deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update policy-csp-admx-dcom.md

Browse Source
This commit is contained in:
nimishasatapathy 2021-10-04 19:38:24 +05:30
parent 6b302796f4
commit 11d0da4547
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/client-management/mdm/policy-csp-admx-dcom.md
View File

@ -159,7 +159,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy setting allows you to view and change a list of DCOM server application IDs (appids), which are exempted from the DCOM Activation security check. This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check.
DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.
DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server application IDs added to this policy must be listed in curly brace format. DCOM server application IDs added to this policy must be listed in curly brace format.
@ -168,15 +168,15 @@ For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors. If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
If you add an application ID to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local
settings. settings.
- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. - If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.
DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
> [!NOTE] > [!NOTE]