  • Thought I'd share this...

    I'm sure this applies to previous versions (9.x, unsure about 8.x), but definitely applies to 10.1.

    We did the jump from 7.5 -> 8.1 -> 10.1 last night, and everything ran pretty smoothly. I had a phone or two hiccup, but thankfully for POE, a reset of the switch forced those phones to get power-cycled.

    What bit me in the can was the PCM upgrade. I use Active Directory and a GPO to push the application out to the client computers. While the upgrade itself went good, I forgot about the users 'having' to have administrative access to function.

    After running dcomcnfg.exe and going to Component Services->Computers->My Computer->DCOM Config, the STClientLogin has the Launch & Activation Perms requirement to be: Administrators, NETWORK SERVICE and also SYSTEM in order to activate. Once I added Authenticated Users (Local Launch & Local Activation), everything started to work quite nicely, but with 200+ computers to do this to, it's one hell of a chore.

    The secret: I exported the registry key from above, and in my Shoretel GPO, I have the computer run a logon script during bootup that imports the key I exported above. HKEY_CLASSES_ROOT\AppID\{BC2F1927-D833-11D3-A76C-0050049EC1CD} and LaunchPermission is the binary key that houses the local launch & local activation key. Once the system read that in and the user logged in, PCM fired up without bitching about a thing.

    If anyone has any questions, I can be more in-depth, but I'm just throwing this together should anyone else want to not require admin access for users on their machine and NOT have to go to each one and run the dcomcnfg....

    J

  • #2
    maybe i'm missing something...but if you push PCM with a GPO (computer configuration->software settings->software installation) you shouldn't have to give admin rights; it installs the software on next computer startup. we've been doing this for years, but possibly i'm misunderstanding your post



    • #3
      I've also been pushing them via GPO for 2 years, but that's not the issue.

      The issue was once they were pushed out and installed, the users couldn't run the application because of DCOM. STClientLogin wasn't authenticated to let non-administrators launch the process.

      I was sharing the fix to get non-administrators to be able to run DCOM without having to go to each and every computer and change the permissions by using a registry 'fix'.

      I happened to write up the post after a very long day of dealing with 'enhancements' that people weren't used to using. We went from 7.5 to 10.1 overnight and the change overwhelmed our (extremely) simple users, so I was a bit wiped out.



      • #4
        So does this allow your non admin users to install Outlook Integration without UAC popups? Are your clients running Vista/7?



        • #5
          Negative. We're running XP explicitly and all of the non-admin users can install the Outlook integration w/o needing Admin privs. Vista pretty much is bloatware and I'm waiting for the software we use to become Win7 compliant. This merely fixed the non-administrative use of the ShoreTel use of DCOM::STClientLogin.

          Let me re-phrase the original post:

          I upgraded my servers & clients from 7.5 (12.15.9600.0) to 10.1 (15.21.1311.0) overnight. This was all done via a GPO which uninstalled the 7.5 client, installed the 10.1 client, and rebooted.

          The following day, most of the PCM was functioning and causing messages to appear in the system event log:

          Event Type: Error
          Event Source: DCOM
          Event Category: None
          Event ID: 10016
          Date: 4/7/2010
          Time: 10:35:54 AM
          User: YO-MOMMA\JLadd
          Computer: IT-TESTIMAGE
          Description:
          The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
          {BC2F1934-D833-11D3-A76C-0050049EC1CD}
          to the user YO-MOMMA\JLadd SID (S-1-5-21-69696969-696969696-969696969-6969). This security permission can be modified using the Component Services administrative tool.

          In XP, run dcomcnfg.exe. Component Services->Computers->My Computer->DCOM Config then look at the properties for STClientLogin. Non-administrators have NO rights to launch the DCOM process and therefore, they don't get the full functionality of the PCM. Under the Security tab, and Launch and Activation Permissions, I granted Authenticated users Local Launch & Local Activation to STClientLogin.

          I merely made the changes, found & exported the modified registry key, which is HKEY_CLASSES_ROOT\AppID\{BC2F1927-D833-11D3-A76C-0050049EC1CD}, and re-imported in the same GPO script that installs the PCM.

          I can't vouch for anyone here, but there's not a single user on my network that has Admin privileges, so I've often got to work around the system because they're not capable of having it and not screwing up. _I_ don't even login to my local machine with admin access.

          99.44% (thanks Ivory) of the end-users are the same kinds of people that see a sign warning of wet paint on a wall, touching the wall and then saying "Wow, that paint is wet!".
          Last edited by redneckgeek; 04-12-2010, 09:07 AM.
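
Added example (not from the thread and not ShoreTel code): Python that decodes the LaunchPermission binary value from an exported .reg file, so the ACL can be reviewed before a GPO script imports it on every machine. The key path is the one quoted in the post; the hex bytes are constructed sample data, and the function names are hypothetical.

```python
import re
import struct

# COM launch/activation access-mask bits (Windows SDK COM_RIGHTS_* constants).
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
REMOTE_BITS = 0x04 | 0x10

# Constructed sample: key path from the post, bytes are NOT the real ShoreTel value
# (no owner/group). DACL: Administrators = 0x1f, Authenticated Users = 0x0b.
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\AppID\{BC2F1927-D833-11D3-A76C-0050049EC1CD}]
"LaunchPermission"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,00,\
  00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,\
  0b,00,00,00"""

def reg_binary(reg_text, name):
    """Extract a REG_BINARY ("name"=hex:..) value from exported .reg text."""
    m = re.search(r'"%s"=hex:((?:[0-9a-fA-F]{2}|[,\\\s])+)' % re.escape(name), reg_text)
    if not m:
        raise ValueError("%s not found" % name)
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(1)))

def sid_string(buf, off):
    """Render the binary SID starting at buf[off] as S-R-A-S1-S2..."""
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % buf[off + 1], buf, off + 8)
    return "S-%d-%d" % (buf[off], authority) + "".join("-%d" % s for s in subs)

def dacl_aces(sd):
    """Return [(kind, sid, mask)] for the DACL of a self-relative descriptor."""
    dacl = struct.unpack_from("<I", sd, 16)[0]        # OffsetDacl in the 20-byte header
    count = struct.unpack_from("<H", sd, dacl + 4)[0] if dacl else 0
    off, aces = dacl + 8, []
    for _ in range(count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type in (0, 1):                        # ACCESS_ALLOWED / ACCESS_DENIED
            aces.append(("allow" if ace_type == 0 else "deny", sid_string(sd, off + 8), mask))
        off += size
    return aces

def audit(reg_text):
    """Per ACE: (kind, sid, right names, grants_remote) for LaunchPermission."""
    rows = []
    for kind, sid, mask in dacl_aces(reg_binary(reg_text, "LaunchPermission")):
        rights = [n for bit, n in COM_RIGHTS.items() if mask & bit]
        rows.append((kind, sid, rights, kind == "allow" and bool(mask & REMOTE_BITS)))
    return rows
```

regedit writes version 5.00 exports as UTF-16, so read a real export with `encoding="utf-16"` before passing its text to `audit()`. An Authenticated Users (S-1-5-11) row with the last field `True` would mean the imported key grants remote launch or activation, which is more than the Local Launch and Local Activation described in the post.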
