Pesky DCOM 10016 Errors

The SharePoint Configuration Wizard (and Central Admin) does a decent job of ensuring the neccessary privileges are applied to various users and resources, but one slipped through the 'net.

You know the one - it's that pesky DCOM 10016 which will fill up your System Log with noise everytime your application pool spins up.

Now it just so happens that the error doesn't actually matter a stuff and won't break anything, other than your sysadmin's patience and respect for SharePoint! It's especially annoying if you are running Operations Manager or a Managed Security Auditing system which will bleet when this stuff gets logged.

So how to make it go away? Well it's easy you copy (without the braces) the GUID in the Description (remembering that the 'old' event viewer doesn't support context menus so use Ctrl-C) do a find in Regedit for the GUID and you'll get the name of the application for which access is denied.

It turns out you don't actually need to do that, because the GUID is a well known system component - the IWAM Reg Admin Service. So you need to fire up Component Services, right click on IWAM Reg Admin Service in DCOM Config and add your application pool identities to have Allow Local Activation. Just like Dustin blogged eons ago.

The trouble with this approach is that everytime you fire up a new web app in a new app pool the errors will unfold on you again. Of course generally it is a bad idea to add permissions to users anyway. What you need is a group into which all your app pool accounts get put, and then add that group using DCOM config. If you do that, 10016 will never again darken your days.

So you could create a group for that purpose, but why bother? There's one on your boxes allready, into which SharePoint sticks your app pool identities (as long as you use Central Admin to create them). It's called WSS_WPG. Sounds good right? No - because those groups are local groups - so not ideal good for a farm.

So the best current solution is to create a new Global Security group in AD (say 'SharePoint IWAM'), add your app pool identities into it and use Group Policy to fiddle with the DCOM Security. And remember don't give the group any more rights than it needs.

Print | posted on Wednesday, April 04, 2007 9:26 PM

Feedback

# re: Pesky DCOM 10016 Errors

Hi Spencer,

Related to your article, I was running into a similar DCOM error but with the SPSearch component, not the IIS WAMREG admin Service. Hence the famous fix for IISWAMREG did not fix my event log entries.

I haven't found much about the SPSearch DCOM errors so I blogged about it. Thought you might want to know about it:
http://blogs.vertigo.com/personal/steventap/Blog/Lists/Posts/Post.aspx?ID=21

Steven.

4/6/2007 12:37 AM | Steven Tapping

# re: Pesky DCOM 10016 Errors

yup -seen that one a bunch of times also, although not since RTM - the WSS Search account be added to WSS_WPG or WSS_ADMIN_WPG when it's assigned in central admin.

You shouldn't need to add it explicitly in DCOMconfig. trouble is, central admin sometimes craps out at this stage.

I recommend *not* adding accounts explicitly - very bad infosec practice - add the account to WSS_WPG as this is assigned correctly by the SP Config Wizard.

4/6/2007 12:58 AM | Spence

# re: Pesky DCOM 10016 Errors

I tried everything mentioned on numerous forums and nothing worked. Then I read something about Windows firewall and decided to check it since I use Kaspersky Internet Security. Under Windows Firewall, Advanced tab I cleared the check marks for all 1394 and Local Area Connections, rebooted my machine and no more DCOM errors. I'm running Windows XP Home, SP3. I hope this helps someone else. It was driving me crazy. Good luck, Mike

3/28/2009 10:30 PM | Mike

Post Comment

Title
Name
Email
Url
Comment
Remember Me?
Please add 5 and 1 and type the answer here:

Archives

Post Categories

Articles

Real World

SharePoint MCM R2