Set permissions for computer and queue objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To set permissions for computer and queue objects

  1. Open Active Directory Users and Computers.

  2. On the View menu, click Users, Groups, and Computers as containers, and then click Advanced Features.

  3. Do one of the following:

    • To grant Message Queuing-specific permissions for a computer (an msmq object), in the console tree, right-click msmq (console tree location is: Active Directory Users and Computers/YourDomain/YourOrganizationalUnit (such as Computers or Domain Controllers)/*YourComputer/*msmq).

    • To grant Message Queuing-specific permissions for a queue, right-click the applicable queue. (console tree location is: Active Directory Users and Computers\ YourDomain\ YourOrganizationalUnit (such as Computers or Domain Controllers)\ YourComputer\ msmq\ YourQueueFolder (Private Queues for a private queue)\ YourQueue).

  4. Click Properties.

  5. On the Security page, set permissions for the object specified in StepĀ 3, as needed:

    • To grant permissions for this object to a group or user appearing under Group or user names, select the applicable group or user, and then in Permissions for GroupOrUser, select the check boxes in the Allow column following the names of the applicable permissions.

    • To deny a group or user permissions for this object, select the applicable group or user in Group or user names, and then in Permissions for GroupOrUser, select the check boxes in the Deny column following the names of the applicable permissions.

    • To add a new group or user for access, click Add. In the Select Users, Computers, or Groups dialog box, click Object Types, select the Group and/or Users check box as appropriate, clear the remaining check boxes, and click OK. In Enter the object name to select, type the name of a group or user or the names of several groups or users separated by semicolons, and click OK. Or, click Advanced to search for groups or users, enter the applicable parameters, click Find Now, select the group or user, click OK, and then click OK again. Then, select the group or user you just added and select the applicable check boxes as needed.

Notes

  • To open Active Directory Users and Computers, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  • The queue objects for the queues residing on a particular computer are child objects of the msmq object of the applicable computer. For example, to create a queue, a user must have the Create All Child Objects permission for the msmq object under which the queue will be created.

  • You can grant or deny permissions for an object even to the Administrators group.

  • This procedure cannot be used to set permissions for a private queue on a remote computer.

Important

  • The default permission is that everyone can send messages to a queue. For tighter security, you can change the default security permissions for the queue. You can also specify properties for greater security when you create a queue, for example, to accept authenticated messages only. For instructions, see Allow only authenticated messages on queues.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Message Queuing and Active Directory
Access control for Message Queuing
Working with MMC console files