Sysprep'd image, event 10020

Joe

I set up a machine, and included IIS. Then Sysprep'd. All machines brought
to life with this image are logging the following error in the event log.

I assume this has something to do with the machines being renamed during the
imaging process? Any fix for this? Is this "bad"?

Thanks,

Joe


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10020
Date: 26-Jan-06
Time: 10:14:45
User: N/A
Computer: ZATHRAS
Description:
The machine wide Default Launch and Activation security descriptor is
invalid. It contains Access Control Entries with permissions that are
invalid. The requested action was therefore not performed. This security
permission can be corrected using the Component Services administrative
tool.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Guest

Joe said:
I set up a machine, and included IIS. Then Sysprep'd. All machines brought
to life with this image are logging the following error in the event log.

I assume this has something to do with the machines being renamed during the
imaging process? Any fix for this? Is this "bad"?
Thanks,

Joe


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10020
Date: 26-Jan-06
Time: 10:14:45
User: N/A
Computer: ZATHRAS
Description:
The machine wide Default Launch and Activation security descriptor is
invalid. It contains Access Control Entries with permissions that are
invalid. The requested action was therefore not performed. This security
permission can be corrected using the Component Services administrative
tool.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Joe - I've had a post on this for at least 6 months - no responses at all -
especially from Microsoft people.

The problem seems to be the IWAM account. I can manually fix it by the
following steps:
start -> Settings -> Control Panel -> Administrative Tools -> Component
Services -> Component Services -> Computers -> My Computer

Right click My Computer -> Properties -> COM Security tab -> Launch and
Activation Permissions -> Edit Default -> remove "Launch IIS Process Account"
-> add IWAM_... account

I'm trying to see if there is a way to programmatically change the account
entry in DCOM.

Interestingly, though, on a clean installation (no sysprep use) with
IIS there is no IWAM_ ... account listed. So this may just be a wild goose
chase.

Have you had any luck? Have you found that this causes any problems?

I'm at a Computer Science school and the image will be used in teaching labs
so I would like to know it works properly.
 
Guest

David said:
Joe - I've had a post on this for at least 6 months - no responses at all -
especially from Microsoft people.

The problem seems to be the IWAM account. I can manually fix it by the
following steps:
start -> Settings -> Control Panel -> Administrative Tools -> Component
Services -> Component Services -> Computers -> My Computer

Right click My Computer -> Properties -> COM Security tab -> Launch and
Activation Permissions -> Edit Default -> remove "Launch IIS Process Account"
-> add IWAM_... account

I'm trying to see if there is a way to programmatically change the account
entry in DCOM.

Interestingly, though, on a clean installation (no sysprep use) with
IIS there is no IWAM_ ... account listed. So this may just be a wild goose
chase.

Have you had any luck? Have you found that this causes any problems?

I'm at a Computer Science school and the image will be used in teaching labs
so I would like to know it works properly.

One other thing I just noticed is that in addition to the IWAM_... account,
the IUSR_ ... account has also been added by the sysprep process.

Again - I have no idea if either of these two accounts is needed but as they
weren't before using sysprep, I assume that they are not needed.
 
Guest

David said:
One other thing I just noticed is that in addition to the IWAM_... account,
the IUSR_ ... account has also been added by the sysprep process.

Again - I have no idea if either of these two accounts is needed but as they
weren't before using sysprep, I assume that they are not needed.

Sorry for the patchiness of my additions :)

One other test I've tried is removing the IWAM and IUSR accounts with the
comexp.msc under "Launch and Activation Permissions". I rebooted and they
were still gone. I then sysprepped the system, imaged it and loaded the new
image. The two accounts had been added again.
 
Joe

Hi David -

I did get a response over in microsoft.public.component_svcs. It suggested
that I do exactly what you mention. My error went away after this.
Interestingly enough, I never had anything "not work" though, so I think the
error might be innocuous.

Also interesting is that I checked a clean machine as well. The permissions
there did not include IWAM or IUSR.

I don't know if this helps, but.... :)

Joe
 
Joe

Then it does sound like it's sysprep that adds it (or maybe the whole SID
generation process causes COM+ to do it?).

I dunno either.

I suggest you repost this info over in component_svcs. There seems to be at
least one person there that handles this kind of stuff.

Joe
 
Guest

Joe said:
Hi David -

I did get a response over in microsoft.public.component_svcs. It suggested
that I do exactly what you mention. My error went away after this.
Interestingly enough, I never had anything "not work" though, so I think the
error might be innocuous.

Also interesting is that I checked a clean machine as well. The permissions
there did not include IWAM or IUSR.

I don't know if this helps, but.... :)

Joe

Hi Joe,

Like you I have many machines that I need IIS on so a manual solution is out
of the question.

A bit of hunting however has helped me locate a tool called dcomperm.exe
which comes as source code in the Platform SDK. I also found a bundled copy
at Executive Software http://www.executive.com/products/winfirewall.asp
(search for dcomperm on the page).

dcomperm lets me remove (or remove and then add) the IUSR and IWAM accounts.

As I said before, I don't think these accounts are needed but as it's always
good to have a fallback position ... this tool allows me one :)

Using the tool I made a vbscript that will either remove the accounts or
remove/add the accounts.

I did find that strangely the IWAM accounts have the same name as the cloned
PC so that's a bit of a gotcha if you use different PCs ... better to
enumerate the accounts and find the IWAM account.

I guess from all of this it's clear that sysprep doesn't handle IIS well :)
I'd hate to be at a large web farm trying to make generic images ... but I
guess Microsoft still has a way to go.
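
Added example, not part of the original thread and not dcomperm's code: a read-only audit that parses the machine-wide default launch descriptor (the REG_BINARY value DefaultLaunchPermission under HKLM\SOFTWARE\Microsoft\Ole) and lists each ACE's SID and rights, so leftover per-machine account entries on a cloned image can be spotted before deciding what to remove. It assumes a mask is bad when it carries bits outside the five COM rights or lacks COM_RIGHTS_EXECUTE; the thread does not say which bits triggered event 10020, and the sample blob and account SID are constructed.

```python
import struct

# COM launch/activation rights from the Windows SDK headers; other bits are not COM rights.
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}

def parse_sid(buf, off):  # binary SID at buf[off:] -> "S-1-..." string
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def audit_launch_sd(sd):
    """List allow/deny ACEs in a self-relative security descriptor and flag bad masks."""
    control, dacl_off = struct.unpack_from("<2xH12xI", sd, 0)
    if not control & 0x8000:
        raise ValueError("not a self-relative security descriptor")
    if dacl_off == 0:
        return []                                    # no DACL stored
    acl_size, ace_count = struct.unpack_from("<2xHH", sd, dacl_off)
    off, end, aces = dacl_off + 8, dacl_off + acl_size, []
    for _ in range(ace_count):
        ace_type, ace_size = struct.unpack_from("<BxH", sd, off)
        if ace_size < 4 or off + ace_size > end:
            raise ValueError("ACE at offset %d overruns the ACL" % off)
        if ace_type in (0, 1):                       # ACCESS_ALLOWED / ACCESS_DENIED
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            problems = ["non-COM bits 0x%X" % (mask & ~0x1F)] if mask & ~0x1F else []
            if not mask & 0x01:                      # assumed rule: EXECUTE must be set
                problems.append("COM_RIGHTS_EXECUTE missing")
            aces.append({"type": ("allow", "deny")[ace_type], "mask": mask,
                         "sid": parse_sid(sd, off + 8), "problems": problems,
                         "rights": [n for b, n in COM_RIGHTS.items() if mask & b]})
        off += ace_size
    return aces

def _sid(*subs):                                     # helper for the constructed sample
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample_sd():
    """Constructed blob: Administrators with full COM rights, made-up account with a bad mask."""
    admins, acct = _sid(32, 544), _sid(21, 1111111111, 2222222222, 3333333333, 1005)
    body = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(s), m) + s
                    for m, s in ((0x1F, admins), (0x00020001, acct)))
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(body), 2, 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 52) + admins + admins + dacl

if __name__ == "__main__":
    print(*audit_launch_sd(build_sample_sd()), sep="\n")
```

On a real machine the bytes would come from the registry value named above (for example via Python's winreg module) instead of build_sample_sd().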
 