Here's a challenge I'm running into with AD security and public queues in MSMQ. For users with accounts in the domain/forest that a machine resides in that has public queues built in the directory, those users can view public and private queues from the Computer Management MMC just fine. However, when a user with an account in a trusted domain in a separate forest tries to view the public queue, they receive an error: "Not all public queues can be displayed. Only public queues cached locally can be displayed. Error: The object was not found in Active Directory."

I granted the "Domain Users" group from the trusted domain permissions on the public queue one by one until I finally added the Full Control permission. Still no luck. Auditing security logs on the DCs, I am seeing a failed event for directory service access for the machine account that the queue is built under, for Accesses: READ_CONTROL and ACCESS_SYS_SEC on the mSMQQueue object. I added the machine account to Full Control on the public queue, but still no luck. I also elevated the permissions for both the user and the computer account to the MSMQ root in ADUC instead of the individual queue and am still getting the same errors from both the user and the computer accounts.

Any ideas on what permissions are required (or whether it is possible) for a user account in a separate forest to view MSMQ queues in Active Directory?
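To make the two things the post describes visible side by side (the ACEs actually present on the mSMQQueue objects, and the 4662 directory-service-access failures on the DC), here is an added PowerShell example. It is not from the original post; it assumes the ActiveDirectory module is installed, and the names MSMQHOST01 (the computer whose msmq container holds the public queues), TRUSTEDDOM (the NetBIOS name of the trusted forest's domain) and DC01 (the domain controller whose Security log is read) are placeholders to replace.

```powershell
# Added example, not the poster's own script. Placeholder names below must be
# replaced with real ones before running.
Import-Module ActiveDirectory

$QueueHost        = 'MSMQHOST01'   # placeholder: computer hosting the public queues
$TrustedDomain    = 'TRUSTEDDOM'   # placeholder: NetBIOS name of the trusted forest's domain
$DomainController = 'DC01'         # placeholder: DC whose Security log is queried

# --- Part 1: dump the ACEs on every mSMQQueue object under the host computer ---
$computer = Get-ADComputer -Identity $QueueHost
$queues = Get-ADObject -LDAPFilter '(objectClass=mSMQQueue)' `
    -SearchBase $computer.DistinguishedName -SearchScope Subtree

# Match ACEs for principals from the trusted domain and for the host's own
# machine account (which appears as DOMAIN\MSMQHOST01$).
$trustedPattern = '{0}\*' -f $TrustedDomain
$machinePattern = '*\{0}$' -f $QueueHost

foreach ($q in $queues) {
    Write-Host "Queue object: $($q.DistinguishedName)"
    # The AD: provider (loaded by Import-Module) exposes the object's ACL to Get-Acl
    $acl = Get-Acl -Path ("AD:\" + $q.DistinguishedName)
    $acl.Access |
        Where-Object {
            $_.IdentityReference -like $trustedPattern -or
            $_.IdentityReference -like $machinePattern
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType |
        Format-Table -AutoSize
}

# --- Part 2: pull the failed directory service access events (4662) ---
# Keywords 0x8010000000000000 is the "Audit Failure" keyword.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    Keywords  = 0x8010000000000000
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $m = $_.Message
    # Extract the fields of interest from the event text; the Accesses block is
    # multi-line and ends where the Access Mask line begins.
    $account  = if ($m -match 'Account Name:\s+(\S+)')   { $Matches[1] } else { '' }
    $domain   = if ($m -match 'Account Domain:\s+(\S+)') { $Matches[1] } else { '' }
    $objName  = if ($m -match 'Object Name:\s+(.+)')     { $Matches[1].Trim() } else { '' }
    $accesses = if ($m -match 'Accesses:\s+([\s\S]*?)\s+Access Mask:') {
        ($Matches[1] -split '\s+' | Where-Object { $_ }) -join ','
    } else { '' }

    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Account     = "$domain\$account"
        ObjectName  = $objName
        Accesses    = $accesses
    }
} |
    # Keep only the failures involving the machine account or the trusted domain,
    # and the two access types named in the post.
    Where-Object {
        ($_.Account -like $machinePattern -or $_.Account -like $trustedPattern) -and
        ($_.Accesses -match 'READ_CONTROL|ACCESS_SYS_SEC')
    } |
    Format-Table -AutoSize
```

Part 1 shows whether the Full Control entries added in ADUC actually landed on the queue objects as explicit or inherited ACEs for the right SIDs, which is worth confirming when the granting principal lives in another forest. Part 2 correlates the 4662 failures with the account and object they were raised for; object-level auditing (a SACL on the queue objects) must already be in place for those events to exist, which matches the post's description of seeing them.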