Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 10016 Source: DCOM

Source
Level
Description
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {<CLSID>} to the user <user> SID (<SID>). This security permission can be modified using the Component Services administrative tool.
Comments
 
CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}, APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}, application: ShellServiceHost - I encountered this event recently on a couple of computers at work. It was being thrown whenever I tried to create a network print queue on an affected computer using PrinterLogic's (www.printerlogic.com) Printer Installer Client. I tried to resolve this issue using the solutions at EV100654 (Event ID 10016 issue in SQL Cluster Server), but the Windows registries of computers at my workplace are too locked down. I resolved this issue by uninstalling Printer Installer Client (v18.1.1.91) and then installing an earlier version (I think v16.x).
AppID: 83B33982-693D-4824-B42E-7196AE61BB05 - This event was recorded for every schedule MS SQL backup jobs (done by SQL Server Agent). The event description indicated the user as "NT SERVICE\SQLSERVERAGENT". Searching the registry for the AppID revealed that the application is Microsoft SQL Server Integration Services 11.0. Using Component Services, we browsed to Computers, My Computer, DCOM Config and identified the  Microsoft SQL Server Integration Services 11.0 component. Right-click, Security and edited the Launch and Activation Permissions and added the NT Service account as having the rights to launch and activate the COM. Ran the backup task again and confirmed that the error was gone.
In my case, Backup Exec 2010 R3 services would not start. Event ID 10016 from source DistributedCOM was being thrown dozens of times when attempting to restart services. Error 10016 from my event log:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{ADA33000-3CB4-4309-B1CC-5168A2B672A1}
and APPID
{ADA33000-3CB4-4309-B1CC-5168A2B672A1}
to the user IPS\PAD.BackupExec SID (S-1-5-21-3511456350-2009084765-4108714726-24618) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

To resolve this I performed the following steps:
1. Copied the CLSID (ADA33000-3CB4-4309-B1CC-5168A2B672A1)
2. Started the registry editor program (regedit.exe)
3. Searched for the CLSID and found it in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{ADA33000-3CB4-4309-B1CC-5168A2B672A1}. It was for the 'Adamm Server Class 0.0'
4. Opened Component Services by clicking: Start -> Control Panel -> Administrative Tools -> Components Services
5. Expand the Component Services then Computers -> My Computer -> DCOM Config and located 'Adamm Server Class 0.0'
6. Right clicked 'Adamm Server Class 0.0' and chose Properties
7. The Event ID included the line "permission settings do not grant Local Activation permission" so I clicked on the Security tab, then under 'Launch and Activation Permissions' I chose Customize then clicked Edit.

8. My Backup Exec services are being run under specific network user credentials, i.e. DOMAIN\bacnup.user.  I added this user to the security permissions and gave it 'Local launch' and 'Local Activation' permissions.

9. After effecting these settings (clicking OK on all open windows) I restarted Backup Exec services with no errors!
In my case  it was SBS2011 (W2008R2 with Sharepoint) and CLSID {000C101C-0000-0000-C000-000000000046} and APPID {000C101C-0000-0000-C000-000000000046} to the user domain\spfarm SID (S-1-5-21-527237240-1965331169-839522115-4665) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Since the permissions in the component services are resticted you have to set these first by changing the owner and permissions on the registrykey HKey_Classes_Root\Api\{000C101C-0000-0000-C000-000000000046}.
T751272 contains information on how to troubleshoot DCOM-related issued (settings, security, setup, tools).


For CLSID {61738644-F196-11D0-9953-00C04FD919C1}, if this occurs after the installation of Windows SBS 2011 according to ME2483007, this type of errors are benign and may be safely ignored.
According to TB643195, if the user name referenced in the event is the "NETWORK SERVICE" account then this occurs because this account does not have Activate permissions in DCOM. See the article for the steps to take to grant this type of access.
CLSID BA126AD1-2166-11D1-B1D0-00805FC1270E - See EV100140.
See ME920783 if you get this after you install Windows SharePoint Services 3.0.
TB457148 (Security-Related Policy Settings) provides a good explanation of the two categories of security permission, Launch security permission and Access security permission.
CLSID: 24FF4FDC-1D9F-4195-8C79-0DA39248FF48 refers to B292921D-AF50-400c-9B75-0C57A7F29BA1 in the registry which is the CLSID of the NAP Service agent. When I tried to edit the permissions in Component Services, I found that all the options were greyed out. I checked the services console and discovered that the NAP service was not running. The out-of-box configuration for Windows Server 2008 the Network Access Protection Agent start-mode is apparently "manual"¯. Once I changed the start mode for that service and then started the service DCOM error was corrected, I have not seen an error since.
My issue was related to Kaspersky -  see EV100096.
CLSID: {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} - This may be caused by a Kaspersky Anti-Virus bug. See EV100094 - "Cannot access Microsoft NAP Agent: Event ID 10016".
I got this event on a Windows Small Business Server 2008 & SharePoint. The CLSID was {61738644-F196-11D0-9953-00C04FD919C1} and the user account NETWORK SERVICE. Changing the security settings for this user account in the Component services "IIS WAMREG admin Service" to allow Local Start and Local activate, fixed the problem for me.


In my case, I received this error on a target machine when I attempted to run the Group Policy Results Wizard in the GPMC against the target machine from an admin machine within the same domain. The CLSID was {8BC3F05E-D86B-11D0-A075-00C04FB68820}, which is the WMI service. W2K3 SP2 DC and XP SP3 clients.

Making sure that TCP port 135 was open on both the target and the admin machine as well as allowing the "Remote Admin Exception" for both profiles by means of a domain-based GPO solved the issue.

For more info, refer to T782615.
In regards to this problem, I found the post on "Mike H. - Another Geek In Need" blog quite useful. See EV100033.
I had this issue similar with "Anonymous (Last update 10/30/2006)". However, in my case, I simply set the component security to "Default" and the problem was solved.
To correct this error do the following:
1. Open Component Services, go to Computers -> My Computers -> DCOM Config.
2. Expand DCOM config until you get down to the CLSID, they appear after the named items.
3. Right click the CLSID, check the launch parameters; they will probably be set to custom and not containing any accounts.
4. Use the SID in the event log item, run it against PsGetSid, to get which account is needed.
5. Put that account in and configure the necessary requested launch permissions.

PsGetSid is part of a growing kit of command-line tools that aid in the administration of local and remote Windows NT/2K systems named PsTools. See the link below for more details.
See the EV100033 link to "SharePoint 2007 Server Issues Revisited" for information on this problem.
As per MSW2KDB, a program, the Clsid displayed in the message, tried to start the DCOM server by using the DCOM infrastructure. Based on the security ID (SID), this user does not have the necessary permissions to start the DCOM server.

See ME899965 and EV100029 for additional information on fixing this problem.

From a newsgroup post: "Windows XP SP2 and Windows 2003 SP2 introduced a machine-wide AccessCheck call that must succeed in addition to other specific access checks. You can modify the settings of this machine-wide AccessCheck by using Component Services. Right-click on My Computer -> Properties, and click on the COM Security tab.
Also, have a look at the TB457156, document ("Changes to Functionality in Microsoft Windows XP Service Pack 2 - Network Protection Technologies"), in the section marked "DCOM Security Enhancements". This may be helpful to you".
Windows XP Service Pack 2 changes some security settings to increase security for your system. One of these increased settings interacts with the way MCMS works in a way that it prevents a COM component from being activated. See the EV100032 link to "MCMS Complete FAQ" for a solution to this problem.

The problem is caused by a mismatch of files that occurs when you install Microsoft Internet Information Services. This problem occurs if you install IIS from an installation point that is not running Windows Server 2003 SP1. See ME908181 for details on this issue.

See ME817065, ME913119, ME913666, ME919090, ME919592, ME920720, ME922354, ME930461, ME931355 and ME937534 for additional information about this event.
In my case, I had the same CLSID as Linda. Here is the additional information she omitted that is needed to correct the problem: In Component Manager, under DCOM config, go to netman, browse to the Security Tab, edit the Launch and Activation Permissions and make the necessary changes. In this case, NETWORK SERVICE needs to be added with Local Launch and Local Activation permissions.
In my case, I received this event on a W2K3 server with SharePoint 3.0. The CLSID was {61738644-F196-11D0-9953-00C04FD919C1} and the user account WSS_ADMIN_WPG. Changing the security settings for this user account in the Component services "IIS WAMREG admin Service" to allow Remote Start and Remote Activate, fixed the problem for me.


In my case, I received this event on a W2K3 server with Citrix PS4. The CLSID was CLSID{49BD2028-1523-11D1-AD79-00C04FD8FDFF} = "Microsoft WBEM Unsecured Apartment" and the user account was Ctx_SmaUser. Changing the security settings for this user account in the Component services "Microsoft WBEM Unsecured Apartment" to allow Remote Start and Remote Activate, fixed it for me.
We had this problem after installing Win2k3 SP1. The information listed on EV100030 was exactly our problem but just ticking Remote Launch and Remote Activation did not fix the problem. Ticking Local Launch and Local Activation did fix the problem.
See ME895200 for a hotfix applicable to Microsoft Windows XP.
ME555099 has information on this event.
I received this event when attempting to access the Administration web page for Virtual Server 2005. This happened after changing the guest OS from Windows XP SP1 to Windows XP SP2. The increased security of SP2 had stopped me from accessing the admin page. ME891609 has detailed information on the issue but their suggested fix did not solve the issue. Setting to “Use Default” as mentioned by contributor PaulD did the trick.
1. Open the registry and go to "HKEY_CLASSES_ROOT\CLSID\{<CLSID in the event message>} to find out friendly name of this component. In my case, this is "Machine Debug Manager” (CLSID: 0C0A3666-30C9-11D0-8F20-00805F2CD064).
2. Go to Component Services via Start -> Control Panel -> Administrative Tools -> Components Services. Expand the Component Services branch then expand "Computers", "My Computer", and "DCOM Config". Right-click on "Machine Debug Manager" (or whatever your CLSID represents) and choose Properties. Click on the Security tab and under “Launch and Activation Permissions” select "Use Default". Click OK, close the Component Services window. The error should disappear now.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...