3.1.7.1.3.1 Create Default Queue Security Descriptor

  1. Let MachineSid be an SID ([MS-DTYP] section 2.4.2), initialized to zero.

  2. If the message queuing system is operating in Directory-Integrated mode:

    • A Get Object Properties Using LDAP ([MS-MQDSSM] section 3.1.6.14) event MUST be generated with the following arguments:

      • iPath := a distinguished name of the form specified for a computer object in [MS-MQDSSM] section 2.2.1, where "<computer name>" is the computer name portion of the value of iDirectoryObject.Pathname, as specified in [MS-MQMQ] section 2.1.1.

      • iAttributes := a list of names consisting of one element, "objectSid".

    • If the Get Object Properties Using LDAP operation fails, the value of MachineSid MUST be unchanged. Otherwise, the value of MachineSid MUST be set to the value returned for the objectSid ([MS-ADA3] section 2.45) attribute.

  3. Let SuppliedSecurity and FinalSecurity be SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6) structures, initialized to be empty.

  4. If iQueue.Security is set, the value of iQueue.Security MUST be copied to the SuppliedSecurity structure.

  5. Let OwnerSid be an SID, initialized to zero.

  6. If SuppliedSecurity is not empty:

    1. OwnerSid MUST be set to the SuppliedSecurity.OwnerSid field.

    2. If the SuppliedSecurity.Dacl field is populated, the value MUST be copied to the FinalSecurity.Dacl field.

    3. If the SuppliedSecurity.Sacl field is populated, the value MUST be copied to the FinalSecurity.Sacl field.

  7. If OwnerSid is zero, it MUST be set to the SID of the user under whose identity the current thread is running.

  8. If the user referenced by the SID in OwnerSid is not a domain user, OwnerSid MUST be set to the well-known SID with string representation S-1-5-7 (relative identifier SECURITY_ANONYMOUS_LOGON_RID combined with identifier authority SECURITY_NT_AUTHORITY).

  9. If the FinalSecurity.Dacl field was not updated in step 7:

    1. Let WorldAccess, OwnerAccess, MachineAccess, and AnonymousAccess be MQQUEUEACCESSMASK ([MS-MQMQ] section 2.2.24) enumerated values initialized to be zero.

    2. If OwnerSid is a guest SID (equal to the SID designated by DOMAIN_USER_RID_GUEST, as specified in [MS-SAMR] section 2.2.1.14) or the user referenced by the SID in OwnerSid is not a domain user, WorldAccess MUST be set to MQSEC_QUEUE_GENERIC_ALL. Otherwise, WorldAccess MUST be set to (MQSEC_GET_QUEUE_PROPERTIES | MQSEC_GET_QUEUE_PERMISSIONS), and OwnerAccess MUST be set to MQSEC_QUEUE_GENERIC_ALL.

    3. If MachineSid is nonzero, MachineAccess MUST be set to (MQSEC_GET_QUEUE_PROPERTIES | MQSEC_GET_QUEUE_PERMISSIONS).

    4. If messages can be sent to this queue using the Message Queuing (MSMQ): SOAP Reliable Messaging Protocol (SRMP) [MC-MQSRM], MQSEC_WRITE_MESSAGE SHOULD<20> be added (bitwise ORed) to the current value of WorldAccess, and AnonymousAccess SHOULD be set to MQSEC_WRITE_MESSAGE.

    5. An ACCESS_ALLOWED_ACE ([MS-DTYP] section 2.4.4.2) structure with a Mask field set to WorldAccess and containing the well-known SID with string representation S-1-1-0 (relative identifier SECURITY_WORLD_RID combined with identifier authority SECURITY_WORLD_SID_AUTHORITY) MUST be added to the FinalSecurity.Dacl field.

    6. If AnonymousAccess is nonzero, an ACCESS_ALLOWED_ACE structure with a Mask field set to AnonymousAccess and containing the well-known SID with string representation S-1-5-7 (relative identifier SECURITY_ANONYMOUS_LOGON_RID combined with identifier authority SECURITY_NT_AUTHORITY) MUST be added to the FinalSecurity.Dacl field.

    7. If MachineAccess is nonzero, an ACCESS_ALLOWED_ACE structure with a Mask field set to MachineAccess and containing the SID in MachineSid MUST be added to the FinalSecurity.Dacl field.

    8. If OwnerAccess is nonzero, an ACCESS_ALLOWED_ACE structure with a Mask field set to OwnerAccess and containing the SID in OwnerSid MUST be added to the FinalSecurity.Dacl field.

  10. The SECURITY_DESCRIPTOR structure in FinalSecurity MUST be converted to self-relative format (see [MS-DTYP] section 2.4.6).
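The procedure above, modelled end to end in Python as an added example; this is not code from [MS-MQDMPR] or from any MSMQ implementation. The LDAP lookup of steps 1 and 2 is reduced to a caller-supplied `directory_machine_sid` (None when not in Directory-Integrated mode or when the lookup failed), the "is a domain user" test of steps 8 and 9.2 is a caller-supplied predicate, the numeric MQQUEUEACCESSMASK values are assumptions written from memory rather than copied from [MS-MQMQ] section 2.2.24, and the self-relative conversion of step 10 is omitted. The `world_has_full_control` helper is the check a defender wants: when no DACL is supplied and the owner is not a domain user (the workgroup case), the default DACL grants Everyone MQSEC_QUEUE_GENERIC_ALL, and the SRMP branch adds a write ACE for ANONYMOUS LOGON.

```python
"""Model of 'Create Default Queue Security Descriptor' (added example, not spec code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# MQQUEUEACCESSMASK bits. ASSUMED values; the authoritative definitions are
# in [MS-MQMQ] section 2.2.24. Only the names used by the procedure appear here.
MQSEC_WRITE_MESSAGE = 0x00000004
MQSEC_GET_QUEUE_PROPERTIES = 0x00000020
MQSEC_GET_QUEUE_PERMISSIONS = 0x00020000
MQSEC_QUEUE_GENERIC_ALL = 0x000F003F

WORLD_SID = "S-1-1-0"          # SECURITY_WORLD_RID under SECURITY_WORLD_SID_AUTHORITY
ANONYMOUS_SID = "S-1-5-7"      # SECURITY_ANONYMOUS_LOGON_RID under SECURITY_NT_AUTHORITY
DOMAIN_USER_RID_GUEST = 501    # [MS-SAMR] section 2.2.1.14


@dataclass
class Ace:
    """Minimal stand-in for an ACCESS_ALLOWED_ACE: trustee SID plus access mask."""
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    """Minimal stand-in for SECURITY_DESCRIPTOR; None means 'not populated'."""
    owner_sid: Optional[str] = None
    dacl: Optional[List[Ace]] = None
    sacl: Optional[List[Ace]] = None


def is_guest_sid(sid: str) -> bool:
    """Step 9.2: the guest account is the domain SID whose RID is DOMAIN_USER_RID_GUEST."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == str(DOMAIN_USER_RID_GUEST)


def create_default_queue_security_descriptor(
    supplied: Optional[SecurityDescriptor],      # iQueue.Security, or None if not set
    thread_sid: str,                             # SID of the calling thread's identity
    is_domain_user: Callable[[str], bool],       # hypothetical stand-in for the domain-user test
    directory_machine_sid: Optional[str],        # objectSid from the LDAP lookup, None on failure
    srmp_reachable: bool,                        # can messages arrive via SRMP [MC-MQSRM]?
) -> Tuple[SecurityDescriptor, str]:
    """Returns (FinalSecurity, OwnerSid) after steps 1-9; step 10 is not modelled."""
    machine_sid = directory_machine_sid                      # steps 1-2
    final = SecurityDescriptor()                             # step 3
    owner_sid: Optional[str] = None                          # step 5
    if supplied is not None:                                 # steps 4, 6
        owner_sid = supplied.owner_sid
        if supplied.dacl is not None:
            final.dacl = list(supplied.dacl)
        if supplied.sacl is not None:
            final.sacl = list(supplied.sacl)
    if owner_sid is None:                                    # step 7
        owner_sid = thread_sid
    if not is_domain_user(owner_sid):                        # step 8
        owner_sid = ANONYMOUS_SID
    if final.dacl is None:                                   # step 9: no DACL was copied in 6.2
        world = owner = machine = anonymous = 0
        if is_guest_sid(owner_sid) or not is_domain_user(owner_sid):
            world = MQSEC_QUEUE_GENERIC_ALL                  # 9.2: Everyone gets full control
        else:
            world = MQSEC_GET_QUEUE_PROPERTIES | MQSEC_GET_QUEUE_PERMISSIONS
            owner = MQSEC_QUEUE_GENERIC_ALL
        if machine_sid is not None:                          # 9.3
            machine = MQSEC_GET_QUEUE_PROPERTIES | MQSEC_GET_QUEUE_PERMISSIONS
        if srmp_reachable:                                   # 9.4 (the SHOULD branch, taken here)
            world |= MQSEC_WRITE_MESSAGE
            anonymous = MQSEC_WRITE_MESSAGE
        dacl = [Ace(WORLD_SID, world)]                       # 9.5: world ACE is always added
        if anonymous:                                        # 9.6
            dacl.append(Ace(ANONYMOUS_SID, anonymous))
        if machine:                                          # 9.7
            dacl.append(Ace(machine_sid, machine))
        if owner:                                            # 9.8
            dacl.append(Ace(owner_sid, owner))
        final.dacl = dacl
    return final, owner_sid


def world_has_full_control(sd: SecurityDescriptor) -> bool:
    """Defender check: does the DACL give Everyone (S-1-1-0) MQSEC_QUEUE_GENERIC_ALL?"""
    return any(
        ace.sid == WORLD_SID and ace.mask & MQSEC_QUEUE_GENERIC_ALL == MQSEC_QUEUE_GENERIC_ALL
        for ace in (sd.dacl or [])
    )


if __name__ == "__main__":
    domain = lambda sid: sid.startswith("S-1-5-21-")          # constructed domain-membership test
    # Constructed inputs: a domain user in Directory-Integrated mode, no supplied DACL.
    sd, owner = create_default_queue_security_descriptor(None, "S-1-5-21-1-2-3-1105", domain, "S-1-5-21-1-2-3", False)
    print(owner, [(a.sid, hex(a.mask)) for a in sd.dacl], world_has_full_control(sd))
    # Constructed inputs: workgroup-mode caller, SRMP reachable.
    sd, owner = create_default_queue_security_descriptor(None, "S-1-5-21-9-9-9-1001", lambda s: False, None, True)
    print(owner, [(a.sid, hex(a.mask)) for a in sd.dacl], world_has_full_control(sd))
```

The two runs in the `__main__` block show the contrast the procedure encodes: a domain owner ends up with Everyone limited to property and permission reads and full control reserved to the owner, while a non-domain owner is replaced by S-1-5-7 and Everyone receives MQSEC_QUEUE_GENERIC_ALL. Supplying an explicit DACL in iQueue.Security (step 6.2) is what keeps step 9 from running at all.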