Public and Private Queues

Updated: June 25, 2007

Applies To: Windows Server 2008

This topic describes the differences between public and private Message Queuing queues.

Private queues are queues that are not published in Active Directory Domain Services and are displayed only on the local computer that contains them. Private queues have the following features:

  • Message Queuing registers private queues locally by storing a description of the queue in the LQS (local queue storage) directory on the local computer. In this version of Message Queuing, the default location is %windir%\system32\msmq\storage\lqs. Note that a description of each public queue created on the local computer is also stored locally in a separate file in the LQS folder.

  • Private queues are registered on the local computer, not in the directory service, and typically cannot be located by other Message Queuing applications.

  • Private queues are accessible only by Message Queuing applications that know the full path name, the direct format name, or the private format name of the queue, as follows:

    • Path name:ComputerName\private$\QueueName.

    • Path name on local computer: .\private$\QueueName.

    • Direct format name: DIRECT=ComputerAddress\PRIVATE$\PrivateQueueName.

    • Private format name: PRIVATE=ComputerGUID\QueueNumber.

    For more information about path names and format names, see Queue Names.

  • Private queues have the advantage of no directory service overhead, making them quicker to create, no latency in accessing them, and no replication overhead.

  • Private queues are not dependent on the directory service, and thus can be created and deleted when the directory service is not working. This is useful for offline operation.

  • One way that private queues can be exposed to other applications is by setting a message property. To distribute the location of a private queue, an application can send a format name of the private queue as the response queue property of a message.

  • In a workgroup environment, only private queues are available.

  • For a Message Queuing application on the local computer to access a private queue, the application only needs to know the path name of the queue. For a Message Queuing application on a remote computer, the application requires a direct or private format name to access such a queue. To read messages from the queue, the remote Message Queuing application requires the Receive Message permission for that queue. For more information about this change see the section Default queue permissions for new queues do not grant everyone send access in the topic Security Enhancements that Affect the Default Behavior of Message Queuing.

In a domain environment, public queues are queues that are published in Active Directory Domain Services and hence are replicated throughout your Server family forest. Note that only the properties for these queues are replicated, not the actual queues themselves or their contents. Any computer within your forest can potentially access information regarding public queues provided the user has sufficient permissions to access the applicable queue objects. Generally speaking, any user in the forest with access to Active Directory Domain Services and the Send To permission for a given public queue can send messages to it.

In an Active Directory Domain Services environment, defining public queues ensures that queues are registered in the directory service, and that their registration is backed up. They are persistent and available to other applications.

By default, in Active Directory Domain Services, the Create Child Object permission that is required to create local public queues is granted to:

  • The Domain Administrator account

  • The domain user account of the local administrator that installed Message Queuing

  • Local System and Network Service accounts

To permit all other users to create local public queues by default, Message Queuing uses Message Queuing service elevation of privilege. The effect of this is that if the user account does not have Active Directory Domain Services permissions for this action, the user account privilege is elevated and the local public queue is created using Message Queuing service's Network Service account. This is the default Message Queuing setting. If you want to disable this behavior, and restrict the creation of local public queues, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\EnableCreateQueueThroughService and set to a value of 0. After setting the registry, restart the Message Queuing service for the changes to take effect.

Incorrectly editing the registry may severely damage your system. It is recommended that you back up any valuable data on the computer before making changes to the registry.

Default security access for public queues grants send permissions to the queue creator, local Administrators, and members of <domain>\Enterprise Admins group. Specific permissions must be granted for read access.

The advantage of public destination queues is that they are registered in the directory service, where they can be located by other Message Queuing applications. Public queues are persistent, and their registration information can be backed up on the enterprise, making them good for long-term use.

Community Additions