Microsoft KB Archive/931355


Article ID: 931355

Article Last Modified on 4/24/2007


  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)


On a computer that is running Microsoft Windows Server 2003 with Service Pack 1 (SP1), an event that resembles the following may be logged in the System log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: Date
Time: Time
User: Network services

Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {AppGUID} to the user User_Name SID User_SID. This security permission can be modified using the Component Services administrative tool.


This issue may occur if the netman component in DCOM does not have the following permissions:

  • Remote Launch
  • Local Activation
  • Remote Activation


To resolve this issue, grant the permissions that are mentioned in the "Cause" section to the netman component in DCOM. To do this, follow these steps:

  1. Click Start, click Run, type dcomcnfg, and then click OK.
  2. In Component Services, double-click Component Services, and then double-click Computers.
  3. Expand My Computer, expand DCOM Config, and then click netman in the DCOM Config node.
  4. Right-click netman, and then click Properties.
  5. In the netman Properties dialog box, click the Security tab.
  6. Under Launch and Activation Permissions, click Edit.
  7. In the Launch Permission dialog box, click Add.
  8. In the Enter the object names to select box, type Network Service, and then click OK.
  9. While Network Service is selected, click to select the Allow check boxes for the following items:
    • Remote Launch
    • Local Activation
    • Remote Activation
  10. Click OK two times.
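To confirm the result of these steps offline, the following added example (not part of the original article) decodes a launch-permission security descriptor and lists which of the three rights an account still lacks. COM stores the per-application setting as a binary security descriptor in the LaunchPermission value under the application's AppID registry key; the sample bytes and all function names here are constructed for illustration.

```python
import struct

# COM launch/activation access-mask bits (the COM_RIGHTS_* constants).
COM_RIGHTS = {0x02: "Local Launch", 0x04: "Remote Launch",
              0x08: "Local Activation", 0x10: "Remote Activation"}
REQUIRED = ("Remote Launch", "Local Activation", "Remote Activation")
NETWORK_SERVICE = "S-1-5-20"  # well-known SID of the Network Service account

# Constructed sample (not taken from a real system): a self-relative
# descriptor with no owner or group and a DACL holding two allow ACEs.
SAMPLE_SD = bytes.fromhex(
    "0100048000000000000000000000000014000000"  # header, DACL at offset 20
    "0200340002000000"                          # ACL header: 52 bytes, 2 ACEs
    "0000140003000000010100000000000514000000"  # allow S-1-5-20, mask 0x03
    "000018001f00000001020000000000052000000020020000")  # allow S-1-5-32-544

def sid_to_str(raw):
    """Render a binary SID as S-R-A-S1-S2..."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def com_rights_for(sd, sid=NETWORK_SERVICE):
    """Map each COM right to True/False for ACEs that name `sid` directly.
    Rights inherited through group membership are not resolved here."""
    control, = struct.unpack_from("<H", sd, 2)
    dacl_off, = struct.unpack_from("<I", sd, 16)
    if not (control & 0x8000 and control & 0x0004 and dacl_off):
        raise ValueError("need a self-relative descriptor with a DACL")
    ace_count, = struct.unpack_from("<H", sd, dacl_off + 4)
    pos, allow, deny = dacl_off + 8, 0, 0
    for _ in range(ace_count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, pos)
        if size < 8 or pos + size > len(sd):
            raise ValueError("truncated or malformed ACE")
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            mask, = struct.unpack_from("<I", sd, pos + 4)
            if sid_to_str(sd[pos + 8:pos + size]) == sid:
                if ace_type == 0:
                    allow |= mask
                else:
                    deny |= mask
        pos += size
    granted = allow & ~deny  # an explicit deny overrides an allow
    return {name: bool(granted & bit) for bit, name in COM_RIGHTS.items()}

def missing_rights(sd, sid=NETWORK_SERVICE):
    """Rights from the list above that `sid` is not granted."""
    rights = com_rights_for(sd, sid)
    return [name for name in REQUIRED if not rights[name]]
```

An empty list from missing_rights means the account holds all three rights; the constructed sample returns all three names because its Network Service entry carries only Local Launch.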


DCOM security enhancements in Windows Server 2003 SP1

Microsoft Windows operating systems that are based on the Microsoft Windows NT kernel rely on remote procedure call (RPC) services to run. These operating systems include Microsoft Windows XP and Windows Server 2003. DCOM gives users a convenient way to use RPC services to distribute COM applications across their networks.

Windows Server 2003 SP1 helps enhance security in DCOM and RPC. RPC with DCOM lets you start or call a program on another computer. However, this ability makes RPC more vulnerable to malicious users. To help defend against this vulnerability, Windows Server 2003 SP1 verifies every program call against a computer-wide discretionary access control list (DACL). This process provides a minimum authorization standard for all program calls on a computer. The process does this by maintaining a list of users who have and do not have permission to access a system service.

Although many COM applications include some security-specific code, they may use weak settings. Therefore, the settings may grant unauthenticated access to a process. In earlier versions of Windows Server 2003, an administrator cannot override these settings to strengthen security.

The enhanced DCOM computer restriction settings that are included in Windows Server 2003 SP1 help administrators control incoming calls that use DCOM.

For more information about the DCOM security enhancements that are included in Windows Server 2003 SP1, visit the following Microsoft Web site:

Additional query words: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
