We had a weird issue installing an update on one of our servers. While troubleshooting, it got even messier: the server turned out to be throwing "Access Denied" on almost everything, even though I had administrator privileges. We worked with Microsoft on the case, and the issue was fixed by changing the DCOM configuration.
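- "Default Authentication Level" was set to "None" --> Changed it to "Connect"
- "Default Impersonation Level" was set to "Anonymous" --> Changed it to "Identify"

The script below applies the same two settings through the registry (LegacyAuthenticationLevel and LegacyImpersonationLevel under HKLM:\SOFTWARE\Microsoft\Ole, both set to 2) and enables DCOM if it is disabled.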
# Log file that writetolog appends to; the path is fixed and sits under C:\Windows\Temp.
$logfile = 'C:\Windows\Temp\DCOMenable.log'
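function checkregistrysubkeys {
    <#
    .SYNOPSIS
    Ensures the machine-wide DCOM default impersonation and authentication levels are set.

    .DESCRIPTION
    Reads LegacyImpersonationLevel and LegacyAuthenticationLevel under
    HKLM:\SOFTWARE\Microsoft\Ole and writes 2 where needed (2 = Identify for
    impersonation, 2 = Connect for authentication). Every outcome is printed and
    appended to the log through writetolog, so the log is a complete record of
    what was changed on the host. Any read or write failure ends the script
    with exit code -1.
    #>
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

    # --- Default impersonation level -------------------------------------
    try {
        # -ErrorAction Stop on both stages: an unreadable key or a missing value
        # is reported as a check failure instead of falling through to a write.
        $checkImpersonationLevel = Get-ItemProperty $oleKey -ErrorAction Stop |
            Select-Object -ExpandProperty LegacyImpersonationLevel -ErrorAction Stop
    } catch {
        write-host "ERROR: Unable to check ImpersonationLevel registry"
        writetolog "ERROR: Unable to check ImpersonationLevel registry"
        exit -1
    }
    if ($checkImpersonationLevel -eq 2) {
        write-host "Impersonation level is correct : Identify"
        writetolog "Impersonation level is correct : Identify"
    } else {
        # Every value other than 2 is overwritten, not only Anonymous.
        # NOTE(review): confirm nothing on the host depends on a different default.
        try {
            Set-ItemProperty $oleKey -Name LegacyImpersonationLevel -Value 2 -ErrorAction Stop
            write-host "Impersonation level set to Identify"
            writetolog "Impersonation level set to Identify"
        } catch {
            write-host "ERROR: Unable to change ImpersonationLevel registry"
            writetolog "ERROR: Unable to change ImpersonationLevel registry"
            exit -1
        }
    }

    # --- Default authentication level ------------------------------------
    try {
        $checkAuthenticationLevel = Get-ItemProperty $oleKey -ErrorAction Stop |
            Select-Object -ExpandProperty LegacyAuthenticationLevel -ErrorAction Stop
    } catch {
        write-host "ERROR: Unable to check AuthenticationLevel registry"
        writetolog "ERROR: Unable to check AuthenticationLevel registry"
        exit -1
    }
    if ($checkAuthenticationLevel -eq 2) {
        write-host "Authentication level is correct : Connect"
        writetolog "Authentication level is correct : Connect"
    } elseif ($checkAuthenticationLevel -gt 2) {
        # Levels above Connect (Call, Packet, Packet Integrity, Packet Privacy)
        # authenticate more of the traffic. Forcing them down to 2 would weaken
        # a host that was deliberately hardened, so the value is left alone.
        write-host "Authentication level is $checkAuthenticationLevel, stronger than Connect : left unchanged"
        writetolog "Authentication level is $checkAuthenticationLevel, stronger than Connect : left unchanged"
    } else {
        try {
            Set-ItemProperty $oleKey -Name LegacyAuthenticationLevel -Value 2 -ErrorAction Stop
            write-host "Authentication level set to Connect"
            writetolog "Authentication level set to Connect"
        } catch {
            write-host "ERROR: Unable to change AuthenticationLevel registry"
            writetolog "ERROR: Unable to change AuthenticationLevel registry"
            exit -1
        }
    }
}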
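function writetolog([string] $txt) {
    <#
    .SYNOPSIS
    Appends one timestamped line to the file named by $logfile.

    .PARAMETER txt
    Message text; written after the timestamp and a colon.
    #>
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    # Build the line explicitly so the result does not depend on how PowerShell
    # splits a compound token such as $Stamp':'$txt in argument mode.
    $line = '{0}:{1}' -f $Stamp, $txt
    Add-Content $logfile -Value $line
}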
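# Entry point: make sure DCOM is enabled, then bring the default impersonation
# and authentication levels in line via checkregistrysubkeys.
# Exit codes: 0 = finished, -1 = a registry read/write failed or the
# EnableDCOM value was not recognised.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

try {
    $isEnabledDCOM = Get-ItemProperty $oleKey -ErrorAction Stop |
        Select-Object -ExpandProperty EnableDCOM -ErrorAction Stop
} catch {
    write-host "ERROR: Unable to check EnableDCOM registry"
    writetolog "ERROR: Unable to check EnableDCOM registry"
    exit -1
}

# The original had an unconditional `exit` after the 'Y' branch, which made the
# 'N' branch and the completion message unreachable. if/elseif runs exactly one
# branch and then falls through to the shared completion path.
if ($isEnabledDCOM -eq 'Y') {
    write-host "DCOM already enabled"
    writetolog "DCOM already enabled"
    checkregistrysubkeys
} elseif ($isEnabledDCOM -eq 'N') {
    write-host "DCOM disabled"
    writetolog "DCOM disabled"
    # NOTE(review): this switches DCOM on for a host where it was off. If it
    # was disabled on purpose as a hardening measure, confirm that re-enabling
    # is intended before running this across many machines.
    write-host "Enabling DCOM..."
    writetolog "Enabling DCOM..."
    try {
        Set-ItemProperty $oleKey -Name EnableDCOM -Value 'Y' -ErrorAction Stop
        write-host "DCOM enabled"
        writetolog "DCOM enabled"
    } catch {
        write-host "ERROR: Unable to change registry"
        writetolog "ERROR: Unable to change registry"
        exit -1
    }
    checkregistrysubkeys
} else {
    # Neither 'Y' nor 'N': nothing was verified or changed, so do not report success.
    write-host "ERROR: Unexpected EnableDCOM value"
    writetolog "ERROR: Unexpected EnableDCOM value"
    exit -1
}

write-host "Task completed successfully"
writetolog "Task completed successfully"
exit 0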