Marc,
We're currently working with Microsoft, but they aren't getting very far. Right now, we're in the config manager support queue, but may be working with the DCOM team soon.
What we've found so far is that, for some reason, the DCOM permissions on the general COMPUTER object in dcomcnfg seem to be corrupt.
Go to Start > Run > Dcomcnfg
Click on Component Services > Computers
Right-click on "My Computer" and then Properties.
COM Security Tab and click Edit Limits under the Launch and Activation Permissions.
First question: Do you see an access control list? Some of our systems are showing a blank dialog... all gray box, no ACL.
Second question: If you see the ACL, do you see any SIDs listed instead of the group names?
Also, if you can download the DCOMPERM.exe tool or grab it from your Microsoft Account Rep (or you can download it here: http://www.myitforum.com/articles/34/view.asp?id=9323), what we're finding is that if we run the following command, we have many duplicate entries for the My Computer COM object.
dcomperm.exe -ml list
I recently rebuilt a system and did not join it to the domain. I ran that command after several reboots and we came up with a clean list.
I added it to our domain, and with each reboot, the list is adding duplicate entries.
My hunch is that there's a bad GPO in place. Thinking it may have to do with the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies/Security options > Other > Policy: DCOM:Machine access restrictions in Security Descriptor Definition
We upgraded SCCM SP1 - SP2, but you may be installing SCCM for the first time from SMS 2003. From what we can tell, it seems that the client, when installed, resets the settings back to default, then waits for policy to reconfigure them. Since the permissions are screwed up on that particular ACL, we think that the client just can't configure it.
In addition to the remote control being disabled, so is Remote Assistance for us. People that are ONLY in the Offer Remote Assistance Helpers local group get a "permission denied" when they try to offer remote assistance. Administrators have no issue.
To resolve, at least temporarily, you can back up the following key HKLM\Software\Microsoft\OLE\MachineLaunchRestrictions (we'll be deleting this).
Go to Start > Run > Dcomcnfg
Click on Component Services > Computers
Right-click on "My Computer" and then Properties.
COM Security Tab and click Edit Limits under the Launch and Activation Permissions.
Record the security settings you see, if you see them at all.
Delete the registry key you just backed up.
Go back into DCOMCNFG and manually enter the users/groups into the ACL again.
Restart SCCM.
That seems to have resolved the issue, but still, with every reboot, we are seeing entries added to the list. In 2 instances, there were over 2000 entries. I rebooted a lab system 60 times yesterday and ended up with 420 entries... but you can only see them using the dcomperm.exe -ml list
Curious to know if you are seeing the same DCOM symptoms.
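
Added example, not part of the original message: one way to count the duplicate entries described above without dcomperm.exe, by parsing the binary (self-relative) security descriptor from the backed-up registry data and grouping identical ACEs. The function names and the sample descriptor (Administrators once, Everyone three times, mask 0x1F) are constructed for illustration.

```python
import struct
from collections import Counter

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Yield (ace_type, access_mask, sid) for each allow/deny ACE in the DACL."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]  # OffsetDacl, last field of the 20-byte header
    if dacl_off == 0:
        return  # descriptor carries no DACL
    acl_size, ace_count = struct.unpack_from("<HH", sd, dacl_off + 2)
    off, end = dacl_off + 8, dacl_off + acl_size
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > end:
            raise ValueError("corrupt ACE at offset %d" % off)
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            yield ace_type, mask, parse_sid(sd, off + 8)
        off += ace_size

def duplicate_aces(sd):
    """Return {(type, mask, sid): count} for ACEs that appear more than once."""
    counts = Counter(dacl_aces(sd))
    return {ace: n for ace, n in counts.items() if n > 1}

# --- constructed sample data (hypothetical, not taken from a real system) ---
def make_sid(authority, *subs):
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def make_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

def build_sample():
    admins, everyone = make_sid(5, 32, 544), make_sid(1, 0)
    aces = [make_ace(0, 0x1F, admins)] + [make_ace(0, 0x1F, everyone)] * 3
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; DACL starts at offset 20
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    for (ace_type, mask, sid), n in duplicate_aces(build_sample()).items():
        print("type=%d mask=0x%X sid=%s appears %d times" % (ace_type, mask, sid, n))
```

Running it against a descriptor captured after each reboot shows whether the ACE count is growing and which SID is being re-added.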