Here is an interesting little issue I came across the other day while setting up Kerberos on Windows Server 2008 R2: Everything went fine until I wanted to allow local activation permissions on the DCOM objects for the SharePoint service accounts, much to my surprise everything was disabled; it did not matter what account I was running with.
Turns out you need to make a registry change to enable you to change DCOM permissions:
- Open RegEdit and locate: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CLSID} (the CLSID can be found in the DCOM error message)
- Right Click and select Permissions
- Select Advanced and then select take ownership
- Close the registry editor and then restart the server
- Now you can make the changes.
Sweet.