Set Permissions for Computer and Queue Objects

  • Article

Applies To: Windows Server 2008

Use this procedure to set permissions for Message Queuing computer and queue objects.

You can use this procedure to set permissions for Message Queuing computer and queue objects. Set permissions for Message Queuing computer and queue objects to regulate access to the specified objects.

Membership in <Domain>\Domain Users, or equivalent, is the minimum required to complete this procedure.

To set permissions for Message Queuing computer and queue objects using Active Directory Users and Computers

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, click Users, Groups, and Computers as containers, and then click Advanced Features.

  3. Do one of the following:

    • To grant Message Queuing-specific permissions for a computer (an msmq object), in the console tree, right-click msmq (console tree location is: Active Directory Users and Computers/YourDomain/YourOrganizationalUnit (such as Computers or Domain Controllers)/*YourComputer/*msmq).

    • To grant Message Queuing-specific permissions for a queue, right-click the applicable queue. (console tree location is: Active Directory Users and Computers\ YourDomain\ YourOrganizationalUnit (such as Computers or Domain Controllers)\ YourComputer\ msmq\ YourQueueFolder (Private Queues for a private queue)\ YourQueue).

  4. Click Properties.

  5. On the Security page, set permissions for the object specified in Step 3, as needed:

    • To grant permissions for this object to a group or user appearing under Group or user names, select the applicable group or user, and then in Permissions forGroupOrUser, select the check boxes in the Allow column following the names of the applicable permissions.

    • To deny a group or user permissions for this object, select the applicable group or user in Group or user names, and then in Permissions forGroupOrUser, select the check boxes in the Deny column following the names of the applicable permissions.

    • To add a new group or user for access, click Add. In the Select Users, Computers, or Groups dialog box, click Object Types, select the Group and/or Users check box as appropriate, clear the remaining check boxes, and click OK. In Enter the object name to select, type the name of a group or user or the names of several groups or users separated by semicolons, and click OK. Or, click Advanced to search for groups or users, enter the applicable parameters, click Find Now, select the group or user, click OK, and then click OK again. Then, select the group or user you just added and select the applicable check boxes.

To set permissions for queue objects using Computer Management

  1. Click Start, point to Run, type compmgmt.msc, and press ENTER to display the Computer Management MMC console.

  2. In the console tree, right-click the applicable queue.

    Where?

    • Computer Management/Services and Applications/Message Queuing/YourQueueFolder (such as Public Queues or Private Queues)/YourQueue

  3. Click Properties.

  4. On the Security page, set permissions for the queue as needed:

    • To grant permissions for this object to a group or user appearing under Group or user names, select the applicable group or user, and then in Permissions forGroupOrUser, select the check boxes in the Allow column following the names of the applicable permissions.

    • To deny a group or user permissions for this object, select the applicable group or user in Group or user names, and then in Permissions forGroupOrUser, select the check boxes in the Deny column following the names of the applicable permissions.

    • To add a new group or user for access, click Add. In the Select Users, Computers, or Groups dialog box, click Object Types, select the Group and/or Users check box as appropriate, clear the remaining check boxes, and click OK. In Enter the object name to select, type the name of a group or user or the names of several groups or users separated by semicolons, and click OK. Or, click Advanced to search for groups or users, enter the applicable parameters, click Find Now, select the group or user, click OK, and then click OK again. Then, select the group or user you just added and select the applicable check boxes.

Note

Membership in the local Administrators group is required to perform this task using Computer Management.

Additional considerations

  • The queue objects for the queues residing on a particular computer are child objects of the msmq object of the applicable computer. For example, to create a queue, a user must have the Create All Child Objects permission for the msmq object under which the queue will be created.

  • You can grant or deny permissions for an object even to the Administrators group.

  • This procedure cannot be used to set permissions for a private queue on a remote computer.

Important

The default permission for newly created queues in Message Queuing 5.0 may have changed from previous versions. For more information about this change see the section Default queue permissions for new queues do not grant everyone send access in the topic Security Enhancements that Affect the Default Behavior of Message Queuing. For tighter security, you can change the default security permissions for the queue. You can also specify properties for greater security when you create a queue, for example, to accept authenticated messages only. For instructions, see Allow Only Authenticated Messages on Queues.

Additional references