Vista - WS-Management 1.1 - invalid ACEs in the COM server launch andactivation security descriptor

I got past my previous set of problems with WS-Management, documented
in another thread. Now I'm managing to deploy it, I'm coming across a
strange error in Event Viewer:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: 30/04/2008
Time: 17:54:02
User: N/A
Computer: TEST-PS1
Description:
The launch and activation security descriptor for the COM Server
application with CLSID {3E5CA495-8D6A-4D1F-AD99-177B426C8B8E} is
invalid. It contains Access Control Entries with permissions that are
invalid. The requested action was therefore not performed. This
security permission can be corrected using the Component Services
administrative tool.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I can recreate the problem at will and have seen it on more than one
device. E.g. from an R2 SP2 server (test-fs1) I type:

winrs -r:test-ps1 ipconfig /all (where test-ps1 is an R1 SP2 machine)

and this will generate 14 identical messages (it's always 14).
Another pair of machines (both SP1) also generate 14 identical
messages. A pair of XP workstations will generate 11 of the same
messages. Different commands still result in the same errors. XP -
Server 2003 results in 14. Server 2003 - XP results in 11.

Oddly, the command still runs and returns the results.

When I navigate to Component Services > Computers > My Computer > DCOM
Config > Microsoft Windows Remote Shell Host and open Properties and
the Security tab I see that Launch and Activation Permissions are set
to Customize and clicking Edit reveals that Administrators have all
set to Allow, whilst INTERACTIVE and SYSTEM both have only Local
Launch and Local Activation set to Allow.

First, has anyone seen similar?

Second, does anyone know why it happened? As far as I can tell,
nothing odd happened during the installation.

Third, does anyone know how to fix it?

Are you sure it is that component that's causing the issue?
http://windowsitpro.com/article/arti...ple-steps.html

If you're not sure you have the proper component, this tells you how to
find it:
http://support.microsoft.com/?kbid=899965

Marco

--
Microsoft MVP - Windows PowerShell
http://www.microsoft.com/mvp

PowerGadgets MVP
http://www.powergadgets.com/mvp

Blog:
http://marcoshaw.blogspot.com

Trying the second document first, the key exists in a number of places
but not where described.

I found this key HKEY_CLASSES_ROOT\CLSID\{0289a7c5-91bf-4547-81ae-
fec91a89dec5} whose (Default) value is "Microsoft Windows Remote Shell
Host" with has the pertinent GUID as the AppID value:
{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}

The GUID also exists here: HKEY_CLASSES_ROOT\AppID\{3e5ca495-8d6a-4d1f-
ad99-177b426c8b8e} which also has the (Default) value "Microsoft
Windows Remote Shell Host" AND A LaunchPermission binary value.

and it exists here: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}
and here: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
\{0289a7c5-91bf-4547-81ae-fec91a89dec5} in the AppId value. I don't
really understand how it all links together and how COM works.

As for the first document, when I tried to display the security info
in Component Services for the custom Launch and Activation
permissions, I got "Unable to display security information" which
doesn't seem unreasonable if there are invalid ACEs. However, it did
display on another machine claiming the same. I've reset it to "Use
default" and run a quick test and it seems to have cleared the problem
on this machine.

I need to test this on other machines but even if it works, I'd like
to know why. I'm wondering if it's something we're doing accidentally
in the SMS package. The packaging guys have all gone home so I'll
have to check later.

On Apr 30, 6:58 pm, "Marco Shaw [MVP]" <marco.shaw@_NO_SPAM_gmail.com>
wrote: