 
From: Owen T. Cunningham (cunninghamOWEN-T.COM)
Date: Wed Jan 16 2002 - 08:50:54 CST


    I think the SYSTEM account needs to be granted access permissions to the
    object as well.

    -----Original Message-----
    From: Distributed COM-Based Code [mailto:DCOMDISCUSS.MICROSOFT.COM] On
    Behalf Of Mark Freeman
    Sent: Wednesday, January 16, 2002 7:10 AM
    To: DCOMDISCUSS.MICROSOFT.COM
    Subject: Re: 0x80070005 (accessdenied) on W2K

    Dump of the Dcomcnfg settings and the event log. It seems the client can
    launch the server but CCIEX returns 0x80070005.

    Dcomcnfg settings:
            Authentication Level: Default (connect)
            Impersonation Level: Identify
            Identity: JEMMAC\Administrator

            Access Permissions:
                            Administrator: Allow Access
                            MFREEMAN: Allow Access

            Launch Permissions:
                            Administrator: Allow Launch
                            MFREEMAN: Allow Launch

    After turning on auditing, I got the following trace in the security
    event log:

    1.
    A new process has been created:
            New Process ID: 4280710688
            Image File Name: \dcomsvr\bin\DCOMCli.exe
            Creator Process ID: 4281658720
            User Name: MFREEMAN
            Domain: JEMMAC
            Logon ID: (0x0,0x18B214)

    2.
    Successful Logon:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA933F7)
            Logon Type: 4
            Logon Process: Advapi
            Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name: SALFORD

    3.
    Special privileges assigned to new logon:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA933F7)
            Assigned: SeAssignPrimaryTokenPrivilege
                            SeChangeNotifyPrivilege
                            SeBackupPrivilege
                            SeRestorePrivilege
                            SeDebugPrivilege

    4.
    User Logoff:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA933F7)
            Logon Type: 4

    5.
    A new process has been created:
            New Process ID: 4280912288
            Image File Name: \dcomsvr\bin\DCOMSvr.exe
            Creator Process ID: 2225542400
            User Name: SALFORD$
            Domain: JEMMAC
            Logon ID: (0x0,0x3E7)

    6.
    Successful Logon:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA93696)
            Logon Type: 4
            Logon Process: Advapi
            Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name: SALFORD

    7.
    Special privileges assigned to new logon:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA93696)
            Assigned: SeAssignPrimaryTokenPrivilege
                            SeChangeNotifyPrivilege
                            SeBackupPrivilege
                            SeRestorePrivilege
                            SeDebugPrivilege

    8.
    User Logoff:
            User Name: Administrator
            Domain: JEMMAC
            Logon ID: (0x0,0xA93696)
            Logon Type: 4

    9.
    A process has exited:
            Process ID: 2192
            User Name: MFREEMAN
            Domain: JEMMAC
            Logon ID: (0x0,0x18B214)

    Thanks again,

    Mark.

    -----Original Message-----
    From: Distributed COM-Based Code [mailto:DCOMDISCUSS.MICROSOFT.COM] On
    Behalf Of Owen T. Cunningham
    Sent: Wednesday, January 16, 2002 5:19 AM
    To: DCOMDISCUSS.MICROSOFT.COM
    Subject: Re: 0x80070005 (accessdenied) on W2K

    (a) Can you post your exact DCOMCNFG settings?

    (b) Try enabling auditing on the W2k box to see the reason for the
    failure.

    -----Original Message-----
    From: Distributed COM-Based Code [mailto:DCOMDISCUSS.MICROSOFT.COM] On
    Behalf Of Mark Freeman
    Sent: Tuesday, January 15, 2002 10:44 AM
    To: DCOMDISCUSS.MICROSOFT.COM
    Subject: 0x80070005 (accessdenied) on W2K

    Hi,

    I'm experiencing some security related problems connecting to a COM
    server on W2K. The W2K box is within an NT4 domain. The following
    summarises the problem:

    COM server run as <domain>\mfreeman
            Client running as <domain>\mfreeman connects OK (both locally
            and from a remote machine).
            Client running as <domain>\administrator fails to connect (both
            locally and from a remote machine).

    COM server run as <domain>\administrator
            Client running as <domain>\administrator connects OK (both
            locally and from a remote machine).
            Client running as <domain>\mfreeman fails to connect (both
            locally and from a remote machine).

    As you can see, connections can only be made from clients whose identity
    is the same as the server. In both cases, I have used DCOMCNFG to grant
    both access and launch permissions to both <domain>\administrator and
    <domain>\mfreeman. Curiously, if I switch to running the same server on
    an NT4 machine, then everything works just fine!

    I would greatly appreciate any pointers in tracking this down.

    TIA

    Mark Freeman

    mailto:mark.freemanjemmac.com

    ----------------------------------------------------------------
    Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
    contains important info. Save time, search the archives at
    http://discuss.microsoft.com/archives/index.html .
    To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM
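
One way to test the suggestion in the reply at the top of this thread, as an added example that is not part of the original messages: a small Python evaluator that walks a DCOM access-permission DACL in SDDL form, in ACE order, and reports whether a token is allowed `COM_RIGHTS_EXECUTE`. The SIDs and SDDL strings are constructed to mirror the posted Dcomcnfg dump, and the group SIDs placed in the SYSTEM token are an assumption.

```python
import re

# SDDL right codes as they appear in DCOM ACLs -> COM access-mask bits
# (EXECUTE, EXECUTE_LOCAL, EXECUTE_REMOTE, ACTIVATE_LOCAL, ACTIVATE_REMOTE)
COM_RIGHTS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
COM_RIGHTS_EXECUTE = 0x01
# Subset of the well-known SDDL SID aliases
ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "WD": "S-1-1-0", "AU": "S-1-5-11"}
# Assumed SIDs carried by a SYSTEM token: SYSTEM, Administrators, Everyone, Authenticated Users
SYSTEM_TOKEN = {"S-1-5-18", "S-1-5-32-544", "S-1-1-0", "S-1-5-11"}

def parse_mask(rights):
    """The rights field is either hex (0x1) or concatenated two-letter codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= COM_RIGHTS[rights[i:i + 2]]  # KeyError on a code outside the COM set
    return mask

def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, mask, sid), or None if absent."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return None
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append((ace_type, parse_mask(rights), ALIASES.get(sid, sid)))
    return aces

def access_granted(sddl, token_sids, desired=COM_RIGHTS_EXECUTE):
    """Ordered ACE walk: a matching deny on a still-ungranted bit ends the check."""
    aces = parse_dacl(sddl)
    if aces is None:
        return True  # NULL DACL grants everyone; an empty DACL grants no one
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & desired & ~granted:
            return False
        if ace_type == "A":
            granted |= mask
        if granted & desired == desired:
            return True
    return False

# Constructed SIDs standing in for JEMMAC\Administrator and JEMMAC\MFREEMAN
ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-500"
MFREEMAN = "S-1-5-21-1111111111-2222222222-3333333333-1105"
# Access Permissions as listed in the dump: two allow ACEs, none for SYSTEM
AS_POSTED = f"O:BAG:BAD:(A;;CC;;;{ADMIN})(A;;CC;;;{MFREEMAN})"
WITH_SYSTEM = AS_POSTED + "(A;;CC;;;SY)"
```

`access_granted(AS_POSTED, SYSTEM_TOKEN)` is false and `access_granted(WITH_SYSTEM, SYSTEM_TOKEN)` is true, which is the difference the reply proposes testing.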
