I have used a domain-level GPO to configure the following 2 settings:
Computer Config/Windows Settings/Security Settings/Local Policies/Security
Options - DCOM: Machine Access Restrictions and DCOM: Machine Launch
Restrictions. I would now like to remove these settings from a subset of my
PCs, and I haven't found a way to do it yet. Once I set these, the "Edit
Limits" button is greyed out for the computer in the DcomCnfg.exe COM Security
tab for the computer. Even though this is a native GPO setting, I've not found
a way to remove it. A TechNet article at
http://technet.microsoft.com/en-us/library/bb457148.aspx says you can remove
it by specifying a blank value for the SDDL entry on the GPO, but that hasn't
worked for me. Upon refreshing the GPO and a reboot, the "Edit Limits" button
is still greyed out. Upon a second reboot, the PCs will hang while starting
up, indicating to me that DCOM has been corrupted.
Does anybody have any ideas on how I might be able to remove and reverse
this GPO DCOM setting?