Windows – Permissions Needed to Launch COM as ‘The Launching User’

dcom, permissions, windows

Solved: I added full control over the C:\Program Files\Application folder to the group containing "The launching user".


Using dcomcnfg I can configure an application identity, when launched from another application as COM.

(screenshot: DCOM Config)

When The launching user is a member of the Administrators group my application can create the COM object, but I want my user to have as low permissions as possible.

Using secpol I have added the group with my user to:

  • Impersonate a client after authentication
  • Log on as a batch job (needed for a non-interactive session)
  • Log on as service (needed, my application runs as service)
  • Obtain an impersonation token (…)

But that did not resolve my problem. What secpol or other permissions are needed?

Note: I can't use other Identity options; it must be the launching user.

Best Answer

You need to change the security settings for the COM object itself. By default the Administrators group has Full permissions and the Users group has read. Here's the delta in permissions. You'll have to experiment with the perms to get the minimum you need.

Permissions  Admins Users
Full Control    +   -
Query Value     +   +
Set Value       +   -
Create Subkey   +   -
Enum Subkeys    +   +
Notify          +   +
Create Link     +   -
Delete          +   -
Write DAC       +   +
Write Owner     +   +
Read Control    +   +
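The following PowerShell script is an added example, not code from the question or the answer. It audits the two things this thread says decide whether a non-administrator can launch the COM server as "The launching user": the identity recorded for the server's AppID, the ACL on its CLSID/AppID registry keys (the rights in the answer's table), and the ACL on the application folder named in the "Solved:" note. With -Grant it adds a read rule on the registry keys and a Full Control rule on the folder. The CLSID, the group name, the folder path and the default rights are placeholders or assumptions; the real values come from dcomcnfg and from the experimentation the answer recommends, and Set-Acl on HKLM or Program Files needs an elevated prompt.

```powershell
<#
  Added example (not part of the original thread). Audits, and optionally grants,
  the permissions discussed above for launching a COM server as "The launching user".
  Every identifier below is a placeholder; replace it with your own.
#>
param(
    [string]$Clsid  = '{00000000-0000-0000-0000-000000000000}',  # placeholder CLSID
    [string]$Group  = 'BUILTIN\Users',                           # group containing the launching user (assumption)
    [string]$AppDir = 'C:\Program Files\Application',            # folder named in the "Solved:" note
    [string]$RegRights  = 'ReadKey',       # Query Value + Enum Subkeys + Notify + Read Control, the answer's "Users" read set
    [string]$FileRights = 'FullControl',   # what the "Solved:" note granted; narrower rights may suffice
    [switch]$Grant                         # apply the rules instead of only reporting
)

# Machine-wide COM registration lives under HKLM\SOFTWARE\Classes (merged into HKCR).
$clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
if (-not (Test-Path $clsidKey)) { throw "CLSID key not found: $clsidKey" }

# dcomcnfg records the identity under HKLM\SOFTWARE\Classes\AppID\{appid}.
# A missing RunAs value means "The launching user"; "Interactive User" or an account name otherwise.
$appId    = (Get-ItemProperty -Path $clsidKey -Name AppID -ErrorAction SilentlyContinue).AppID
$appIdKey = if ($appId) { "HKLM:\SOFTWARE\Classes\AppID\$appId" } else { $null }
$runAs    = $null
if ($appIdKey -and (Test-Path $appIdKey)) {
    $runAs = (Get-ItemProperty -Path $appIdKey -Name RunAs -ErrorAction SilentlyContinue).RunAs
}
$identity = if ($runAs) { $runAs } else { 'The launching user' }
Write-Host "DCOM identity for $Clsid : $identity"

function Show-Rights {
    # Print every ACE on $Path that names $Principal (registry or file system).
    param([string]$Path, [string]$Principal)
    $rules = (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -ieq $Principal }
    if (-not $rules) { Write-Host "  $Path : no ACE for $Principal"; return }
    foreach ($r in $rules) {
        $rights = if ($r.PSObject.Properties['RegistryRights']) { $r.RegistryRights } else { $r.FileSystemRights }
        $inh    = if ($r.IsInherited) { ' (inherited)' } else { '' }
        Write-Host "  $Path : $($r.AccessControlType) $rights$inh"
    }
}

function Grant-Rights {
    # Add an Allow ACE for $Principal on $Path; registry keys get ContainerInherit only,
    # folders get ContainerInherit + ObjectInherit so files under them are covered too.
    param([string]$Path, [string]$Principal, [string]$Rights)
    $acl   = Get-Acl -Path $Path
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($Path -like 'HKLM:*') {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Principal, [System.Security.AccessControl.RegistryRights]$Rights, $inherit, $prop, $allow)
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal, [System.Security.AccessControl.FileSystemRights]$Rights, $inherit, $prop, $allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "  granted $Rights on $Path to $Principal"
}

$targets = @(@{ Path = $clsidKey; Rights = $RegRights })
if ($appIdKey -and (Test-Path $appIdKey)) { $targets += @{ Path = $appIdKey; Rights = $RegRights } }
if (Test-Path $AppDir)                     { $targets += @{ Path = $AppDir;   Rights = $FileRights } }

Write-Host "Current rights for $Group :"
foreach ($t in $targets) { Show-Rights -Path $t.Path -Principal $Group }

if ($Grant) {
    Write-Host "Applying rights for $Group :"
    foreach ($t in $targets) { Grant-Rights -Path $t.Path -Principal $Group -Rights $t.Rights }
}
```

Run it first without -Grant to see which ACEs the group already has on each key and on the folder; the answer's table is the reference for the registry side, so compare the reported RegistryRights against it before deciding what to add.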