansen.

By Yury Averkiev (s-code) - 3 Sep 2006

The following article explains how to manage DCOM settings using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx
By graemelucas - 2 Jan 2008

I am having difficulty applying DCOM settings via group policy.

I can adjust ACL settings in group policy, but cannot seem to find instructions on enabling DCOM via Group Policy.

Our network has about 800 PCs, about 15% of which have DCOM disabled.

Is there a way of enabling DCOM via group policy, rather than visiting each machine individually?

I've read through the article linked in the previous post, this only seems to be discussing the two ACL settings in Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Also windows firewall is off on all machines (set by group policy) so haven't adjusted the firewall settings in Group Policy > Computer Configuration > Administrative Templates > Network > Network Configuration > Windows Firewall > xx Profile.

I've found a Distributed COM setting in Group Policy > Computer Configuration > Administrative Templates > System > Distributed COM but nothing seems to allow me to enable DCOM on the machine.

Thanks in advance,

Graeme Lucas

By Yury Averkiev (s-code) - 2 Jan 2008

From this page: http://technet2.microsoft.com/windowsserver/en/library/a940a24d-34c2-471c-89e5-d9f1500374c91033.mspx?mfr=true

To delegate access to Group Policy Results
1.  Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
2.  Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
     DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
     DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

 
 
By graemelucas - 8 Jan 2008

Hi,

that entire document is referring to windows firewall exceptions, which as mentioned in my previous post we have disabled via group policy so I figured it doesn't apply?

The two policy settings;

DCOM: Machine access restrictions…

DCOM: Machine launch restrictions…

only seem to refer to the actual ACL settings, but not the 'master on off switch'.

As we do not use windows firewall, the other group policy setting doesn't seem to apply.

The closest thing I've found is to modify the registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

Applying that fixes the issue as it turns DCOM on at the 'top' level (after a reboot), but I cannot seem to do this via group policy, and applying the available group policy changes still doesn't turn on DCOM.

Also to further expand the above registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

that turns on DCOM AND sets the appropriate ACL settings, it works, but it's not a group policy solution, which is what we really need!

back to the drawing board? any suggestions? Wink
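
Added example, not part of the original post or of SmartCode's software: before a .reg export like the one above is pushed to many machines, it helps to decode what its binary ACL values grant. This Python code parses the MachineAccessRestriction value quoted in the post as a self-relative security descriptor and lists each ACE's SID and COM rights; the function names are hypothetical.

```python
import struct

# MachineAccessRestriction exactly as exported in the .reg text quoted above.
MACHINE_ACCESS_RESTRICTION = r"""hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00"""

# COM access/launch right bits carried in each ACE's access mask.
COM_RIGHTS = {0x01: "Execute", 0x02: "ExecuteLocal", 0x04: "ExecuteRemote",
              0x08: "ActivateLocal", 0x10: "ActivateRemote"}

def reg_hex_to_bytes(value):
    """Turn a .reg 'hex:..,\\' value (with line continuations) into bytes."""
    body = value.split("hex:", 1)[-1].replace("\\", "").replace("\n", ",")
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())

def parse_sid(buf, off):
    """Format the binary SID at buf[off:] as S-R-A-S1-S2..."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def decode_dcom_acl(sd):
    """Return [(ace_kind, sid, [rights])] for the DACL of a self-relative SD."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x8000 or not control & 0x0004 or dacl == 0:
        raise ValueError("expected a self-relative descriptor with a DACL")
    _arev, _asbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl)
    entries, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_size < 16 or off + ace_size > dacl + acl_size:
            raise ValueError("malformed ACE size")
        kind = {0: "ALLOW", 1: "DENY"}.get(ace_type, f"type{ace_type}")
        rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
        entries.append((kind, parse_sid(sd, off + 8), rights))
        off += ace_size
    return entries

if __name__ == "__main__":
    for kind, sid, rights in decode_dcom_acl(reg_hex_to_bytes(MACHINE_ACCESS_RESTRICTION)):
        print(kind, sid, "+".join(rights))
```

For the quoted value this reports that Anonymous Logon (S-1-5-7) is allowed local access and Everyone (S-1-1-0) is allowed local and remote access, which is what every machine receiving the import would end up with.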

By mnhim - 13 Nov 2008

Let me know if you have a solution for this.
By Yury Averkiev (s-code) - 13 Nov 2008

Let me know if you have a solution for this.

In case you're running the VNC Manager on Vista with UAC enabled, there is one more possible cause for the Access Denied error:
Please take a look here:
http://www.s-code.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=19
By captain - 16 Mar 2015

Yury Averkiev (s-code) (3/7/2006)
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered valid administrative logon credentials
  • and, if you are deploying to a Windows XP based computer, that simplified file sharing is turned off
then you should check that the Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default but some software might turn it off).

To do so, open the Component Services snap-in: Start->Administrative Tools->Component Services.
When the snap-in is running, navigate in the left tree to Console Root->Component Services->Computers->My Computer and select the Properties command.
(You must run the snap-in on the computer you are trying to deploy to, or you can connect to the computer remotely by running the New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


Any other configuration needed in xp?

I cannot install VNC viewer on an XP computer; the error it gives is 'error code 5'.
By Yury Averkiev (s-code) - 16 Mar 2015

Captain, could you send the content of the log window? 
By captain - 16 Mar 2015

Yury Averkiev (s-code) (3/16/2015)
Captain, could you send the content of the log window? 


Failed to install SmartCode UltraVNC. The following error was returned: Failed to open network connection. Error code: 5 Access is denied. 
By Yury Averkiev (s-code) - 16 Mar 2015

Are you able to open \\remotecomputer\admin$ in the Windows Explorer? 
By captain - 17 Mar 2015

Yury Averkiev (s-code) (3/16/2015)
Are you able to open \\remotecomputer\admin$ in the Windows Explorer? 

I'm able to connect to "\\remotecomputer"; it shows just printers.

In the case of "\\remotecomputer\admin$" it asks for a username and password, and I typed the correct logins but then cannot connect with it.

But I'm able to remote desktop connection without any problem with this computer
By Yury Averkiev (s-code) - 17 Mar 2015

Well, at least it proves that the Deployment Wizard is not to blame.

By default it opens connection to "\\remotecomputer\admin$". Most likely your GPOs prohibit access to admin shares. You might want to talk to your IT admins regarding this.
By captain - 17 Mar 2015

Thanks for your reply.. I have successfully installed it Smile
By Yury Averkiev (s-code) - 17 Mar 2015

Great!

For the benefit of others, what did you have to change to allow access to the admin$ share?
By captain - 17 Mar 2015

It was very simple: the admin credential to access it was different and I didn't know.