Weaken Security Using ADSI Edit
Applies To: Windows Server 2008
Use this procedure to weaken Message Queuing security using ADSI edit.
You can use this procedure to weaken Message Queuing security using ADSI edit on a Windows Server 2008 member server. Weaken Active Directory Domain Services security to support Message Queuing 2.0 clients logged on with local user accounts.
Note
The Windows 2000 Client Support feature has been removed from Message Queuing 5.0. To support message queuing on Windows 2000 down-level clients, at least one Windows Server 2003 or Windows Server 2008 domain controller with Windows 2000 Client Support feature must be configured in the domain.
Membership in <Domain>\Domain Admins, <Domain>\Enterprise Admins, or the local Administrators group or equivalent, is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.
To weaken Message Queuing security using ADSI edit
Click Start, click Run, type adsiedit.msc, and then press Enter.
In the console tree, right-click CN=MsmqServices.
Where?
- Configuration Container/CN=Configuration,.../CN=Services/CN=MsmqServices
Click Properties.
On the Attribute Editor page, in Attributes, select mSMQNameStyle, and then click Edit.
In Boolean Attribute Editor, select True to weaken security, or False to tighten security.
Click OK.
Additional considerations
This procedure is used to weaken Active Directory Domain Services security to support Message Queuing 2.0 clients logged on with local user accounts.
Only users with the Write permission for the MsmqServices object can perform this procedure. By default, only members of the Domain Admins or Enterprise Admins groups of the root domain and members of the SYSTEM group (local system services running on a domain controller) have the Write permissions for this object.
In order to run the ADSI Edit MMC console, it may be necessary to manually register the file adsiedit.dll. To manually register adsiedit.dll follow these steps:
From the Start menu, click Run.
In the Run dialog box, type cmd.
At the commend prompt, type:
regsvr32 adsiedit.dll
Close the command prompt.
Dependent clients cannot run under a local user account. Also, any computer that sends queries about Message Queuing objects to Active Directory Domain Services on a domain controller directly, rather than through the Message Queuing directory service, will not be able to access Active Directory Domain Services when it logs on using a local user account even if weakened security for Active Directory Domain Services is enabled.
After performing this procedure, for the change to take effect, you must restart all instances of the Message Queuing Windows 2000 Client Support service running on Windows Server 2008 domain controllers.
For best security practice, it is recommended that Active Directory Domain Services security not be weakened unless necessary.