MQ Domain MQM group |
rammer |
Posted: Tue Jul 18, 2017 6:53 am Post subject: MQ Domain MQM group |
|
|
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
|
Hi Ladies & Gentlemen
I don't have an environment to test on just yet but I have hopefully a quick question.
Env Windows 2012
MQ 8.0.x
MQ is installed and the service is set to run as a user account that is part of the "domain mqm" account.
Domain mqm is embedded into the mqm local group on the Windows server.
My user ID is NOT part of Domain mqm group.
If it's added to the local mqm group, does that mean I will have access to manage MQ locally?
Thank you in advance
JosephGramig |
Posted: Tue Jul 18, 2017 7:07 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
If you are in the same DOMAIN as the account that runs MQ, you will be good. If not, I think you will have trouble.
This is one of the reasons I try to avoid Windows for MQ Servers. Works fine, so long as you keep things simple. |
rammer |
Posted: Tue Jul 18, 2017 7:16 am Post subject: |
|
|
Partisan
Joined: 02 May 2002 Posts: 359 Location: England
|
Yeah, it's years since I did anything on Windows and at the moment I don't have access to a server to test it.
I won't be in the same DOMAIN Group, just local mqm and possibly admin group.
I just can't remember if it worked for me back then! And I can't find my notes grrrrr
exerk |
Posted: Tue Jul 18, 2017 1:15 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Try it and see what happens - you will not be surprised, pleasantly or otherwise.
From memory, any attempt to create a queue manager as a non-domain account, in a domain environment, should get a failure because the local ID should fail the look-up in the DC, irrespective of the fact the non-domain ID is in the mqm group (I'm almost sure that a look-up is done each time you try and do something to a domain-created/controlled queue manager and isn't cached); and being in the Windows Admin group no longer gives you the same access that you got pre-V8.0, they've finally fixed that back-door.
Mind you, it's a long time since I did anything 'domainy' on Wintel so I may well be talking spherical dangly things, in which case I'm sure someone will be along soon to trout me.
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
fjb_saper |
Posted: Wed Jul 19, 2017 2:46 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
exerk wrote: |
Try it and see what happens - you will not be surprised, pleasantly or otherwise.
From memory, any attempt to create a queue manager as a non-domain account, in a domain environment, should get a failure because the local ID should fail the look-up in the DC, irrespective of the fact the non-domain ID is in the mqm group (I'm almost sure that a look-up is done each time you try and do something to a domain-created/controlled queue manager and isn't cached); and being in the Windows Admin group no longer gives you the same access that you got pre-V8.0, they've finally fixed that back-door.
Mind you, it's a long time since I did anything 'domainy' on Wintel so I may well be talking spherical dangly things, in which case I'm sure someone will be along soon to trout me. |
You escaped the trout this time. However, if you are in the local admin group, you can run as "administrator" and that still gives you all rights on MQ.
Privileged users on Windows are users in the local mqm group and users in the local admin group.... I suspect you could do some cross domain stuff but the service account would need the same rights on the "cross domain" (not guaranteed to work. Untested...)
Have fun  _________________ MQ & Broker admin |
exerk |
Posted: Wed Jul 19, 2017 3:12 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
fjb_saper wrote: |
...However if you are in the local admin group, you can run as "administrator" and that still gives you all rights on MQ... |
That's where I got a bit woolly - on my sandbox I had to put my admin ID in the mqm group to get everything to work, even though my admin ID was already in the Administrators group, but it is a stand-alone box and not on a domain.
Thank you for clearing that up. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
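
An added example, not posted by anyone in the thread: a PowerShell check an administrator could run on the MQ server to see which accounts sit in the two local groups the thread names as MQ-privileged (mqm and Administrators), and whether the current logon token carries local mqm. It assumes the LocalAccounts cmdlets (Windows PowerShell 5.1) are available, and it only reports Windows group membership; it does not test what MQ itself will authorise.

```powershell
# Added example (not from the thread): audit membership of the local groups the
# thread names as MQ-privileged on Windows. Reports membership only.
# Assumes the LocalAccounts cmdlets (Windows PowerShell 5.1) are present.
$groups   = 'mqm', 'Administrators'      # group names as given in the thread
$computer = $env:COMPUTERNAME

$report = foreach ($group in $groups) {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        Write-Warning "Cannot enumerate local group '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        # Names are AUTHORITY\name; an authority equal to the computer name is a local principal.
        $authority = ($m.Name -split '\\', 2)[0]
        [pscustomobject]@{
            LocalGroup  = $group
            Member      = $m.Name
            ObjectClass = $m.ObjectClass
            Scope       = if ($authority -eq $computer) { 'Local' } else { 'NonLocal' }
            SID         = $m.SID.Value
        }
    }
}
$report | Sort-Object LocalGroup, Scope, Member | Format-Table -AutoSize

# Nested non-local groups (such as a domain group placed inside local mqm) extend
# the privilege to accounts that never appear in the table above.
$nested = $report | Where-Object { $_.ObjectClass -eq 'Group' -and $_.Scope -eq 'NonLocal' }
foreach ($n in $nested) {
    Write-Output "Review members of $($n.Member) (nested in local $($n.LocalGroup))"
}

# Does the current logon token carry local mqm? A group change only shows up
# in a token issued after the change, i.e. after a new logon.
$mqm = Get-LocalGroup -Name 'mqm' -ErrorAction SilentlyContinue
if ($mqm) {
    $tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
    $inToken = $tokenSids -contains $mqm.SID.Value
    Write-Output "Local mqm present in current token: $inToken"
} else {
    Write-Warning "No local group named 'mqm' found on $computer"
}
```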