Microsoft KB Archive/914047

= Error message if you select a Windows Server 2003 Service Pack 1-based domain controller when you use the Group Policy Modeling Wizard: "Access is denied" =

Article ID: 914047

Article Last Modified on 10/26/2007


APPLIES TO

Microsoft Windows Server 2003 SP1, when used with:
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition


SYMPTOMS
If you select a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller when you use the Group Policy Modeling Wizard in the Group Policy Management Console (GPMC), you may receive the following error message:

Access is denied.

This problem occurs if one or more of the following conditions are true:
 * You are not logged on to the local computer by using the administrator account.
 * The administrator has delegated control of the following Resultant Set of Policy (RSoP) tasks in Active Directory:
 ** Generate Resultant Set of Policy (logging)
 ** Generate Resultant Set of Policy (planning)


CAUSE
This problem occurs because the default Component Object Model (COM) permissions have been changed in Windows Server 2003 SP1. The Windows Server 2003 SP1 COM permissions restrict remote calls that are not authenticated. Therefore, a COM program may work locally, but remote calls that are not authenticated fail.


RESOLUTION
To resolve this problem, use one of the following methods.

Method 1: Few domain controllers in the domain

 * 1) Click Start, click Run, type <Drive>:\WINDOWS\system32\Com\comexp.msc, and then click OK.

Note: <Drive> is a placeholder for the drive where Windows is installed.
 * 2) In the left pane, expand Component Services, and then expand Computers.
 * 3) Right-click My Computer, and then click Properties.
 * 4) On the COM Security tab, click Edit Limits in the Launch and Activation Permissions field.
 * 5) Click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
 * 6) Click OK two times.

Method 2: Many domain controllers in the domain

 * 1) Create a new Group Policy on the domain controller's organizational unit (OU).
 * 2) In the Domain Controllers Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
 * 3) In the list of available policies, double-click DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax.
 * 4) Click Edit Security, click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
 * 5) Click OK two times.
 * 6) Exit Group Policy Object Editor.
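
Method 2 stores the launch limits as an SDDL string, so the result of the change can be reviewed as text. The following is an added example, not part of the Microsoft article: it decodes such a string and lists which trustees hold Remote Activation, flagging broad groups. The sample SDDL value and the SID in it are constructed for illustration.

```python
import re

# COM launch/activation bits and the two-letter SDDL tokens that encode them.
COM_RIGHTS = {
    "CC": 0x01,  # Execute
    "DC": 0x02,  # Local Launch
    "LC": 0x04,  # Remote Launch
    "SW": 0x08,  # Local Activation
    "RP": 0x10,  # Remote Activation
}
ACTIVATE_REMOTE = 0x10
# SDDL aliases of groups that are broad for a remote right on a domain controller.
BROAD = {"WD": "Everyone", "AN": "Anonymous Logon", "AU": "Authenticated Users"}
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample value (not taken from a real system).
SAMPLE_SDDL = ("O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
               "(A;;0x1f;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "(A;;CCDCLCSWRP;;;AU)")

def parse_mask(rights):
    """Convert an SDDL rights field (hex such as 0x1f, or token pairs) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= COM_RIGHTS[rights[i:i + 2]]  # KeyError on a token COM does not use
    return mask

def parse_aces(sddl):
    """Return (type, mask, trustee) for each allow (A) or deny (D) ACE."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) >= 6 and fields[0] in ("A", "D"):
            aces.append((fields[0], parse_mask(fields[2]), fields[5]))
    return aces

def remote_activation_report(sddl):
    """Return (trustees allowed Remote Activation, names of the broad ones).

    A deny ACE removes the same trustee only; group membership is not resolved.
    """
    aces = parse_aces(sddl)
    denied = {t for kind, mask, t in aces if kind == "D" and mask & ACTIVATE_REMOTE}
    allowed = [t for kind, mask, t in aces
               if kind == "A" and mask & ACTIVATE_REMOTE and t not in denied]
    return allowed, [BROAD[t] for t in allowed if t in BROAD]

if __name__ == "__main__":
    print(remote_activation_report(SAMPLE_SDDL))
```
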


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

892500 Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1

For more information, visit the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/bb457154.aspx

Technical support for x64-based versions of Microsoft Windows
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx


© Microsoft Corporation. All rights reserved.