Windows Server 2008, SCCM 2007 DCOM Issue
I have been trying for the last few days to figure out why I am getting the following message on the server hosting the Management point:
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/22/2008 2:27:00 PM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: mp.test.loc
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-08-22T19:27:00.000Z" />
    <EventRecordID>5833</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>mp.test.loc</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Launch</Data>
    <Data Name="param4">{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}</Data>
    <Data Name="param5">NT AUTHORITY</Data>
    <Data Name="param6">SYSTEM</Data>
    <Data Name="param7">S-1-5-18</Data>
    <Data Name="param8">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>
I searched the registry for the CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and it turned out to be Quarantine Private SHA Binding class with an AppID of {B292921D-AF50-400c-9B75-0C57A7F29BA1}, which I have been able to match up with the Network Access Protection Agent.
From everything that I have read on the forums, all I should have to do is modify the Launch permissions for Network Access Protection Agent; however, all the options for that service in Component Services are grayed out. The Network Policy and Access Services Tools role and the System Health Validator site role are not installed. How can I clear this error?
August 23rd, 2008 12:09am

I am not sure if this makes any difference, but I have discovered the following errors in the Configuration Manager logs:
System task 'SMSSHA_Shutdown' returned error code 0x80040200.  CcmExec  8/25/2008 7:11:04 PM  5608 (0x15E8)
Error waiting for tasks (0x80040213), will shut down anyway.  CcmExec  8/25/2008 7:11:06 PM  1168 (0x0490)
Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154  CCMEXEC  8/25/2008 7:11:42 PM  6100 (0x17D4)
Failed to query size of Security (may not exist) (0x80070002)  CCMEXEC  8/25/2008 7:11:44 PM  4220 (0x107C)
System task 'SMSSHA_Startup' returned error code 0x80070005.  CcmExec  8/25/2008 7:11:46 PM  1136 (0x0470)
Unknown task LSProxyMPModificationTask in non-quarantine - ignoring.  LocationServices  8/25/2008 7:11:45 PM  4124 (0x101C)
August 26th, 2008 3:26am

Looks like dcom permissions http://technet.microsoft.com/en-us/library/bb633148.aspx
August 26th, 2008 7:26am

NT AUTHORITY\SYSTEM by default has local launch permissions. I cannot edit the limits because the Edit Limits button is grayed out within the Launch and Activation Permissions frame on the COM Security tab for My Computer Properties in dcomcnfg.exe.
The SMS_MP_CONTROL_MANAGER revealed another error this morning. This is the first time I have noticed this error on the server ....
MP Control Manager detected management point is not responding to HTTP requests. The HTTP status code and text is 500, Internal Server Error.
Possible cause: Management point encountered an error when connecting to SQL Server.
Solution: Verify that the SQL server is properly configured to allow Management Point access. Verify that management point computer account or the Management Point Database Connection Account is a member of SMS Management Point Role (msdbrole_MP) in the SQL Server database.
Possible cause: The SQL Server Service Principal Names (SPNs) are not registered correctly in Active Directory
Solution: Ensure SQL server SPNs are correctly registered. Review Q829868.
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which SMS is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which SMS is configured to use.
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly.
Possible cause: The SMS ISAPI Application Identity does not have the requisite logon privileges.
Solution: Verify that the account that the SMS ISAPI is configured to
I know that there isn't a problem with the SPN because I can query AD for them. The web site needed is running properly; the only thing that I have done to it was move Inetpub from C: to D:.
August 26th, 2008 4:22pm

Upon further review of the CM logs I discovered that the client was having issues because the NAP service was not running. In the out-of-box configuration for Windows Server 2008, the Network Access Protection Agent start mode is manual. Once I changed the start mode for that service and restarted the server, the DCOM error was corrected. I discovered all this from:
SHA is registered already  smssha  8/25/2008 7:11:46 PM  1136 (0x0470)
CORE: SHA Registered successfully with the NAP Agent, but could not succesfully bind  smssha  8/25/2008 7:11:46 PM  1136 (0x0470)
CORE: NAP Agent Service might not be running  smssha  8/25/2008 7:11:46 PM  1136 (0x0470)
SHA is registered already  smssha  8/25/2008 7:38:27 PM  2336 (0x0920)
August 27th, 2008 3:21am

Run regedit.exe as administrator.
Locate HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{B292921D-AF50-400c-9B75-0C57A7F29BA1}
Open the permissions window for this branch.
Make the Administrators group the owner of this branch.
After that, give the Administrators group full access.
Restart dcomcnfg.exe as administrator.
Now you can change the properties of the DCOM application.
December 4th, 2010 11:13pm

I am having this same issue with pstools. The service won't launch and I get these DCOM errors in the event log. So how in heaven's name do these permissions get altered?? No one has Admin access to this computer besides myself. Almost all my other computers do not have a problem with pstools, but this one and a couple others do (out of about 400 computers), and although I cannot say for sure, I don't think it has always had problems! Obviously, how it goes wrong is a rhetorical question. Perhaps a better one is, is there a repair utility that simply goes through DCOM and fixes all the permissions?
January 27th, 2011 2:48pm

The steps below are what worked for me. George had already stated most of this in this thread, but I figured I'd expand on it for clarity.
1. Open regedit
2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B292921D-AF50-400c-9B75-0C57A7F29BA1}
3. Right click the {B292921D-AF50-400c-9B75-0C57A7F29BA1} folder and select "Permissions"
4. Click Advanced
5. Click the "Owner" tab
6. Change owner to the local "Administrators" group and click OK.
7. Grant the local "Administrators" group Full Control over the {B292921D-AF50-400c-9B75-0C57A7F29BA1} key and click OK.
8. Launch “Component Services” under Start -> Programs -> Administrative Tools
9. Navigate to Component Services -> Computers -> My Computer -> DCOM Config
10. Right-click the "NAP Agent Service" and select properties.
11. Click the security tab
12. Click the "Edit..." button under the "Launch and Activation Permissions"
13. Highlight the "SYSTEM" user. Grant the user "Local Launch" permission.
14. Click OK and exit out of Component Services and regedit.
March 2nd, 2011 10:44pm
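
The two things this thread ends up checking (whether the AppID's launch ACL grants SYSTEM Local Launch, and whether the NAP agent service is running), as an added read-only PowerShell example that is not part of any post above. It uses the AppID path from the last post; the service short name napagent, the function name and the output property names are assumptions of this example.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$appId   = '{B292921D-AF50-400c-9B75-0C57A7F29BA1}'   # AppID quoted in the thread
$keyPath = "HKLM:\SOFTWARE\Classes\AppID\$appId"

# COM launch/activation access-mask bits (COM_RIGHTS_* in the Windows SDK)
$comRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'
                8 = 'LocalActivation'; 16 = 'RemoteActivation' }

# Hypothetical helper: decode the AppID's binary LaunchPermission value into ACEs.
function Get-DcomLaunchAce {
    param([string]$Path)
    $raw = (Get-ItemProperty -Path $Path -ErrorAction Stop).LaunchPermission
    if (-not $raw) { return }   # no per-application ACL; machine-wide defaults apply
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$raw, 0)
    if ($null -eq $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask  = $ace.AccessMask
        $names = $comRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                 ForEach-Object { $comRights[$_] }
        New-Object PSObject -Property @{
            Sid    = $ace.SecurityIdentifier.Value
            Type   = $ace.AceType
            Mask   = $mask
            Rights = ($names -join ',')
        }
    }
}

$aces = @(Get-DcomLaunchAce -Path $keyPath)
$aces | Format-Table Sid, Type, Rights -AutoSize | Out-Host

# Event 10016 named SYSTEM (S-1-5-18) and "Local Launch". This looks only for an
# explicit allow ACE; rights granted through a group ACE show in the table above.
$systemLaunch = @($aces | Where-Object {
    $_.Sid -eq 'S-1-5-18' -and $_.Type -eq 'AccessAllowed' -and ($_.Mask -band 2) })
"SYSTEM has explicit Local Launch: $($systemLaunch.Count -gt 0)"

# Owner of the AppID key; the posts above change it to Administrators before editing.
"Key owner: $((Get-Acl -Path $keyPath).Owner)"

# The original poster's fix was the NAP agent start mode, so report mode and state.
Get-WmiObject Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, StartMode, State | Format-List | Out-Host
```

Running it before and after a change records the key owner and launch ACL, so a later ownership or permission edit on this AppID is visible.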

This topic is archived. No further replies will be accepted.
