VNC Deployment Wizard: How to troubleshoot Access Denied error.


Yury Averkiev (s-code)
Supreme Being (214K reputation)
Group: Administrators
Posts: 1.9K, Visits: 3.6K
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered valid administrative logon credentials
  • and, if you are deploying to a Windows XP based computer, that simplified file sharing is turned off

then you should check that the Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default, but some software might turn it off).

To do so, open the Component Services snap-in: Start->Administrative Tools->Component Services.
When the snap-in is running, navigate in the left tree to Console Root->Component Services->Computers->My Computer and select the Properties command.
(You must run the snap-in on the computer you are trying to deploy to, or you can connect to the computer remotely by running the New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


The credit for sending this information to us goes to Dave Hansen.

Regards,

Yury Averkiev, SmartCode

Yury Averkiev (s-code)
Supreme Being (214K reputation)
Group: Administrators
Posts: 1.9K, Visits: 3.6K
The following article explains how to manage DCOM settings using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx

Regards,
Yury Averkiev, SmartCode

graemelucas
Supreme Being (8.2K reputation)
Group: Forum Members
Posts: 73, Visits: 131
I am having difficulty applying DCOM settings via group policy.

I can adjust ACL settings in group policy, but cannot seem to find instructions on enabling DCOM via Group Policy.

Our network has about 800 PCs, about 15% of which have DCOM disabled.

Is there a way of enabling DCOM via group policy, rather than visiting each machine individually?

I've read through the article linked in the previous post, this only seems to be discussing the two ACL settings in Group Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Also windows firewall is off on all machines (set by group policy) so haven't adjusted the firewall settings in Group Policy > Computer Configuration > Administrative Templates > Network > Network Configuration > Windows Firewall > xx Profile.

I've found a Distributed COM setting in Group Policy > Computer Configuration > Administrative Templates > System > Distributed COM, but nothing seems to allow me to enable DCOM on the machine.

Thanks in advance,

Graeme Lucas

Regards,

Graeme Lucas

Yury Averkiev (s-code)
Supreme Being (214K reputation)
Group: Administrators
Posts: 1.9K, Visits: 3.6K
From this page: http://technet2.microsoft.com/windowsserver/en/library/a940a24d-34c2-471c-89e5-d9f1500374c91033.mspx?mfr=true

To delegate access to Group Policy Results
1.  Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
2.  Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
     DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
     DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

 
 


Regards,
Yury Averkiev, SmartCode

graemelucas
Supreme Being (8.2K reputation)
Group: Forum Members
Posts: 73, Visits: 131
Hi,

that entire document is referring to windows firewall exceptions, which as mentioned in my previous post we have disabled via group policy so I figured it doesn't apply?

The two policy settings;

DCOM: Machine access restrictions…

DCOM: Machine launch restrictions…

only seem to refer to the actual ACL settings, but not the 'master on off switch'.

As we do not use windows firewall, the other group policy setting doesn't seem to apply.

The closest thing I've found is to modify the registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

Applying that fixes the issue, as it turned DCOM on at the 'top' level (after a reboot), but I cannot seem to do this via group policy, and applying the available group policy changes still doesn't turn on DCOM.

Also to further expand the above registry setting;

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

that turns on DCOM AND sets the appropriate ACL settings, it works, but it's not a group policy solution, which is what we really need!

back to the drawing board? any suggestions?

Regards,

Graeme Lucas
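
What the MachineLaunchRestriction and MachineAccessRestriction values in the .reg export above grant, decoded as an added example (not part of the original post and not SmartCode's code): it parses each self-relative security descriptor and names the COM rights in every ACE. The function names and the SID and rights lookup tables are this example's own, and only plain allow/deny ACEs are handled.

```python
import struct

# COM_RIGHTS_* access-mask bits (Windows SDK) and well-known SIDs seen below.
COM_RIGHTS = {1: "EXECUTE", 2: "EXECUTE_LOCAL", 4: "EXECUTE_REMOTE",
              8: "ACTIVATE_LOCAL", 16: "ACTIVATE_REMOTE"}
SID_NAMES = {"S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON",
             "S-1-5-32-544": "BUILTIN\\Administrators"}

# Values copied from the .reg export in the post above.
MACHINE_LAUNCH = r"""hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00"""
MACHINE_ACCESS = r"""hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00"""

def reg_hex(text):  # strip "hex:" and the "\" line continuations, then decode
    body = text.split("hex:", 1)[-1].replace("\\", "")
    return bytes(int(b, 16) for b in body.split(",") if b.strip())

def parse_sid(buf, off):  # revision, count, 48-bit BE authority, LE sub-authorities
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % buf[off + 1], buf, off + 8)
    return "-".join(map(str, ("S", buf[off], authority) + subs))

def parse_dacl(sd):
    """Return [(type, trustee, [rights])] for a self-relative security descriptor."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl = struct.unpack_from("<BBHIIII", sd)
    if not (control & 0x8000 and control & 0x0004 and dacl):
        raise ValueError("expected SE_SELF_RELATIVE with SE_DACL_PRESENT")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    aces, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type not in (0, 1) or off + ace_size > dacl + acl_size:
            raise ValueError("unsupported or malformed ACE at offset %d" % off)
        sid = parse_sid(sd, off + 8)
        rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
        aces.append(("ALLOW" if ace_type == 0 else "DENY", SID_NAMES.get(sid, sid), rights))
        off += ace_size
    return aces

if __name__ == "__main__":
    for name, value in (("launch", MACHINE_LAUNCH), ("access", MACHINE_ACCESS)):
        print(name, parse_dacl(reg_hex(value)))
```

Decoded this way, the launch restriction gives Administrators every right while Everyone gets only local launch and local activation, which is worth confirming before the values are pushed to a large number of machines.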

mnhim
Supreme Being (2K reputation)
Group: Forum Members
Posts: 11, Visits: 11
Let me know if you have a solution for this.
Yury Averkiev (s-code)
Supreme Being (214K reputation)
Group: Administrators
Posts: 1.9K, Visits: 3.6K
Let me know if you have a solution for this.

In case you are running the VNC Manager on Vista with UAC enabled, there is one more possible cause for the Access Denied error:
Please take a look here:
http://www.s-code.com/kayako/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=19

Regards,
Yury Averkiev, SmartCode

captain
Supreme Being (2.3K reputation)
Group: Forum Members
Posts: 12, Visits: 32
Yury Averkiev (s-code) (3/7/2006)
If you are receiving an Access Denied error while running the VNC Deployment Wizard and
  • you are sure that you entered valid administrative logon credentials
  • and, if you are deploying to a Windows XP based computer, that simplified file sharing is turned off

then you should check that the Allow Distributed COM setting is enabled on the computer you are trying to deploy to (it's enabled by default, but some software might turn it off).

To do so, open the Component Services snap-in: Start->Administrative Tools->Component Services.
When the snap-in is running, navigate in the left tree to Console Root->Component Services->Computers->My Computer and select the Properties command.
(You must run the snap-in on the computer you are trying to deploy to, or you can connect to the computer remotely by running the New->Computer context menu command available for the Console Root->Component Services->Computers tree node.)


Any other configuration needed in xp?

I cannot install VNC viewer on an XP computer; the error is 'error code 5'.

imagination is more important than knowledge
Yury Averkiev (s-code)
Supreme Being (214K reputation)
Group: Administrators
Posts: 1.9K, Visits: 3.6K
Captain, could you send the content of the log window? 

Regards,
Yury Averkiev, SmartCode

captain
Supreme Being (2.3K reputation)
Group: Forum Members
Posts: 12, Visits: 32
Yury Averkiev (s-code) (3/16/2015)
Captain, could you send the content of the log window? 


Failed to install SmartCode UltraVNC. The following error was returned: Failed to open network connection. Error code: 5 Access is denied. 


imagination is more important than knowledge