Set Computer-wide Launch and Activation Permissions

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

The computer-wide launch and activation permissions determine which users are explicitly assigned or denied permission to start and activate Component Object Model (COM) applications. By using the Component Services snap-in, you can change either the computer-wide default launch and activation permissions or the computer-wide restriction policy.

Important

Modifying launch and activation permissions can affect the ability of applications to start, connect, function, or run securely. Therefore, we recommend that you modify application-specific permissions rather than change default launch and activation permissions.

Membership in Administrators , or equivalent, is the minimum required to complete this procedure.

To set computer-wide launch and activation permissions

  1. Open Component Services.

  2. In the Component Services snap-in, right-click the computer whose computer-wide launch permissions you want to modify, and then click Properties .

  3. Select the COM Security tab.

  4. Under Launch and Activation Permissions , click either Edit Limits or Edit Default , depending on whether you want to modify the computer-wide restriction policy or the computer-wide default settings. A Launch and Activation Permission dialog box appears.

  5. To remove a user account or group, select the group or user in the Group or user names list, and then click Remove. The selected user account or group no longer appears in the list.

  6. To add a user account or group, click Add . In the Select Users, Computers, or Groups dialog box, type the fully qualified name of the user or group that you want to add. If you do not know the name of the user or group that you want to add, click Advanced , and then click Find Now to view a list of users and groups in the selected domain. Select a user or group in the list, and then click OK . The added user account or group appears in the Group or user names list.

  7. In the Group or user names list, select the group or user whose computer-wide launch and activation permissions you want to change.

  8. In the Permissions list, select the Allow or Deny check boxes to either allow or deny the Local Launch permission, Local Activation permission, Remote Launch permission, and Remote Activation permission for the selected group or user name.

  9. Click OK to return to the COM Security tab.

  10. Click OK . The new computer-wide launch and activation settings are applied the next time that an application on the computer is started. Applications that are currently running are not affected until they are restarted.

Additional considerations

  • Component Services is no longer in Administrative Tools. To open Component Services, click Start . In the search box, type dcomcnfg , and then press ENTER.

  • When you set permissions, you must ensure that SYSTEM is included in the Group or user names list in the Launch and Activation Permission dialog box and that SYSTEM is allowed the Launch permission. SYSTEM is included implicitly in the group Everyone. However, for security reasons, we recommend that you not enable the Launch permission for the Everyone group.

Additional references