Enable Message Queuing to Access SACL Information

  • Article

Applies To: Windows Server 2008

Use this procedure to enable Message Queuing to access security access control list (SACL) information.

You can use this procedure to enable Message Queuing to access SACL information. You enable Message Queuing access to SACL information in order to audit "object open" security events such as Peek Message, Receive Message, and Send Message for the local computer's public queues.

Membership in <Domain>\Domain Admins, or equivalent, is the minimum required to complete this procedure.

To enable Message Queuing to access SACL information

  1. Click Start, point to Run, type MMC, and then click OK to display the Microsoft Management Console (MMC).

  2. Click the Add/Remove Snap-in option from the File menu.

  3. Select the Group Policy Management Editor from the list of available snap-ins and click Add.

Note

The Group Policy Management Editor snap-in is available by default on domain controllers. To make this snap-in available on a non domain controller install the Active Directory Domain Services Remote server administration tool feature that is available in the Add Features wizard in Server Manager.

  1. In the Select Group Policy Object dialog box click Browse.

  2. Click the Domains/OUs tab of the Browse for a Group Policy Object dialog box, select Default Domain Policy, and then click OK.

  3. In the Select Group Policy Object dialog box click Finish.

  4. In the Add or Remove Snap-ins dialog box click OK.

  5. Click to expand Default Domain Policy [Domain Name] Policy, open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, right-click User Rights Assignment, and then click Open.

  6. Double-click Manage Auditing and Security Log, check the option to Define these policy settings, and then click Add User or Group.

  7. Add the computer account name of the computer running the Message Queuing service, and then click OK.

  8. Wait for about 5 minutes to allow changes to take effect in Active Directory Domain Services, and then restart the computer that hosts the public queue or queues.

Additional considerations

  • After the Message Queuing service is enabled to access SACL information, you need to establish an audit policy. An audit policy specifies categories of security-related events that you want to audit. See the online help for your operating system for more information about establishing an audit policy.

Additional references