Installing MSMQ can be a SELF-ish act

There's one thing with the documentation/help for installing MSMQ that confuses me - it talks about the Active Directory permissions required for the logged-in account, but I've noticed setup doesn't really care. For an independent client at least, all you need is for the SELF special account to have "Create All Child Objects" on the corresponding Computer Object in Active Directory.

I tried a simple test arrangement - a Windows Vista independent client-to-be and a Windows 2003 domain controller, both in the same domain. The logged-in account is a domain user added to the local Administrators group (I have to make some concessions). I tweaked the permissions on the Windows Vista machine's computer object as follows:

| Permissions for the domain user account | Permissions for the SELF special account | Result of installing MSMQ on Vista machine |
|---|---|---|
| None | None | Event 2116 – Access Denied 0xC00E0025 |
| None | “Create all child objects” | Success |
| “Create all child objects” | None | Event 2116 – Access Denied 0xC00E0025 |
| “Create all child objects” | “Create all child objects” | Success |

I found that even an Enterprise admin will get Access Denied if SELF doesn't have the access it needs - I think SELF here resolves to the machine account you are installing MSMQ on.
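One way to check this prerequisite on a computer object before running setup, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) and the AD: drive it provides, which are newer than the Vista/2003 setup described above; "Create all child objects" shows up as a CreateChild ACE whose ObjectType is the all-zero GUID.

```powershell
# Added example: report whether the SELF principal (S-1-5-10, "NT AUTHORITY\SELF")
# holds "Create All Child Objects" on a computer object in Active Directory.
# Assumes the ActiveDirectory module is installed; the function name is hypothetical.
Import-Module ActiveDirectory

function Test-MsmqSelfCreateChild {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    # An all-zero ObjectType means the ACE covers every child object class,
    # which is what the GUI labels "Create all child objects".
    $allClasses  = [guid]::Empty
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    $selfAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        (($_.ActiveDirectoryRights -band $createChild) -ne 0)
    }

    # Explicit or inherited Allow for all classes, with no Deny on CreateChild.
    $allow = @($selfAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $allClasses
    })
    $deny  = @($selfAces | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Computer           = $computer.DistinguishedName
        SelfCanCreateChild = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        SelfCreateChildAces = $selfAces
    }
}

# Usage: run as a user who can read the computer object's security descriptor.
# Test-MsmqSelfCreateChild -ComputerName 'VISTA-CLIENT'   # name is a placeholder
```

A result of SelfCanCreateChild = False lines up with the Event 2116 / 0xC00E0025 rows in the table above, so the ACE can be corrected before setup is attempted.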

I must dig further into this to find out what's really happening.


Reference

Well-known security identifiers in Windows operating systems

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.