Enabling Weakened Security
Updated: June 25, 2007
Applies To: Windows Server 2008
Message Queuing servers running on domain controllers can operate using weakened security for Active Directory Domain Services. Enable weakened security in an environment where Message Queuing 2.0 users are logged on with local user accounts. Note that:
Dependent clients cannot run under a local user account.
Any computer that sends queries about Message Queuing objects to Active Directory Domain Services on a domain controller directly, rather than through a Message Queuing server, will not be able to access Message Queuing objects in Active Directory Domain Services when it logs on with a local user account, even if the security for Active Directory Domain Services is weakened.
If weakened security is enabled, a Message Queuing server running on a domain controller will access Active Directory Domain Services within its own security context. This access will be under the Network Service account on the applicable domain controller. You can view the properties of Active Directory Domain Services objects, including msmq (MSMQ configuration) objects and queue objects. You can also check security settings for operating systems requiring the Windows 2000 Client Support service or Windows XP clients. You cannot bypass any security restrictions on creating objects or setting object security.
You can also check how Message Queuing is configured and modify this setting after installation using ADSI Edit. For information about how to do this, see Weaken Security Using ADSI Edit.
It is also possible to support MSMQ 2.0 users logged on with local user accounts without explicitly weakening security as described in the topic Weaken Security Using ADSI Edit. In this case, you must grant the Everyone group the List Content permission on all computer objects in each domain. This, however, greatly compromises domain security.
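To audit for the alternative described above, the following added example (not part of the original topic or Microsoft's own code) flags computer-object security descriptors whose DACL grants Everyone the List Contents right. The function name `Test-EveryoneListContents` is hypothetical, the SDDL strings are constructed samples, and the script assumes Windows, where .NET can parse SDDL.

```powershell
# Added audit example. The SDDL strings below are constructed samples,
# not real directory data.
# "LC" in SDDL is ADS_RIGHT_ACTRL_DS_LIST (0x4), shown as "List Contents"
# in the ACL editor. "WD" is the Everyone group (S-1-1-0).
$ListContents = 0x4
$EveryoneSid  = 'S-1-1-0'

function Test-EveryoneListContents {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    # A descriptor with no DACL at all places no restriction on anyone.
    if ($null -eq $sd.DiscretionaryAcl) { return $true }

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }

        $isAllow   = $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed
        $isWorld   = $ace.SecurityIdentifier.Value -eq $EveryoneSid
        $hasList   = ($ace.AccessMask -band $ListContents) -ne 0
        # Inherit-only ACEs apply to child objects, not to this object.
        $onlyChild = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0

        if ($isAllow -and $isWorld -and $hasList -and -not $onlyChild) { return $true }
    }
    return $false
}

# Constructed sample descriptors for three computer objects.
$samples = [ordered]@{
    'CN=SRV-DEFAULT'  = 'O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPRC;;;AU)'
    'CN=SRV-WEAKENED' = 'O:BAG:BAD:(A;;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
    'CN=SRV-INHERIT'  = 'O:BAG:BAD:(A;CIIO;LC;;;WD)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
}

foreach ($name in $samples.Keys) {
    [pscustomobject]@{
        Object                = $name
        EveryoneCanListObject = Test-EveryoneListContents -Sddl $samples[$name]
    }
}

# Against a live domain (requires the ActiveDirectory module), feed real SDDL:
#   Get-ADComputer -Filter * -Properties nTSecurityDescriptor | ForEach-Object {
#       $sddl = $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
#       if (Test-EveryoneListContents -Sddl $sddl) { $_.DistinguishedName }
#   }
```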