Tuesday, November 2, 2010

The importance of owner for some registry keys - DCOM Launch and Activation

Very often applications such as SharePoint Server and SQL Server are installed with the Administrator account right after an OS build in a dev/VM environment. Then the VM is joined to some domain, and you switch to a domain account that has been added to the local Administrators group. All is fine. From time to time, though, you may get a local activation permission error, like this one for SharePoint:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

{61738644-F196-11D0-9953-00C04FD919C1}

to the user \mossService SID (S-1-5-21-). This security permission can be modified using the Component Services administrative tool.


That GUID is the ID for IIS WAMREG Admin Service. So you go to Component Services -> Computers -> My Computer -> DCOM Config -> IIS WAMREG Admin Service -> Properties -> Security tab, and everything's grayed out! How do you change it?

The reason is that, despite being logged in with an account that has local admin access, the registry key that holds these security settings is read-only for that account. THE correct way to make it writable:

  1. Start regedit (please disable UAC, which is troublesome on a server)
  2. Go to the key [HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}] , or the key with the GUID that you're trying to modify.
  3. Right click on the key -> Permissions. If you select Administrators and click Full Control and Apply, it doesn't let you do it.
  4. Click on the Advanced button, go to the Owner tab, and change the owner to Administrators (or the currently logged-in account, or another account/group). Click OK.
  5. Back on the Permissions window, now you can give the Administrators group Full Control.

After doing the above, exit Component Services and start it again. Go to IIS WAMREG Admin Service; now you can change the settings for Local Activation etc.
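
To confirm who owns the key and whether Administrators has Full Control, before and after the steps above, a read-only PowerShell check can be used. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later in an elevated session, and the output property names are chosen here for illustration.

```powershell
# Added example: report the owner and the Administrators ACE on a DCOM AppID key.
# Read-only: it changes nothing. Save the Sddl value if you want a record of
# the original security descriptor before editing permissions in regedit.
param(
    # AppID GUID from the event log entry (default: IIS WAMREG Admin Service)
    [string]$AppId = '{61738644-F196-11D0-9953-00C04FD919C1}'
)

$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
if (-not (Test-Path -Path $keyPath)) {
    throw "AppID key not found: $keyPath"
}

$acl = Get-Acl -Path $keyPath

# BUILTIN\Administrators by well-known SID, so the check also works on localized systems
$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$sidType  = [System.Security.Principal.SecurityIdentifier]
$full     = [System.Security.AccessControl.RegistryRights]::FullControl

# Owner as a SID for a name-independent comparison
$ownerSid = $acl.GetOwner($sidType)

# Explicit and inherited Allow ACEs for Administrators that include Full Control
$adminFull = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference -eq $adminSid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band $full) -eq $full
}

[pscustomobject]@{
    Key                       = $keyPath
    Owner                     = $acl.Owner
    OwnerIsAdministrators     = ($ownerSid -eq $adminSid)
    AdministratorsFullControl = [bool]$adminFull
    Sddl                      = $acl.Sddl
}
```

If `OwnerIsAdministrators` is false and `AdministratorsFullControl` is false, the key is in the state described above, where the Security tab in Component Services is grayed out.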
