Installation Permissions
Applies To: Windows Server 2008, Windows Vista
The following table shows the administrative permissions required to install different Message Queuing software features. By default, logging on using an account with these permissions allows the applicable Message Queuing objects to be created in Active Directory Domain Services during Message Queuing installation.
Message Queuing computer | Permission level required |
---|---|
Message Queuing server on a domain controller | domain administrative permissions (or member of the Domain Admins group) |
Message Queuing server on a nondomain controller with Routing Support | enterprise administrative permissions (or member of the Enterprise Admins group) |
Message Queuing server on a nondomain controller without Routing Support | local administrative permissions (or member of the local Administrators group) |
Independent client | local administrative permissions (or member of the local Administrators group) |
Dependent client | Message Queuing 5.0 cannot be installed as a dependent client. A Windows Server 2008 R2 computer with Message Queuing 5.0 installed can still act as a supporting server for computers with earlier versions of Message Queuing that are installed as a dependent client. |
Note
When installing Message Queuing in a server cluster, the user account under which the cluster service is running must be granted permissions to create computer objects and Message Queuing objects. See the table below for specific permissions needed to create specific objects.
Note
If you do not want to grant users such general or wide-ranging permissions to install Message Queuing, you can grant permissions to create those objects specifically required to create different Message Queuing computers. The following table lists the specific child objects in Active Directory Domain Services that you must be granted permission to create for Message Queuing installation to complete.
Message Queuing computer | Specific permissions required | For which object |
---|---|---|
Message Queuing server (on a domain controller or on a nondomain controller with routing enabled) | Create MSMQ Configuration Objects | applicable domain controller object located in Active Directory Users and Computers |
Message Queuing server (on a domain controller or on a nondomain controller with routing enabled) | Create All Child Objects | Servers container object located in Active Directory Sites and Services |
Message Queuing server (on a nondomain controller with no routing) | Create MSMQ Configuration Objects | applicable computer object located in Active Directory Users and Computers |
Independent client | Create MSMQ Configuration Objects | applicable computer object located in Active Directory Users and Computers |
Dependent client | none | not applicable |
You can grant these specific permissions to specific users or to all users in a domain using the Delegation of Control Wizard.
For more information about Message Queuing objects, where they are created, and where they are located in Active Directory Domain Services, see Message Queuing and Active Directory Domain Services.
For more information about permissions for objects, see Access Control for Message Queuing.
Note
To install Message Queuing, you may also need the Delete MSMQ Configuration Objects permission, because if Setup finds an msmq (MSMQ Configuration) object in Active Directory Domain Services, it must delete it before creating a new one.
Note
To uninstall Message Queuing, you must be granted the Delete MSMQ Configuration Objects permission.
Setting Permissions in Active Directory Domain Services Before Installing the Routing Service Feature of Message Queuing on a Non Domain Controller
Installing the Routing Service feature on a server computer that is not a domain controller succeeds only if specific permissions are set in Active Directory Domain Services (ADDS). Before installing the feature, the computer object must be granted permissions on the Servers object in ADDS. Follow these steps to grant the appropriate permissions before installing this feature.
To grant appropriate permissions to the computer object in ADDS before installing the Routing Service feature on a non domain controller.
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services to launch Active Directory Sites and Services.
2. Click to expand Active Directory Sites and Services, click to expand Sites, and then click to expand the site which this computer will be a member of.
3. Right-click Servers and select Properties to display the Servers Properties dialog box.
4. Click the Security tab of the Servers Properties dialog box.
5. Click the Add button to display the Select Users, Computer, or Groups dialog box.
6. Click the Object Types button to display the Object Types dialog box, click to enable Computers, and then click OK.
7. Enter the name of the computer for which the Routing Service or Directory Service Integration feature will be installed, click Check Names, and then click OK.
8. Enable the following permissions for this computer object:
   - Allow Read
   - Allow Write
   - Allow Create all child objects
9. After enabling these permissions, click Advanced to display the Advanced Security Settings for Servers dialog box.
10. Select the computer object from the list of permission entries and click the Edit button.
11. Select This object and all descendant objects from the Apply to: dropdown list and click OK.
12. Click OK to close the Advanced Security Settings for Servers dialog box.
13. Click OK to close the Servers Properties dialog box.
Setting Permissions in Active Directory Domain Services Before Installing the Directory Service Integration Feature of Message Queuing on a Domain Controller
The successful installation of the Directory Service Integration feature on a Server computer that is a domain controller requires that specific permissions are set in Active Directory Domain Services.
Follow these steps to grant the appropriate permissions in Active Directory Domain Services before installing this feature.
Note
These steps are not required when installing the Directory Service Integration feature of Message Queuing on a non domain controller.
To grant the Network Service account the Create MSMQ Configuration Objects permission to the computer object in Active Directory Domain Services before installing the Directory Services Integration feature on a computer that is a domain controller
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers to launch Active Directory Users and Computers.
2. Click the View menu and click to enable the options for Users, Groups, and Computers as containers and Advanced Features.
3. Click to expand the Domain container for the domain, click to expand the Computers container, right-click the computer object on which the Directory Services Integration feature is being installed, and click Properties to display the computer properties dialog box.
4. Click to select the Security tab of the computer properties dialog box.
5. Click the Advanced button to display the Advanced Security Settings for <computer> dialog box.
6. Click the Add button to display the Select User, Computer, or Group dialog box.
7. Type <domain>\Network Service into the Enter the object name to select edit box, click Check Names, and then click OK. Substitute the actual Active Directory Domain Services domain name for <domain>.
8. Click to enable Allow for the Create MSMQ Configuration objects permission and then click OK to close the Permissions Entry for <computer> dialog box.
9. Click OK to close the Advanced Security Settings for <computer> dialog box.
10. Click OK to close the computer properties dialog box.
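
The delegations created by the two procedures above (on the Servers container and on the computer object) can be reviewed from PowerShell after they are granted. The following is an added example, not part of the original documentation; it assumes the ActiveDirectory module is installed, and the two distinguished names and the helper name Get-ChildObjectAce are placeholders chosen for illustration.

```powershell
# Added example (not from the original documentation).
# Assumes the ActiveDirectory RSAT module; both distinguished names are placeholders.
Import-Module ActiveDirectory

$serversDn  = 'CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=example,DC=com'
$computerDn = 'CN=<computer>,CN=Computers,DC=example,DC=com'

# Look up the schema GUID of the msmq (MSMQ Configuration) class rather than hard-coding it.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$msmqClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=mSMQConfiguration)' -Properties schemaIDGUID
$msmqGuid  = [guid]$msmqClass.schemaIDGUID

$rights = [System.DirectoryServices.ActiveDirectoryRights]

# Hypothetical helper: explicit Allow ACEs on an object that create or delete child objects.
function Get-ChildObjectAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $mask = $rights::CreateChild -bor $rights::DeleteChild
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band $mask)
    }
}

# Servers container: "Create all child objects" is a CreateChild ACE with an empty
# ObjectType; InheritanceType 'All' is "This object and all descendant objects".
Get-ChildObjectAce $serversDn |
    Where-Object { $_.ObjectType -eq [guid]::Empty } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Computer object: ACEs scoped to the msmq class, that is,
# Create or Delete MSMQ Configuration Objects.
Get-ChildObjectAce $computerDn |
    Where-Object { $_.ObjectType -eq $msmqGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Full-control entries also appear in the first listing because they include the create-child right. Any IdentityReference other than the intended computer account or Network Service is a delegation to review.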