
Event 10022: A lot of dcom errors on W2K3 servers SP1

10 May

One of the apps guys installed a pre-packaged 3rd-party app, which seems to have broken the DCOM permissions. As a result, it caused a lot of event ID 10022 errors to be generated. For example:

[89231] COM
Type: ERROR
Computer: <servernname>
Time: 10/05/2007 10:25:51 ID: 10022
The machine-default access security descriptor for the COM Server application C:\Program Files\Symantec AntiVirus\Rtvscan.exe is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

[89230] COM
Type: ERROR
Computer: <servernname>
Time: 10/05/2007 10:25:40 ID: 10022
The machine-default access security descriptor for the COM Server application C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

This caused the server’s clipboard not to work, and I could not view the event log properties from the event log viewer, nor could I view the COM properties. And when trying to expand COM+ programs in Component Services, I got the following error message:

error code 80040153 – Invalid value for registry

Did a few searches and found the following solution: http://www.kbalertz.com/kbNamed_934701/934701.aspx

But I checked my faulty server and found that all the required default permissions were already there!

Luckily, I had a working server to compare with, and I found that the faulty server had other accounts in the default Access and Launch permission security, which included the IUSER_machine and IWAM_machine. After copying all the accounts and their permissions over to the faulty server and restarting DTCS, the server was fixed. 🙂

Updated: Okay, my apps guys talked to their vendor and we found that the issue is caused by their applications, which sometimes have these symptoms on W2K3 SP1 servers. Backing up a registry key, uninstalling and reinstalling, and then restoring the registry key would resolve it. So it has nothing to do with DCOM permissions after all.


Posted by on May 10, 2007 in Windows


15 responses to “Event 10022: A lot of dcom errors on W2K3 servers SP1”

  1. Rasky

    July 17, 2007 at 12:49 pm

    What was the registry key?

     
  2. saltwetfish

    July 17, 2007 at 2:44 pm

    Sorry, I don’t know either, but it has to do with the application’s registry keys rather than Windows ones, I suppose.

     
  3. JohnK

    August 2, 2007 at 5:16 pm

    We encountered a similar problem and tied the problem back to the following reg key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission

    The default users within the DCOM Access Permission list are ‘Self’ and ‘System’; this is the case if no DefaultAccessPermission value is present. However, if you add a user to the Default Security list, a value is spawned; if you were to remove the user so that only ‘Self’ and ‘System’ remain, the registry value persists. Since the desired state on our system was the default, I just removed the value from the registry and restarted the machine. The problem went away.

    There might be something messed up with the way Microsoft stores the value in the registry… maybe there’s an artifact left over in the binary value?

     
  4. saltwetfish

    August 4, 2007 at 12:44 am

    Hi John

    Thanks for sharing, it looks like either MS thought that there is no harm in leaving that value untouched when reverted back to default, or they really forgot about removing this value in the code! 🙂

     
  5. EinarT

    August 9, 2007 at 9:00 pm

    Something bad happened, maybe because the computer was added to a domain and there was some mix with local admin and domain admin. The Application log filled up with Error event COM 10022. Scanning the net for this, I found your comments and the problem was fixed by removing the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission

    Thank you!

     
  6. Matt Harper

    November 14, 2007 at 12:39 am

    Thank you so much for this, I had a couple of servers which I’d held back on updating due to this very issue. The solution works perfectly!

     
  7. George Johnson

    November 27, 2007 at 6:19 am

    Installed a scanner router program from Ricoh, rebooted, and almost started crying. Brand new server, just finished migrating users, email, everything except the scanner router, and I thought it had killed the server. Thanks guys.

     
  8. Jeff Burgess

    January 18, 2008 at 7:45 pm

    I had the same problem–a lot of 10022 errors. I followed the instructions in the kbalertz article (http://www.kbalertz.com/kbNamed_934701/934701.aspx), but the permissions were already there. HOWEVER, there were 2 unresolved SIDs sitting in there. Once I deleted the unresolved SIDs my problem went away. I think my original problem may have come from a manual uninstall of the Symantec Endpoint Protection client.

     
  9. Silvester

    January 29, 2008 at 10:53 am

    I had the same problem. It was caused by the Ricoh Scanner driver. I deleted the key in the registry and solved the problem.
    Thanks to all.

     
  10. Michael Flagg

    February 6, 2008 at 3:58 pm

    I also had the very same issue with Ricoh ScanRouter v2. Deleting the above value fixed the problem after logging back in, no reboot required.

    Thanks for saving my primary DC!

     
  11. Ian Phillips

    December 23, 2008 at 8:09 am

    Similar issue with SBS 2003 – Domain controller; Application log full of 10022 DCOM errors; MMC snap-ins not functioning correctly (Services / Users, DComCnfg and Event Viewer etc).

    Arrrgh! – how can I fix the problem if I can’t even see the content of the EventViewer or stop some services that I think might be causing the problem?

    Additional KB article:
    http://support.microsoft.com/kb/934701

    The KB article says “From another Windows Server 2003 based computer” – which if like me you’re running SBS isn’t what you want to hear (I only have 1 server – don’t tell me I need another one on the network to fix this!). So I decided to try it from a client machine (XP) and it appears to work.

    Resolution: From a client PC on the domain, log on as the domain admin and you’ll be able to control / edit the DComCnfg / services of your DC from the client PC. Open the services / DCOM / EventViewer locally and right click then “Connect to another computer…”

    DCOM permissions: I didn’t have unresolved SIDs (as outlined above) – but granting permission within both “Access” and “Launch and Activation” to the “Everyone” group resolved the issue.

    Clearly that’s opened up a security hole – but it’s allowed me to uninstall the Symantec Endpoint 11 applications (Server and client) that I suspect were causing the issues in the first place.

    hope this helps someone!

     
  12. Tim Hughes

    June 24, 2009 at 5:38 pm

    I had this problem as well – likely from using a regcleaner utility – wreaked havoc on just about everything from the clipboard to ie to mmc snapins – had to import [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission] from another computer and voila! thanks for the post.

     
  13. Rajesh Karedla

    October 11, 2011 at 8:40 am

    It Worked for Us also… thanks for the solution

     
  14. Daniel

    March 15, 2012 at 7:57 pm

    Thanks a million!!! I also had this problem in Windows 2003 after installing the crappy Ricoh ScanRouter software. Deleting the registry key solved the problem.

    THANK YOU!!

     
  15. Anoep

    August 21, 2012 at 6:53 pm

    Thanks for this solution it worked also for me..
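
An added example, not part of the original post or its comments: a read-only PowerShell audit of the registry values JohnK and Jeff Burgess describe above. It decodes the machine-wide DCOM default ACLs under HKLM\SOFTWARE\Microsoft\Ole and marks unresolved SIDs, entries for Everyone, and mask bits outside the defined COM rights. It assumes PowerShell 2.0 or later run as a local administrator; the function name Get-DcomDefaultAce is hypothetical, and checking DefaultLaunchPermission alongside DefaultAccessPermission is an addition the page does not make.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Assumes PowerShell 2.0 or later, run locally as an administrator.
$oleKey     = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueNames = 'DefaultAccessPermission', 'DefaultLaunchPermission'

# COM access-right bits (COM_RIGHTS_* in the Windows SDK headers).
$comRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'
                8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }
$definedBits = 0x1F

# Hypothetical helper: emits one object per ACE in the named default ACL.
function Get-DcomDefaultAce {
    param([string]$ValueName)
    $prop = Get-ItemProperty -Path $oleKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) {
        # No stored value: the state JohnK's comment calls the default.
        return New-Object PSObject -Property @{ Value = $ValueName; Notes = 'value not present' }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList ([byte[]]$prop.$ValueName), 0
    if ($null -eq $sd.DiscretionaryAcl) {
        return New-Object PSObject -Property @{ Value = $ValueName; Notes = 'descriptor has no DACL' }
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Translate() throws when the SID no longer maps to an account.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $null }
        $mask   = $ace.AccessMask
        $rights = $comRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                  ForEach-Object { $comRights[$_] }
        $notes = @()
        if (-not $account)                    { $notes += 'unresolved SID' }
        if ($mask -band (-bnot $definedBits)) { $notes += 'mask has bits outside COM_RIGHTS_*' }
        if ($sid.Value -eq 'S-1-1-0')         { $notes += 'applies to Everyone' }
        New-Object PSObject -Property @{
            Value = $ValueName; AceType = $ace.AceType; Sid = $sid.Value
            Account = $account; Mask = ('0x{0:X}' -f $mask)
            Rights = ($rights -join ','); Notes = ($notes -join '; ')
        }
    }
}

$valueNames | ForEach-Object { Get-DcomDefaultAce $_ } |
    Select-Object Value, AceType, Account, Sid, Mask, Rights, Notes |
    Format-Table -AutoSize
```

Running it on a known-good server and on the affected one gives two tables that can be compared row by row before any value is deleted or imported.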

     
