Re: Permission Denied When Accessing COM+ Component as Plain Domain User on 2003

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/07/05 

Date: Thu, 7 Jul 2005 06:09:40 -0700

If your W2k3 is now at SP1, have you reviewed the SP1 release
note information, as it, like SP2 for XP, introduced new hardening
for RPC and DCOM. Now, you said COM+ but it sure sounded
like the users may be remote when attempting this, so . . . 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
"segedunum" <segedunum.1rsupz@> wrote in message
news:TLedncgfpIfTv1DfRVn_vg@giganews.com...
>
> Hi All,
>
> I've got a problem running COM+ components on Windows 2003 that I
> haven't seen perviously.
>
> If I log into the client workstation as a domain administrator, I can
> access the COM+ component absolutely fine. However, if I access it
> logged in as an ordinary domain user I get a permission denied 70
> error. Otherwise, users can get access to the server fine and use
> shares on it. I've been through all the motions for this.
>
> - The workstations and the server are a part of an Active Directory set
> up and authenticate against it.
> - I've created roles for domain users against my COM+ components to
> ensure declarative security for them.
>
> In the event log I've got authentication sucesses for the domain users
> from the workstations I'm using, so no failures there and nothing that
> would indicate any kind of other failure. None of my COM+ components
> implement programmatic security, or even have an Initialize routine.
> They're very, very simple components.
>
> I've been through everything I can think of. The only remaining thing I
> can think of is if a setting in AD is stopping access, but I have
> absolutely no idea what that might be because it could be just about
> anything. I think I've exhausted everything in Component Services, but
> if anyone has any other ideas that would be great because I can't
> believe I'm the only one to see an error 70 like this.
>
> Thanks a lot.
>
>
> -- 
> segedunumPosted from http://www.pcreview.co.uk/ newsgroup access
>

Relevant Pages

  • Re: How to stop all authenticated users from adding computers
    ... default domain controller policy or equivalents for the security right "ADD WORKSTATIONS TO DOMAIN". ... I assume Domain users or Everyone are listed there. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problem after removed "domain users" from "local administrator"s g
    ... We finally decided to remove the "domain users" group from the "local administrators" group on the workstations and since doing that we have a strange problem happening. ... Some programs simply cannot be used without administrator privileges, ever, which is an excellent reason to switch to software written by competent people. ... The right answer, in hindsight, was to add Domain Users to the Local Users group. ...
    (microsoft.public.windows.server.sbs)
  • Re: permission/security issues
    ... If you talk about domain users, also the Administrator is a domain user, so you kicked off yourself. ... Hopefully you have a recent backup then just rename the top level folder and restore the backup. ... Try with the advanced tab under security to take ownership of the folder and reset the permissions after that. ... except the user with the home settings. ...
    (microsoft.public.windows.file_system)
  • Re: Domain Users Privileges
    ... RMouse on the folder that is shared and pick "Sharing and Security". ... > By default the domain users only have Read-only access on ... > config in the local policies that the domain user can have ...
    (microsoft.public.security)
  • Group membership and rights
    ... workstations. ... Login scripts are of the .vbs type, ... when I place my users in the Domain Users ... What local group should the local user ...
    (microsoft.public.win2000.active_directory)