Cannot expand the COM+ list in the Component Services UI due to MSDTC service permission issue

MSDTC is an important transaction service on Windows systems. The COM+ system and other OLE/XA resource managers (such as SQL and the MS Oracle client) depend heavily on it.

 

If MSDTC does not start, opening the Component Services UI or trying to create a transaction produces error messages similar to the following:

a. 0x8004D01B (The Transaction Manager is not available.)

b. 0x8004e00f (COM+ was unable to talk to the Microsoft Distributed Transaction Coordinator)

 

However, similar errors also occur if the client process does not have enough permission to query the MSDTC service status. If the error persists after confirming that the MSDTC service is running, check the service ACL and grant the correct permissions. I resolved several problems with the steps below:

 

sc sdshow msdtc

 

If the Authenticated Users group doesn't have query permission on the MSDTC service object, most users have no permission to get the MSDTC service status. For example:

 

(A;;CR;;;AU)

 

Run the following command to grant the Authenticated Users group enough permission, and then restart DLLHOST.exe (before doing this, back up the output of “sc sdshow msdtc”):

 

sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

Note: the key part is (A;;CCLCSWLOCRRC;;;AU); the other strings are taken from the "sc sdshow msdtc" result.

 

For more information about the description of the ACL, refer to:

 

914392  Best practices and guidance for writers of service discretionary access control lists

http://support.microsoft.com/default.aspx?scid=kb;EN-US;914392

 

Note: this permission change applies to the service object ACL and does not affect NTFS file properties.

 

Another friendly tool for setting the service ACL is subinacl.exe. Here are sample commands, run on the server, that grant FULL access permissions:


subinacl.exe /service MSDTC /grant="<input the client identity name>"="F"
subinacl.exe /service MSDTC /grant="authenticated users"="F"
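
To check a saved "sc sdshow msdtc" string before and after changing the ACL, the following added example (not part of the original post) parses the DACL and reports whether a trustee can query the service status (LC) and whether it holds the write rights DC, WD or WO, which let the trustee reconfigure the service or rewrite its ACL. The function names and the two constructed sample strings are assumptions made for illustration; the first sample is the ACL from the sc sdset command above.

```python
import re

# SDDL right codes as they apply to service objects
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WRITE_RIGHTS = {"DC", "WD", "WO"}  # reconfigure the service or rewrite its ACL

def allowed_rights(sddl):
    """Return {trustee: set of right codes} from the allow ACEs of the DACL."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL (D:) section found")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A":  # deny ACEs are not evaluated in this example
            continue
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unhandled rights string: {rights!r}")
        granted.setdefault(trustee, set()).update(codes)
    return granted

def audit_service_dacl(sddl, trustee="AU"):
    """Report whether trustee can query status and which write rights it holds."""
    rights = allowed_rights(sddl).get(trustee, set())
    return {"can_query_status": "LC" in rights,
            "write_rights": sorted(rights & WRITE_RIGHTS)}

# The ACL string from the sc sdset command on this page
PAGE_ACL = ("D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
            "(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;AU)"
            "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed: AU holds only CR, as in the page's example ACE
NO_QUERY_ACL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CR;;;AU)"
# Constructed: AU given the rights string that the page's ACL gives BA
FULL_ACL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"

if __name__ == "__main__":
    for name, acl in [("page", PAGE_ACL), ("no-query", NO_QUERY_ACL), ("full", FULL_ACL)]:
        print(name, audit_service_dacl(acl))
```

Running the same check on the backed-up ACL and on the new one shows exactly which rights the change added for the trustee.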

 

Best Regards,

 

Freist Li
