DCOM Permissions Scripting

  • Question

  • Hi Scripting Guys.

    I have to automate application deployment to a Server 2012 R2. I have scripted all the configuration with VBS except for the DCOM permissions configuration for the Windows service account that calls Office 2010 (32-bit) apps (Word, Excel, PowerPoint ...). I know using Office on a server is not the best idea, but in my case I do not have a choice and it works fine. However, I have to avoid any manual deployment and configuration steps. I can easily configure 32-bit DCOM for Office apps manually and the application works fine, but I cannot find a DCOM configuration scripting solution, either VBS or batch commands.

    I need to allow the Windows service account (domain user) to launch and access the Office apps in order to convert and format Office documents to PDF. The service account is a member of the local server Administrators group.

    Please help.

    Thanks

    --kengures 

    Wednesday, April 15, 2015 6:30 PM

All replies

  • You cannot remotely script Office components.  They will not work when remoted.  It is a built in restriction.

    If you need a document conversion service then just run the loop and check a folder for a document.

    Running Office "Headless" will eventually crash your server due to memory leaks and resource consumption.  You should purchase the Adobe PDF conversion service that runs on your server as a service. It is designed to do this.


    \_(ツ)_/

    Wednesday, April 15, 2015 7:03 PM
  • Hi jrv.

    It seems you did not get my point. Actually, I do not have any issues with conversion, and I do not need to remotely script Office components. The only thing I need is a locally running script that will configure the DCOM permissions of the Office components. The application installer will execute the script.

    Thanks 

    Friday, April 24, 2015 2:29 PM
  • Are you asking how to set DCOM permissions for Office?  Office does not support DCOM?  You cannot remotely use Office components and DCOM is a remoting service; (Distributed COM). The  "Distributed" is a computer term meaning across multiple diverse systems.

    When you ask about DCOM you also need to specify what it is about. Are you asking for permissions to access DCOM? To access COM objects remotely?

    COM or COM+ permissions are set for users by default.  Users have local activation rights.  There is no need to alter this for a local install.

    You need to rethink your request and clarify what it is that you are trying to do.  I do not think you want to alter DCOM for installing Office components.


    \_(ツ)_/

    Friday, April 24, 2015 2:35 PM
  • Hi jrv.

    Ok. I will provide more specific info on it.

    I have created an Office to PDF converter application that runs on a 2012 R2 server as a Windows service.

    Office 2010 32-bit is installed on the server.

    The application uses Office's document conversion and formatting capability.

    Because the Windows service runs in isolated session 0 on Server 2012, it does not by default have permission to launch any COM components, including the Office apps installed on the server.

    So to provide these permissions I have to grant the Windows service logon account, which is a domain functional account, launch permissions on Office apps such as Word, PP and XL.

    I can easily do this manually using DCOM config 32, but I would like to make it a part of the installation process, scripting all the configuration steps. I have scripted everything except for the DCOM launch permissions configuration.

    Thanks.

     

    Friday, April 24, 2015 11:58 PM
  • Office components aren't supported under a service model. 

    Here are the instructions for setting COM permission: https://technet.microsoft.com/en-us/library/cc731858.aspx?f=255&MSPPError=-2147217396

    The only method I know of to set these is using the SDK tool called dcomperm.exe.  You can also use the MSI installer to set permissions.  See the MSI SDK for instructions.  I know of no way to do this with a script.

    I can give you a pointer.  Under AppID in the registry the security is set as a binary entry.  You can set this by generating the binary security ID using the Windows API.

    Here are the instructions on how this is done: https://msdn.microsoft.com/en-us/library/aa384905%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396


    \_(ツ)_/

    • Marked as answer by kengures1 Sunday, April 26, 2015 4:30 PM
    Saturday, April 25, 2015 12:21 AM
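
An added example, not part of the original thread: a PowerShell audit helper that decodes the binary security entry stored under an AppID key (the `LaunchPermission` value) into one row per ACE, so an installer's DCOM change can be reviewed after dcomperm.exe or an MSI has run. The function names, the registry path placeholder and the sample descriptor are assumptions made for illustration.

```powershell
# COM launch/activation rights bits (COM_RIGHTS_* values from the Windows SDK)
$ComRights = [ordered]@{
    Execute        = 0x01   # COM_RIGHTS_EXECUTE
    LocalLaunch    = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    RemoteLaunch   = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivate  = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivate = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertFrom-ComPermission {
    # Hypothetical helper: decode a self-relative security descriptor
    # (the REG_BINARY under an AppID key) into one object per DACL entry.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Type   = $ace.AceType                      # AccessAllowed / AccessDenied
            Sid    = $ace.SecurityIdentifier.Value
            Mask   = '0x{0:x}' -f $mask
            Rights = ($ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }) -join ','
        }
    }
}

function Get-AppIdLaunchPermission {
    # Hypothetical helper: read LaunchPermission from the AppID key passed in.
    param([Parameter(Mandatory)][string]$AppIdKey)
    $bytes = (Get-ItemProperty -LiteralPath $AppIdKey -ErrorAction Stop).LaunchPermission
    if ($null -eq $bytes) {
        return 'No LaunchPermission value: the machine-wide default launch ACL applies'
    }
    ConvertFrom-ComPermission -Bytes $bytes
}

# Constructed sample descriptor: SYSTEM and Administrators, each granted 0xb
# (Execute + LocalLaunch + LocalActivate), so the decoder runs without a real AppID.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor('O:BAG:BAD:(A;;0xb;;;SY)(A;;0xb;;;BA)')
$buf = New-Object byte[] ($sample.BinaryLength)
$sample.GetBinaryForm($buf, 0)
ConvertFrom-ComPermission -Bytes $buf | Format-Table -AutoSize

# Against a real key (placeholder GUID; use the registry view where the AppID is registered):
# Get-AppIdLaunchPermission -AppIdKey 'HKLM:\SOFTWARE\Classes\AppID\{<AppID-GUID>}'
```

Any row showing RemoteLaunch or RemoteActivate, or a SID broader than the single service account, is worth questioning when the stated goal is local launch by one account.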
  • Saturday, April 25, 2015 12:23 AM
  • There are two classes that override the default permission:

    Win32_DCOMApplicationLaunchAllowedSetting

    Win32_DCOMApplicationAccessAllowedSetting

    These associate a SID with a  Win32_DCOMApplication


    \_(ツ)_/

    Saturday, April 25, 2015 12:32 AM
  • Thanks a lot. I played with dcomperm.exe. I think it will work for me.

    --kengures

    Sunday, April 26, 2015 4:33 PM
  • Mostly we build installers and let them set the permissions when needed.  Running Office as a ring zero service can be a security issue if you are not careful what can access it.  If you are careful about the documents that are being converted then it is probably safe.

    "dcomperm" should do anything you can do in the GUI.


    \_(ツ)_/



    • Edited by jrv Sunday, April 26, 2015 9:20 PM
    Sunday, April 26, 2015 9:20 PM