Centralized change of DCOM settings

  • Centralized change of DCOM settings

    Hi, everyone.

    I encountered a problem with my network computers while trying to run WMI queries. It looks like they were closed too tight. I changed the firewall settings by opening the 135 port (only for computers on my subnet) and had to do two more changes in the DCOM (I used dcomcnfg for this).
    The issue is that I am not willing to go and change the two settings (shown in the two screenshots attached) manually, computer after computer.
    Couldn't find in the GPO any setting that can help (did I miss something?)
    Is there any way to change this by GPO, or script or something?

    TIA.
    Last edited by sorinso; 9th November 2007, 21:29.

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.

  • #2
    Re: Centralized change of DCOM settings

    Hi,
    If no GPO can be found to do this a dirty solution might be to create an Administrative Template and roll out the registry settings that way?
    So you would use a tool like Regmon to monitor which registry keys change as you adjust the settings.
    Then you could export these keys and using a program like Reg2Adm to create a .adm file or you could try constructing a .adm file by hand.
    Then add the Template to a GPO.

    It isn't simple and there is quite a bit of effort involved but it might still be easier than the alternative. On the plus side you won't have to visit your users.


    I've done this for a registry key and one downside which I've noticed is that it takes much longer for the policy to be applied.


    As I said it isn't the cleanest or the best but it should work if you are truly stuck.
    I don't know anything about (you or your) computers.
    Research/test for yourself when listening to free advice.



    • #3
      Re: Centralized change of DCOM settings

      If you find out the registry entries you could just script the changes instead of creating an adm file.

      Or check out dcomperm http://www.myitforum.com/articles/11/view.asp?id=9323
      Apparently it's an unsupported utility from M$.

      I only found it by searching. Obviously use at your own risk.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Centralized change of DCOM settings

        If I understand correctly, you are trying to run WMI queries against client computers in an AD environment.
        So, if you want to successfully run WMI queries from your server to a client computer with Windows Firewall enabled, just opening port 135 is not enough.
        In addition, you should enable Windows Firewall: Allow remote administration exception:
        Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile (if you want to use this setting in a domain environment).
        Then you should allow Unsecapp.exe. The client application is frequently the Unsecapp.exe application; this application is used to send results back.
        It can be done through GPO:
        Locate the Windows Firewall: Define program exceptions setting and enable it.
        Under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
        Click on Show and add the following line to the list:
        %WINDIR%\SYSTEM32\wbem\unsecapp.exe:*:Your Application or Service name.
        Sure, instead of * you can use your local subnet.
        Here is an example from my test environment, where Offer Remote Assistance and RSoP in logging mode are allowed (both use DCOM):



        And then you can check that everything is configured properly on one of the client computers:



        In Windows XP and Windows 2003, the DCOM entry is located in the following registry subkey:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
        The String value of the DCOM entry is EnableDCOM = Y. If this value is set to 'N' or if this value is missing, WMI queries based on DCOM will not work.
        Last edited by igor7; 29th July 2007, 23:29.
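
A read-only check of the settings named in the post above, added here as an example and not posted by anyone in the thread. The `SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile` paths are an assumption about where the two Group Policy settings are stored, and `Get-RegValue` and `New-Finding` are hypothetical helper names.

```powershell
# Added example: read-only report of the settings discussed in this thread.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value data, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Check, $Value, [string]$Result)
    [pscustomobject]@{ Check = $Check; Value = $Value; Result = $Result }
}

$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
# Assumption: Group Policy writes the Domain Profile firewall settings here.
$fw  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$report = @()

# 1. EnableDCOM must be 'Y'; 'N' or a missing value breaks DCOM-based WMI.
$dcom  = Get-RegValue $ole 'EnableDCOM'
$state = 'OK'
if ($dcom -ne 'Y') { $state = 'DCOM disabled or value missing' }
$report += New-Finding 'EnableDCOM' $dcom $state

# 2. "Allow remote administration exception": is it on, and for which sources?
$raOn    = Get-RegValue "$fw\RemoteAdminSettings" 'Enabled'
$raScope = Get-RegValue "$fw\RemoteAdminSettings" 'RemoteAddresses'
$state = 'OK'
if ($raOn -ne 1) { $state = 'Not enabled by policy' }
elseif ($raScope -eq '*') { $state = 'Open to any address, narrow the scope' }
$report += New-Finding 'Remote administration exception' $raScope $state

# 3. "Define program exceptions": one string per value; ':*:' means any source.
$listKey = "$fw\AuthorizedApplications\List"
if (Test-Path $listKey) {
    $key = Get-Item $listKey
    foreach ($name in $key.GetValueNames()) {
        $entry = [string]$key.GetValue($name)
        $state = 'Scope restricted'
        if ($entry.Contains(':*:')) { $state = 'Scope is *, any address allowed' }
        $report += New-Finding 'Program exception' $entry $state
    }
} else {
    $report += New-Finding 'Program exception' $null 'No policy list present'
}

$report | Format-Table -AutoSize -Wrap
```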



        • #5
          Re: Centralized change of DCOM settings

          10nx, guys, for the ideas and advice...
          I'll get working on it and see which one will work...

          Sorin Solomon


          In order to succeed, your desire for success should be greater than your fear of failure.