Failed to configure MSMQ ACL using PowerShell cmdlet

My MSMQ queue is created by the PowerShell DSC engine, and I can see that the queues are created. Because the DSC engine runs under the SYSTEM account, the queue owner is also set to SYSTEM. When I try to set the MSMQ ACL from the PowerShell console, I keep getting the following error:

  PS C:\Users\Administrator.DOMAIN> whoami; Get-MsmqQueue queue1 | Set-MsmqQueueACL -UserName "Everyone" -Allow FullControl
  DOMAIN\administrator
  Set-MsmqQueueACL : Failed to set security descriptor. Error code: 3222143013
  At line:1 char:50
  + whoami; Get-MsmqQueue incredipay_atm_processor | Set-MsmqQueueACL -UserName "Eve ...
  +                                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidResult: (FullControl:MessageQueueAccessRights) [Set-MsmqQueueACL], Win32Exception
      + FullyQualifiedErrorId : Failed to set security descriptor. Error code: 3222143013,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

I also cannot set the MSMQ ACL using a custom DSC resource, which basically does the same thing, only from the SYSTEM account. So the question is: is there a way to set MSMQ permissions from the PowerShell DSC engine using the Set-MSMQQueueACL cmdlet? Or, at least, if I can solve the error above, maybe I can solve the DSC problem as well. I am running Windows 2012 and WMF 4.0.

Thanks in advance.

+5
4 answers

I was able to get around this problem with the following code in my custom DSC resource:

  # Runs Set-MsmqQueueACL under the supplied credential instead of the SYSTEM account
  $ScriptBlock = {
      param(
          [String] $QueueName,
          [String] $Username,
          [String[]] $MessageQueueAccessRight,
          [ValidateSet("Allow","Deny")] [String] $MessageQueueAccessType
      )
      $params = @{}
      $queue = Get-MSMQQueue -Name $QueueName
      $params.Add("InputObject", $queue)
      $params.Add("Username", $Username)
      # Map the requested access type onto the cmdlet's -Allow / -Deny parameter
      switch ($MessageQueueAccessType) {
          "Allow" { $params.Add("Allow", "$MessageQueueAccessRight"); Break; }
          "Deny"  { $params.Add("Deny",  "$MessageQueueAccessRight"); Break; }
      }
      Set-MsmqQueueACL @params
  }

  # One remoting call per access right, executed locally ("." = this computer) as the domain administrator
  Foreach ($MessageQueueAccessRight in $MessageQueueAccessRights) {
      Invoke-Command -ScriptBlock $ScriptBlock -ComputerName . -Credential $DomainAdministratorCredential `
          -ArgumentList $QueueName, $Username, $MessageQueueAccessRight, $MessageQueueAccessType
  }

Of course, you must use the same approach when the MSMQ queue is created by DSC. That is, the MSMQ queue must be created by the same account that is going to configure the ACL.

+1

I did something similar recently and hit the same problem. First you must take ownership of the queue (you need administrator rights), and then you can change the permissions.

First try these steps manually in the Computer Management snap-in to see if your error goes away, and then figure out how to reproduce it in PowerShell.

  • Start → Run → compmgmt.msc
  • Expand "Computer Management (Local) → Services and Applications → Message Queuing → Private Queues"
  • Right-click → Properties → Security → Advanced → Owner → Other Users or Groups ...
  • Enter your username (DOMAIN\administrator)
  • Click OK, then OK again
  • Now you can edit security via script

I ended up writing P/Invoke code in C# to take ownership of a queue, which I compiled with Add-Type in PowerShell. Unfortunately I cannot share it, as it is proprietary, but this question may give you some pointers:

How to set the owner of a message queue?

PS: error code 3222143013 is 0xC00E0025, which corresponds to MQ_ERROR_ACCESS_DENIED (see http://msdn.microsoft.com/en-us/library/ms700106%28v=vs.85%29.aspx )

+2

To do this in DSC, you can run your command under different credentials by writing your own DSC resource with a [PSCredential] parameter.

To do this, you need to make significant changes to your DSC infrastructure. See my answer to this question: https://serverfault.com/questions/632390/protecting-credentials-in-desired-state-configuration-using-certificates/#632836

If you just want to test before making those changes, you can tell DSC to allow your credentials to be stored in clear text by setting PSDscAllowPlainTextPassword = $true in your configuration data (see here for more details).

0
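The two points above, creating the queue and setting its ACL under the same non-SYSTEM account (first answer) and passing that account into DSC as a [PSCredential] with PSDscAllowPlainTextPassword for a test run (this answer), can be combined without a custom resource by using the Credential property of the built-in Script resource. The following is an added example and is not code from the question or from any of the answers; the queue name 'queue1', the account 'Everyone', the node name and the output path are placeholders, and it assumes the MSMQ module's Get-MsmqQueueACL accepts the queue object from the pipeline.

```powershell
# Added example (not from the question or the answers). Placeholders: queue name,
# 'Everyone', node name, output path. Runs on the node that hosts MSMQ.
Configuration MsmqQueueAcl
{
    param(
        # Account that will own the queue; it must be an MSMQ / local administrator.
        [Parameter(Mandatory)] [PSCredential] $OwnerCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        Script QueueWithAcl
        {
            # All three script blocks run as $OwnerCredential instead of SYSTEM, so the
            # account that creates the queue is the same one that later edits its ACL.
            Credential = $OwnerCredential

            GetScript = {
                Import-Module MSMQ
                $q   = Get-MsmqQueue -Name 'queue1' -QueueType Private
                $acl = if ($q) { $q | Get-MsmqQueueACL | Out-String } else { 'queue missing' }
                @{ Result = $acl }
            }

            TestScript = {
                Import-Module MSMQ
                $q = Get-MsmqQueue -Name 'queue1' -QueueType Private
                if (-not $q) { return $false }
                # Assumption: the rendered ACL contains the account name. Matching the text
                # avoids depending on the exact property names of the ACL objects.
                ($q | Get-MsmqQueueACL | Out-String) -match 'Everyone'
            }

            SetScript = {
                Import-Module MSMQ
                $q = Get-MsmqQueue -Name 'queue1' -QueueType Private
                if (-not $q) { $q = New-MsmqQueue -Name 'queue1' -QueueType Private }
                try {
                    $q | Set-MsmqQueueACL -UserName 'Everyone' -Allow FullControl
                }
                catch {
                    # Show the cmdlet's decimal error code as an HRESULT so it can be looked
                    # up: 3222143013 -> 0xC00E0025 (MQ_ERROR_ACCESS_DENIED), the code you get
                    # when the calling account does not own the queue.
                    $hex = if ($_.Exception.Message -match 'Error code: (\d+)') {
                        '0x{0:X8}' -f [uint32]$Matches[1]
                    } else { 'unknown' }
                    throw "Set-MsmqQueueACL failed with HRESULT ${hex}: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Configuration data for a TEST run only: the password is written to the MOF in clear text.
# For real deployments use CertificateFile / Thumbprint in the node data instead so the
# MOF is encrypted (the certificate-based setup described in the linked answer).
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$cred = Get-Credential -UserName 'DOMAIN\administrator' -Message 'Account that will own the MSMQ queue'
MsmqQueueAcl -OwnerCredential $cred -ConfigurationData $ConfigData -OutputPath .\MsmqQueueAcl
Start-DscConfiguration -Path .\MsmqQueueAcl -Wait -Verbose -Force
```

Because TestScript checks for the account in the queue's ACL rather than only for the queue's existence, a later manual change that drops the entry is repaired on the next consistency check; the decoded HRESULT in SetScript's error message makes an ownership problem recognisable in the DSC event log without looking up the decimal value.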

I also wrote my own DSC resource for creating/modifying MSMQ queues in my web farm. Since DSC runs as SYSTEM, you must make sure that the SYSTEM account has access to create/modify MSMQ on the node.

There is a way to run DSC under a specific account. If you do that, you should make sure that you are logged in under that account when trying to create/modify your MsmqQueue.

I understand that I am responding to an old thread, but someone else may run into the same problem in the near future and land on this thread.

Enjoy and good luck!

0

Source: https://habr.com/ru/post/1206638/
