Installation permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Installation permissions

The following table shows the administrative permissions required to install different Message Queuing software components and to create various Message Queuing computers. By default, logging on using an account with these permissions allows the applicable Message Queuing objects to be created in Active Directory during Message Queuing installation.

Message Queuing computer Permission level required

Message Queuing server on a domain controller

domain administrative permissions (or member of the Domain Admins group)

Message Queuing server on a nondomain controller with Routing Support

enterprise administrative permissions (or member of the Enterprise Admins group).

Message Queuing server on a nondomain controller without Routing Support

local administrative permissions (or member of the local Administrators group)

Independent client

local administrative permissions (or member of the local Administrators group)

Dependent client

local administrative permissions (or member of the local Administrators group)

For more information on administrative groups for Windows Server 2003 family, see Default groups, in the Active Directory Help file.

Notes

  • When installing a Message Queuing server on a nondomain controller with routing enabled, domain administrative permissions are sufficient, provided Setup can contact a Windows Server 2003 or Windows 2000 domain controller and provided you are granted the specific permissions for objects listed in the table that follows.

  • When installing Message Queuing in a server cluster, the user account under which the cluster service is running must be granted permissions to create computer objects and Message Queuing objects. This can be done only on a Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition. See the following table for specific permissions needed to create specific objects.

If you do not want to grant users such general or wide-ranging permissions to install Message Queuing, you can grant permissions to create those objects specifically required to create different Message Queuing computers. The following table lists the specific child objects in Active Directory that you must be granted permission to create for Message Queuing installation to complete.

Message Queuing computer Specific permissions required For which object

Message Queuing server (on a domain controller or on a nondomain controller with routing enabled)

Create MSMQ Configuration Objects

applicable domain controller object located in Active Directory Users and Computers

Message Queuing server (on a domain controller or on a nondomain controller with routing enabled)

Create All Child Objects

Servers container object located in Active Directory Sites and Services

Message Queuing server (on a nondomain controller with no routing)

Create MSMQ Configuration Objects

applicable computer object located in Active Directory Users and Computers

Independent client

Create MSMQ Configuration Objects

applicable computer object located in Active Directory Users and Computers

Dependent client

none

not applicable

You can grant these specific permissions to specific users or to all users in a domain using the Delegation of Control Wizard.

For more information on Message Queuing objects, where they are created, and where they are located in Active Directory, see Message Queuing and Active Directory.

For more information on permissions for objects, see Access control for Message Queuing.

For an example of how to grant permissions using the Delegation of Control Wizard, see Set installation permissions to enable upgrade from MSMQ 1.0.

Notes

  • To install Message Queuing, you may also need the Delete MSMQ Configuration Objects permission, because if Setup finds an msmq (MSMQ Configuration) object in Active Directory, it must delete it before creating a new one.

  • To uninstall Message Queuing, you must be granted the Delete MSMQ Configuration Objects permission.