Environment
Situation
Resolution
The following event will be generated once DCOM logging is enabled.
Severity: Error
Event ID: 10017
Source: COM
Category: None
The machine default permission settings do not grant local access permission to the COM server application C:\Program Files\NetIQ\DRA\DRAExchShell.exe to the user domain\serviceaccount {SID}. The security permission can be modified using the Component Services administrative tool
To resolve this issue:
- Add the "DRA service account" to the GPO policy "DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax" and give it full privilege (Local Launch, Remote Launch, Local Activation, Remote Activation).
- Add the "DRA service account" to the GPO policy "DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax" and give it full privilege (Local Access, Remote Access).
- Copy the "Customized" security option from "MCS OnePoint Administration Service" to "ExchShell". DRA starts working once the system is restarted.
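To confirm the first two steps took effect, the following added example (not NetIQ code) parses the SDDL of both machine-wide restrictions and reports which of the rights listed above the service account still lacks. Assumptions: the SID is a constructed placeholder to be replaced with the SID from event 10017, the GPO values are read from the `Policies\Microsoft\Windows NT\DCOM` registry key, and only ACEs that name the SID directly are evaluated (group membership is not resolved).

```powershell
# Added example: audit the DCOM machine-wide restriction SDDL for one account.
$Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed placeholder SID

# COM_RIGHTS_* access-mask bits (Windows SDK): EXECUTE_LOCAL=2, EXECUTE_REMOTE=4,
# ACTIVATE_LOCAL=8, ACTIVATE_REMOTE=16
$Launch = [ordered]@{ 'Local Launch' = 2; 'Remote Launch' = 4
                      'Local Activation' = 8; 'Remote Activation' = 16 }
$Access = [ordered]@{ 'Local Access' = 2; 'Remote Access' = 4 }

function Get-MissingComRight {
    param([string]$Sddl, [string]$Sid, [System.Collections.IDictionary]$Required)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceQualifier -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    # A deny ACE for the same SID overrides any allow ACE.
    $effective = $allow -band (-bnot $deny)
    $Required.GetEnumerator() |
        Where-Object { ($effective -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

# Constructed sample: the account's ACE carries CC, DC and SW only
# (local launch and local activation), so the remote rights are reported.
$sample = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;$Sid)"
"Sample launch SDDL is missing: " +
    ((Get-MissingComRight -Sddl $sample -Sid $Sid -Required $Launch) -join ', ')

# Live check: registry values written by the two GPO settings.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
$checks = @{ MachineLaunchRestriction = $Launch; MachineAccessRestriction = $Access }
foreach ($name in $checks.Keys) {
    $sddl = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $sddl) { "$name : policy not set on this machine"; continue }
    $missing = @(Get-MissingComRight -Sddl $sddl -Sid $Sid -Required $checks[$name])
    if ($missing.Count) { "$name : missing $($missing -join ', ')" }
    else                { "$name : all required rights present" }
}
```

Run it on the DRA server after `gpupdate`; any right still listed as missing means the policy change has not reached that machine or the ACE was added for a different principal.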
Cause
This can occur when the following two GPO policies are enabled:
1. DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax
2. DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax
Note: Location of policy: (Group Policy object) Computer Configuration\Windows Settings\Local Policies\Security Options
The DCOM settings are correct for this customer, but because of the GPO DCOM policy, DRA Exchange functionality does not work.
From DRA 8.5 onwards, the installer configures the DCOM settings. But somehow, the DCOM security settings for "MCS OnePoint Administration Service" and "ExchShell".
The "Customized" security option for "Launch and Activation Permissions" and "Access Permissions" is selected for the DRA components "MCS OnePoint Administration Service" and "ExchShell". Unfortunately, the "Customized" security option for "ExchShell" doesn't have enough privileges.