MQ Domain MQM group
rammer
Posted: Tue Jul 18, 2017 6:53 am Post subject: MQ Domain MQM group

Partisan

Joined: 02 May 2002
Posts: 343
Location: England majority USA the rest..

Hi Ladies & Gentlemen

I don't have an environment to test on just yet but I have hopefully a quick question.

Env Windows 2012
MQ 8.0.x

MQ is installed and the service is set to run as a user account that is part of the "domain mqm" account.

Domain mqm is embedded into the mqm local group on the Windows server.

My user ID is NOT part of Domain mqm group.

If it's added to the local mqm group, does that mean I will have access to manage MQ locally?

Thank you in advance
JosephGramig
Posted: Tue Jul 18, 2017 7:07 am

Grand Master

Joined: 09 Feb 2006
Posts: 1184
Location: Derby City, USA

If you are in the same DOMAIN as the account that runs MQ, you will be good. If not, I think you will have trouble.

This is one of the reasons I try to avoid Windows for MQ Servers. Works fine, so long as you keep things simple.
rammer
Posted: Tue Jul 18, 2017 7:16 am

Partisan

Joined: 02 May 2002
Posts: 343
Location: England majority USA the rest..

Yeah, it's years since I did anything on Windows and at the moment I don't have access to a server to test it.

I won't be in the same DOMAIN group, just local mqm and possibly admin group.

I just can't remember if it worked for me back then! And I can't find my notes grrrrr
exerk
Posted: Tue Jul 18, 2017 1:15 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 5773

Try it and see what happens - you will not be surprised, pleasantly or otherwise.

From memory, any attempt to create a queue manager as a non-domain account, in a domain environment, should get a failure because the local ID should fail the look-up in the DC, irrespective of the fact the non-domain ID is in the mqm group (I'm almost sure that a look-up is done each time you try and do something to a domain-created/controlled queue manager and isn't cached); and being in the Windows Admin group no longer gives you the same access that you got pre-V8.0, they've finally fixed that back-door.

Mind you, it's a long time since I did anything 'domainy' on Wintel so I may well be talking spherical dangly things, in which case I'm sure someone will be along soon to trout me.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

fjb_saper
Posted: Wed Jul 19, 2017 2:46 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19499
Location: LI,NY

exerk wrote:
Try it and see what happens - you will not be surprised, pleasantly or otherwise.

From memory, any attempt to create a queue manager as a non-domain account, in a domain environment, should get a failure because the local ID should fail the look-up in the DC, irrespective of the fact the non-domain ID is in the mqm group (I'm almost sure that a look-up is done each time you try and do something to a domain-created/controlled queue manager and isn't cached); and being in the Windows Admin group no longer gives you the same access that you got pre-V8.0, they've finally fixed that back-door.

Mind you, it's a long time since I did anything 'domainy' on Wintel so I may well be talking spherical dangly things, in which case I'm sure someone will be along soon to trout me.


You escaped the trout this time. However, if you are in the local admin group, you can run as "administrator" and that still gives you all rights on MQ.
Privileged users on Windows are users in the local mqm group and users in the local admin group.... I suspect you could do some cross domain stuff but the service account would need the same rights on the "cross domain" (not guaranteed to work. Untested...)



Have fun
_________________
MQ & Broker admin
exerk
Posted: Wed Jul 19, 2017 3:12 am

Jedi Council

Joined: 02 Nov 2006
Posts: 5773

fjb_saper wrote:
...However if you are in the local admin group, you can run as "administrator" and that still gives you all rights on MQ...

That's where I got a bit woolly - on my sandbox I had to put my admin ID in the mqm group to get everything to work, even though my admin ID was already in the Administrators group, but it is a stand-alone box and not on a domain.

Thank you for clearing that up.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
