locked
How to grant Component Services/DCOM permissions for an application via GPO? (SSIS) RRS feed

  • Question

  • Is it possible to grant Component Services/DCOM permissions to an application via Group Policy?

    Specifically this is for SQL Server 2012 Integration Services:
    http://msdn.microsoft.com/en-us/library/hh213130.aspx

    I'd like to be able to grant permissions to a group to this application as instructed.

    I saw this:
    http://technet.microsoft.com/en-us/library/bb457148.aspx

    And found the settings under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    But i'm not sure how to specify the application?

    In short, I'd like to set the permissions as outlined in the first link (SSIS) via group policy.

    Thursday, April 25, 2013 8:28 PM

Answers

  • I was able to get this set up by using GPO Preferences and setting the registry key.

    To do this, i followed the instructions for setting the permissions to my user group as outlined in the article:
    http://msdn.microsoft.com/en-us/library/hh213130.aspx

    First I need the application ID and you can find it in the properties of the application in the DCOM Config. Just follow the above article and you can find the ID.

    DCOM Application ID

    Now I export the registry key for this application which is located at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83B33982-693D-4824-B42E-7196AE61BB05}

    This gives me the values i need: AccessPermission and LaunchPermission. Since I already set the permissions as i wanted, these settings are preserved in this registry key in the two values.

    Next, I open up the registry export in notepad and copy the numerical values. Its important to get rid of the end of line \ and all the commas; you should be left with just the numbers - this is important as when you create the registry item in the GPO, it expects the value to be without the characters!

    From: 
    01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,14,00,\
    00,00,02,00,58,00,03,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\

    To:
    010004806c0000007c000000000000001400000002.......

    Now its time to set up the GPO. Under Computer Configuration > Preferences > Windows Settings > Registry I created two registry items for the two values I mentioned above. I set them to Action: Replace, Value Type: REG_BINARY and for Value Data, I pasted the numbers we got from the registry export.

    This will replace the two values in the key with the ones provided. I used a group to assign permissions so all i need to do is add users to it and I don't have to update this GPO. After applying the policy, i tested this successfully. I'm not sure if there's a better way of doing it, but this certainly solves my problem! :)

    Thanks,
    PolishPaul

    • Marked as answer by PolishPaul Friday, April 26, 2013 3:09 PM
    Friday, April 26, 2013 3:09 PM

All replies

  • Hi ,

    Thank you for posting your issue in the forum.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

    Friday, April 26, 2013 7:00 AM
  • I was able to get this set up by using GPO Preferences and setting the registry key.

    To do this, i followed the instructions for setting the permissions to my user group as outlined in the article:
    http://msdn.microsoft.com/en-us/library/hh213130.aspx

    First I need the application ID and you can find it in the properties of the application in the DCOM Config. Just follow the above article and you can find the ID.

    DCOM Application ID

    Now I export the registry key for this application which is located at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83B33982-693D-4824-B42E-7196AE61BB05}

    This gives me the values i need: AccessPermission and LaunchPermission. Since I already set the permissions as i wanted, these settings are preserved in this registry key in the two values.

    Next, I open up the registry export in notepad and copy the numerical values. Its important to get rid of the end of line \ and all the commas; you should be left with just the numbers - this is important as when you create the registry item in the GPO, it expects the value to be without the characters!

    From: 
    01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,14,00,\
    00,00,02,00,58,00,03,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\

    To:
    010004806c0000007c000000000000001400000002.......

    Now its time to set up the GPO. Under Computer Configuration > Preferences > Windows Settings > Registry I created two registry items for the two values I mentioned above. I set them to Action: Replace, Value Type: REG_BINARY and for Value Data, I pasted the numbers we got from the registry export.

    This will replace the two values in the key with the ones provided. I used a group to assign permissions so all i need to do is add users to it and I don't have to update this GPO. After applying the policy, i tested this successfully. I'm not sure if there's a better way of doing it, but this certainly solves my problem! :)

    Thanks,
    PolishPaul

    • Marked as answer by PolishPaul Friday, April 26, 2013 3:09 PM
    Friday, April 26, 2013 3:09 PM