
I have a COM application instantiated by a local Windows service with which I would like to gain access to a network share. To achieve this, I simply attempted to configure my COM server to run as a domain user with access to that share: I go to the 'dcomcnfg' console, locate my server under Console Root\Component Services\DCOM Config, right-click to 'Properties', go to the 'Identity' tab and specify the domain user for the "This user" option. When I do this on my own company network, it works beautifully. However, when a user tries it on their network, they get:

"Catalog Error

An error occurred while processing the last operation on the remote computer 'DOMAIN'. Error code 80070569 - Logon failure: the user has not been granted the requested logon type at this computer."

where 'DOMAIN' is the name of the customer's domain. The domain user is in the 'Administrators' group on the local PC and should have all necessary logon permissions there. I'm presuming then that this is a problem with their domain policies, but network administration is not my area of expertise. Anybody know exactly what domain privilege(s) the domain user needs in order to make this work? Thanks.

forother

1 Answer

First of all, let's state that for every security principal in Active Directory there are a bunch of different logon types: Interactive, Network, Batch, Service, and so on.

A security principal can be allowed or denied almost any of the logon types via Group Policy. The exact settings can be found here: Configuration>Windows Settings>Security Settings>Local Policies>Security Options

To verify that GP is actually causing your problems, I suggest running this console command:

gpresult /h filename.html

With this data you should probably contact the domain administrators and ask them for assistance; not much can be done to override domain GP with local administrative access. At least not on a constant basis.

As a workaround, you can try reverting to using the Local System account as the security context for your app. It actually can access network shares in the domain, but does so via the computer's AD account (Domain\computername$), so appropriate permissions must be given to the AD computer object on your network share.

strange walker
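To go with the gpresult report, the following script lists which accounts hold each allow and deny logon right on the affected machine. It is an added example, not part of the original question or answer; it shells out to `secedit /export` from an elevated prompt. The account name `EXAMPLE\svc-com`, the `-UseSample` switch, the function names and the embedded sample export are constructed placeholders.

```powershell
# Added example: list the holders of each allow/deny logon right on this machine.
param(
    [string]$Account = 'EXAMPLE\svc-com',  # placeholder: the DCOM identity account
    [switch]$UseSample                     # parse the constructed sample, not the live policy
)

# Constructed sample of a secedit user-rights export (not real customer data).
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-80-0
SeDenyBatchLogonRight = EXAMPLE\svc-com
'@ -split "`r?`n"

function Resolve-Entry([string]$Entry) {
    # secedit writes SIDs as *S-1-...; anything else is already an account name.
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $raw = $Matches[1]
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$raw
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $raw }                # unresolvable SID: show it as-is
}

function Get-LogonRight([string[]]$Lines) {
    $pattern = '^(Se(?:Deny)?(?:Interactive|RemoteInteractive|Network|Batch|Service)' +
               'LogonRight)\s*=\s*(.*)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $right   = $Matches[1]
        $entries = $Matches[2] -split ','
        $holders = @($entries | ForEach-Object { Resolve-Entry ($_.Trim()) })
        [pscustomobject]@{ Right = $right; Deny = ($right -like 'SeDeny*'); Holders = $holders }
    }
}

if ($UseSample) { $lines = $sample }
else {
    $tmp = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null   # requires elevation
    $lines = Get-Content $tmp
    Remove-Item $tmp
}

# ListsAccount is true only for a direct entry; membership in a listed group is not expanded.
Get-LogonRight $lines | Format-Table Right, Deny,
    @{ n = 'ListsAccount'; e = { $_.Holders -contains $Account } },
    @{ n = 'Holders';      e = { $_.Holders -join '; ' } } -AutoSize
```

A row with Deny set to True that lists the account, or a group it belongs to, takes precedence over any matching allow right.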