FGF-College-Work / Forum

:beer: Space dedicated to discussions and questions about coursework and technology content.

7019010: Event ID 10016 while setting up O365 PowerShell Script 4.2 #176

Open marcialwushu opened 5 years ago

marcialwushu commented 5 years ago

This document (7019010) is provided subject to the disclaimer at the end of this document.

Environment

Retain 4.2

O365 PowerShell Script 4.2

Windows Server 2016

Situation

When running the script for the first time, the Scheduled Task does not run at the end of the script as expected.

In the Event log an error similar to the below appears:

The application-specific permission settings do not grant Local Activation permission for the COM
Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\LOCAL SERVICE
SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container
Unavailable SID (Unavailable). This security permission can be modified using the
Component Services administrative tool.

Resolution

This appears to be a Windows permissions issue.

Guidance can be found at: https://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e

https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral

https://shauncassells.wordpress.com/2015/09/28/windows-10-event-10016-fix-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid-d63b10c5-bb46-4990-a94f-e40b9d520160-and-a/

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


http://intelligentsystemsmonitoring.com/knowledgebase/novell/7019010-event-id-10016-while-settting-up-o365-powershell-script-4-2/

marcialwushu commented 5 years ago

DCOM event ID 10016 is logged in Windows

Symptoms

On a computer that is running Windows 10, Windows Server 2016, or Windows Server 2019, you notice that the following event is logged in the system event logs.

Origem:        Microsoft-Windows-DistributedCOM
ID do Evento:      10016
Descrição: As configurações de permissão específicas para o aplicativo não atribuem a permissão Ativação Local para o aplicativo Servidor COM com a CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
e APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
para o usuário NT AUTHORITY \ SYSTEM SID (S-1-5-18) do endereço LocalHost (usando LRPC) em execução no contêiner de aplicativo SID Não Disponível (Não Disponível). Essa permissão de segurança pode ser modificada usando a ferramenta administrativa Serviços de componentes.

Cause

These 10016 events are recorded when Microsoft components try to access DCOM components without the required permissions. In this case, this is expected and by design.

A coding pattern has been implemented in which the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason it does not skip the first attempt is that there are scenarios in which it can succeed. In those scenarios, that is preferable.

Workaround

These events can be safely ignored because they do not affect functionality and are by design. This is the recommended action for these events.

If they wish, advanced users and IT professionals can suppress these events from view in Event Viewer by creating a filter and manually editing the filter's XML query, similar to the following:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param8'] and Data='S-1-5-18'
        ) 
        or
        (
          Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
        ) 
        or
        (
          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
        or
        (
          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        ) 
      ]]
    </Suppress>
  </Query>
</QueryList>

In this query, param4 corresponds to the COM server application CLSID, param5 corresponds to the APPID, and param8 corresponds to the security context SID. All of these are recorded in the 10016 event log entries.

For more information about manually constructing Event Viewer queries, see Consuming Events.

You can also work around this issue by modifying the permissions on the DCOM components to prevent this error from being logged. However, we do not recommend this method because these errors do not affect functionality, and modifying the permissions can have unintended side effects.


https://support.microsoft.com/pt-br/help/4022522/dcom-event-id-10016-is-logged-in-windows-10-windows-server
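
Added example (not part of the quoted articles or of any Microsoft code): a Python triage of exported System events that applies the same CLSID/APPID/SID combinations as the Suppress query above, so the 10016 events the filter would not hide remain visible for review. It reads the query the way the article explains it (param4 = CLSID, param5 = APPID, param8 = SID); the `Events` root element, the helper names and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

# (CLSID, APPID, SID) combinations copied from the Suppress query on this page.
# None means that clause of the query does not constrain the SID.
BY_DESIGN = [
    ("{D63B10C5-BB46-4990-A94F-E40B9D520160}", "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}", "S-1-5-18"),
    ("{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}", "{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}", None),
    ("{C2F03A33-21F5-47FA-B4BB-156362A2F239}", "{316CDED5-E4AE-4B15-9113-7055D84DCC97}", "S-1-5-19"),
    ("{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}", "{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}", "S-1-5-19"),
]

def is_by_design(clsid, appid, sid):
    """True when the triple matches one of the by-design clauses."""
    return any(clsid == c and appid == a and s in (None, sid) for c, a, s in BY_DESIGN)

def triage(xml_text):
    """Split 10016 events into (suppressed, remaining) counters keyed by triple."""
    suppressed, remaining = Counter(), Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "10016":
            continue  # other event IDs are outside the scope of this filter
        data = {d.get("Name"): (d.text or "").strip().upper()  # GUID case varies
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        key = (data.get("param4"), data.get("param5"), data.get("param8"))
        (suppressed if is_by_design(*key) else remaining)[key] += 1
    return suppressed, remaining

def _event(event_id, clsid, appid, sid):
    """Build one constructed sample event with only the fields used here."""
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="param4">{clsid}</Data><Data Name="param5">{appid}'
            f'</Data><Data Name="param8">{sid}</Data></EventData></Event>')

D63B, A9CA = BY_DESIGN[0][:2]
# Constructed sample export (not real log data); the root element name is assumed.
SAMPLE = "<Events>" + "".join([
    _event(10016, D63B, A9CA, "S-1-5-18"),
    _event(10016, D63B.lower(), A9CA.lower(), "S-1-5-18"),
    _event(10016, D63B, A9CA, "S-1-5-19"),  # LOCAL SERVICE, as in the first comment
    _event(10016, BY_DESIGN[1][0], BY_DESIGN[1][1], "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    _event(7036, D63B, A9CA, "S-1-5-18"),
    _event(10016, "{00000000-0000-0000-0000-000000000001}", "{00000000-0000-0000-0000-000000000002}", "S-1-5-19"),
]) + "</Events>"

if __name__ == "__main__":
    for key, count in triage(SAMPLE)[1].items():
        print(count, *key)  # 10016 events the Suppress clauses would not hide
```

Under this reading, the LOCAL SERVICE (S-1-5-19) event from the first comment is not covered by the first Suppress clause, which names S-1-5-18, so it stays in the remaining set.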

marcialwushu commented 5 years ago

Consuming Events

You can consume events from channels or from log files. To consume events, you can consume all events or you can specify an XPath expression that identifies the events that you want to consume. To determine the elements and attributes of an event that you can use in your XPath expression, see Event Schema.

Windows Event Log supports a subset of XPath 1.0. For details on the limitations, see XPath 1.0 limitations.

The following examples show simple XPath expressions.

// The following query selects all events from the channel or log file
XPath Query: *

// The following query selects all the LowOnMemory events from the channel or log file
XPath Query: *[UserData/LowOnMemory]

// The following query selects all events with a severity level of 1 (Critical) from the channel or log file
XPath Query: *[System/Level=1]

// The following query shows a compound expression that selects all events from the channel or log file
// where the printer's name is MyPrinter and severity level is 1.
XPath Query: *[UserData/*/PrinterName="MyPrinter" and System/Level=1]

// The following query selects all events from the channel or log file where the severity level is
// less than or equal to 3 and the event occurred in the last 24 hour period.
XPath Query: *[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]

You can use the XPath expressions directly when calling the EvtQuery or EvtSubscribe functions or you can use a structured XML query that contains the XPath expression. For simple queries that query events from a single source, using an XPath expression is fine. If the XPath expression is a compound expression that contains more than 20 expressions or you are querying for events from multiple sources, then you must use a structured XML query. For details on the elements of a structured XML query, see Query Schema.

A structured query identifies the source of the events and one or more selectors or suppressors. A selector contains an XPath expression that selects events from the source and a suppressor contains an XPath expression that prevents events from being selected. You can select events from more than one source. If a selector and suppressor identify the same event, the event is not included in the result.

The following shows a structured XML query that specifies a set of selectors and suppressors.


https://docs.microsoft.com/pt-br/windows/win32/wes/consuming-events