DCOM security

I am having problems creating a DCOM component under Windows XP SP2.

I am creating the component locally to eliminate any remote access issues.

When I set the identity to "The interactive user" I can create the component
okay so I know that its registered okay and all its dependencies are
present.

When I set the identity to the logged on user but specified explicitly under
"This user" I get VB error "ActiveX component can't create object".

What is the difference between "interactive user" and specifying the same
user under "This user"?

I have tried adding "Everyone" with full control under each security section
to no avail.

I have checked for any DCOM restrictions in "Local Security Settings\Local
Policies\Security Options" but none are set.

Where else should I look?

O my own computer there are only six policies in "Local Security
Settings\Local Policies\Security Options" - four "Accounts", a "Network
access" and a "Network security". On the problem computer there are
sixty-four.

What has added these additional policies?

Andrew
Tue Dec 21 04:29:49 CST 2004

PS. This is part of a distributed application that worked adequately until
we installed SP2.

Roger
Tue Dec 21 19:17:13 CST 2004

Keep in mind that granting to UserX and granting to
Interactive (with the understanding that the tests are
made with UserX logged in locally) do differ in that
the grant to UserX is without qualification as to whether
local or remote.
Have you examined the information on the changes to
DCom Activation security which was introduced with
XP SP2 ?
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EIAA


--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Andrew Jarvis" <someone@somewhere> wrote in message
news:O04Q6X05EHA.828@TK2MSFTNGP14.phx.gbl...
> I am having problems creating a DCOM component under Windows XP SP2.
>
> I am creating the component locally to eliminate any remote access issues.
>
> When I set the identity to "The interactive user" I can create the
component
> okay so I know that its registered okay and all its dependencies are
> present.
>
> When I set the identity to the logged on user but specified explicitly
under
> "This user" I get VB error "ActiveX component can't create object".
>
> What is the difference between "interactive user" and specifying the same
> user under "This user"?
>
> I have tried adding "Everyone" with full control under each security
section
> to no avail.
>
> I have checked for any DCOM restrictions in "Local Security Settings\Local
> Policies\Security Options" but none are set.
>
> Where else should I look?
>
> O my own computer there are only six policies in "Local Security
> Settings\Local Policies\Security Options" - four "Accounts", a "Network
> access" and a "Network security". On the problem computer there are
> sixty-four.
>
> What has added these additional policies?
>
>
>

Andrew
Wed Dec 22 06:29:59 CST 2004

I have since discovered that if I double click the server in Explorer then
it launches okay.

If I right click and do Run As UserX then a dependency cannot be located.

Am I right in thinking that the environment is not being supplied to the
application in this instance?

What would cause this?



"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uuXzVO85EHA.1260@TK2MSFTNGP12.phx.gbl...
> Keep in mind that granting to UserX and granting to
> Interactive (with the understanding that the tests are
> made with UserX logged in locally) do differ in that
> the grant to UserX is without qualification as to whether
> local or remote.
> Have you examined the information on the changes to
> DCom Activation security which was introduced with
> XP SP2 ?
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EIAA
>
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Andrew Jarvis" <someone@somewhere> wrote in message
> news:O04Q6X05EHA.828@TK2MSFTNGP14.phx.gbl...
>> I am having problems creating a DCOM component under Windows XP SP2.
>>
>> I am creating the component locally to eliminate any remote access
>> issues.
>>
>> When I set the identity to "The interactive user" I can create the
> component
>> okay so I know that its registered okay and all its dependencies are
>> present.
>>
>> When I set the identity to the logged on user but specified explicitly
> under
>> "This user" I get VB error "ActiveX component can't create object".
>>
>> What is the difference between "interactive user" and specifying the same
>> user under "This user"?
>>
>> I have tried adding "Everyone" with full control under each security
> section
>> to no avail.
>>
>> I have checked for any DCOM restrictions in "Local Security
>> Settings\Local
>> Policies\Security Options" but none are set.
>>
>> Where else should I look?
>>
>> O my own computer there are only six policies in "Local Security
>> Settings\Local Policies\Security Options" - four "Accounts", a "Network
>> access" and a "Network security". On the problem computer there are
>> sixty-four.
>>
>> What has added these additional policies?
>>
>>
>>
>
>

Andrew
Wed Dec 22 07:37:50 CST 2004

Finally figured it out.

In the environment path variable, the drive letter for the path of the
dependent DLL was assigned by "cmd /c subst ..." in the Startup folder!
Therefore it did not exist in the new user context.

Apologies for wasting your time.

AJ

Roger
Thu Dec 23 02:18:37 CST 2004

Hey, no apollogies needed nor expected :-)
Glad you sorted it.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Andrew Jarvis" <someone@somewhere> wrote in message
news:%23SXlwtC6EHA.2788@TK2MSFTNGP15.phx.gbl...
> Finally figured it out.
>
> In the environment path variable, the drive letter for the path of the
> dependent DLL was assigned by "cmd /c subst ..." in the Startup folder!
> Therefore it did not exist in the new user context.
>
> Apologies for wasting your time.
>
> AJ
>
>