Error message if you select a Windows Server 2003 Service Pack 1-based domain controller when you use the Group Policy Modeling Wizard: "Access is denied"

If you select a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller when you use the Group Policy Modeling Wizard in the Group Policy Management Console (GPMC), you may receive the following error message:This problem occurs if one or more of the following conditions are true:

• You are not logged on to the local computer by using the administrator account.
• The administrator has delegated control of the following Resultant Set of Policy (RSoP) tasks in Active Directory:
  • Generate Resultant Set of Policy (logging)
  • Generate Resultant Set of Policy (planning)

This problem occurs because the default Component Object Model (COM) permissions have been changed in Windows Server 2003 SP1. The Windows Server 2003 SP1 COM permissions restrict remote calls that are not authenticated. Therefore, a COM program may work locally, but remote calls that are not authenticated fail.

To resolve this problem, use one of the following methods.

Method 1: Few domain controllers in the domain

1. Click Start, click Run, type <drive>:\WINDOWS\system32\Com\comexp.msc, and then click OK.
   Note <drive> is a placeholder for the drive where Windows is installed.
2. In the left pane, expand Component Services, and then expand Computers.
3. Right-click My Computer, and then click Properties.
4. On the COM Security tab, click Edit Limits in the Launch and Activation Permissions field.
5. Click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
6. Click OK two times.

Method 2: Many domain controllers in the domain

1. Create a new Group Policy on the domain controller's organizational unit (OU).
2. In the Domain Controllers Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. In the list of available policies, double-click DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax.
4. Click Edit Security, click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.
5. Click OK two times.
6. Exit Group Policy Object Editor.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: For more information, visit the following Microsoft TechNet Web site:

Technical support for x64-based versions of Microsoft Windows

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site: For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site: