Delegated permissions for removing MSMQ sub object in AD

Ben Wosjke 136 Reputation points
2022-10-18T23:19:43.267+00:00

Hi all,
I need to remove the MSMQ sub-object in AD from computer accounts on a recurring basis.

Specifically, I am referring to the MSMQ container that gets created at CN=MSMQ,CN=ServerName,OU=OUName,DC=Company,DC=Com when enabling AD integration for MSMQ within Windows.

As an admin, I (or any of the other admins) can do this - but given we want to script this ability using a service account - we are trying to lock down the permissions for this service account to that specific purpose.

Now, before you say it, I have delegated control (and verified the delegated permissions) with the following settings:

251743-image.png

and (just in case it was somehow different)

251762-image.png

and neither of these allows the service account to delete the MSMQ container.
I don't want to allocate full control to the service account over these OUs... and am looking for assistance in what delegation allows the object to be removed.

Windows for business | Windows Server | User experience | Other