Error message if you select a Windows Server 2003 Service Pack 1-based domain controller when you use the Group Policy Modeling Wizard: "Access is denied" (914047)



The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition

SYMPTOMS

If you select a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller when you use the Group Policy Modeling Wizard in the Group Policy Management Console (GPMC), you may receive the following error message:
Access is denied.
This problem occurs if one or more of the following conditions are true:
  • You are not logged on to the local computer by using the administrator account.
  • The administrator has delegated control of the following Resultant Set of Policy (RSoP) tasks in Active Directory:
    • Generate Resultant Set of Policy (logging)
    • Generate Resultant Set of Policy (planning)

CAUSE

This problem occurs because the default Component Object Model (COM) permissions have been changed in Windows Server 2003 SP1. The Windows Server 2003 SP1 COM permissions restrict remote calls that are not authenticated. Therefore, a COM program may work locally, but remote calls that are not authenticated fail.

RESOLUTION

To resolve this problem, use one of the following methods.

Method 1: Few domain controllers in the domain

  1. Click Start, click Run, type <drive>:\WINDOWS\system32\Com\comexp.msc, and then click OK.
    Note: <drive> is a placeholder for the drive where Windows is installed.
  2. In the left pane, expand Component Services, and then expand Computers.
  3. Right-click My Computer, and then click Properties.
  4. On the COM Security tab, click Edit Limits in the Launch and Activation Permissions field.
  5. Click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
  6. Click OK two times.

Method 2: Many domain controllers in the domain

  1. Create a new Group Policy on the domain controller's organizational unit (OU).
  2. In the Domain Controllers Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. In the list of available policies, double-click DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax.
  4. Click Edit Security, click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
  5. Click OK two times.
  6. Exit Group Policy Object Editor.
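
The following Python sketch is an added example, not part of the original Microsoft article. It parses an SDDL string of the kind the DCOM: Machine launch restrictions policy in Method 2 stores and reports which trustees are allowed or denied Remote Activation, so the grant can be reviewed after the edit. The sample SDDL string, the account SID in it, and the function names are constructed for illustration.

```python
import re

# COM_RIGHTS_* bit values and the SDDL two-letter codes that carry the same
# bits in a launch-restriction ACE.
COM_RIGHTS = {0x01: "Execute", 0x02: "Local Launch", 0x04: "Remote Launch",
              0x08: "Local Activation", 0x10: "Remote Activation"}
SDDL_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}

# Constructed sample: Administrators (BA) hold every right, Everyone (WD) is
# local-only, and one constructed account SID was granted Remote Activation.
SAMPLE_SDDL = ("O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
               "(A;;CCDCSWRP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)")

def parse_mask(rights):
    """Convert an SDDL rights field (letter pairs or 0x hex) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_BITS:
            raise ValueError(f"unexpected right {code!r} in a COM launch ACE")
        mask |= SDDL_BITS[code]
    return mask

def parse_dacl(sddl):
    """Return (ace_type, trustee, [right names]) for each ACE in the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        mask = parse_mask(fields[2])
        names = [n for bit, n in sorted(COM_RIGHTS.items()) if mask & bit]
        aces.append((fields[0], fields[5], names))
    return aces

def remote_activation_report(sddl):
    """Group trustees by whether an ACE allows or denies Remote Activation."""
    report = {"allow": [], "deny": []}
    for ace_type, trustee, names in parse_dacl(sddl):
        if "Remote Activation" in names and ace_type in ("A", "D"):
            report["allow" if ace_type == "A" else "deny"].append(trustee)
    return report

if __name__ == "__main__":
    print(remote_activation_report(SAMPLE_SDDL))
```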

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

892500 Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1

For more information, visit the following Microsoft TechNet Web site:

Technical support for x64-based versions of Microsoft Windows

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site: For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 3/13/2006
Keywords: kbtshoot kbprb KB914047 kbAudITPRO