[Windows]

Creating and setting up Windows domain accounts for IBM MQ

This information is for Domain Administrators. Use this information to create and set up a special domain account for the IBM® MQ service. Do this if IBM MQ is to be installed on a Windows domain where local accounts do not have the authority to query the group membership of the domain user accounts.

About this task

After you add a local user to the mqm group, that user can administer IBM MQ on the system. This task describes how to do the same using Windows domain user IDs.

There is an IBM MQ component for checking Windows privileges. This component runs as a Windows service under a local user account created by IBM MQ at installation. This component checks that the account under which the IBM MQ services are run has the following privileges:
  • The account has the ability to query group memberships of domain accounts.
  • The account has the authority to administer IBM MQ.
If the account does not have the ability to query group memberships, the access checks made by the services fail.

Windows domain controllers running Windows Active Directory can be set up so that local accounts do not have the authority to query the group membership of the domain user accounts. This prevents IBM MQ from completing its checks, and access fails. If you are using Windows on a domain controller that has been set up in this way, you must instead use a special domain user account with the required permissions.

Each installation of IBM MQ on the network must be configured to run its service under a domain user account that has the required authority to check that users who are defined on the domains are authorized to access queue managers or queues. Typically, this special account has the IBM MQ administrator rights through membership of the domain group DOMAIN\Domain mqm. The domain group is automatically nested by the installation program under the local mqm group of the system on which IBM MQ is being installed.

Important:
  1. By default, Windows 10 version 1607 or later, and Windows Server 2016 or later, are more restrictive than earlier versions of Windows. These later versions restrict clients allowed to make remote calls to the Security Accounts Manager (SAM), and could prevent IBM MQ queue managers from starting. Access to SAM is critical for the functioning of IBM MQ when IBM MQ is configured as a domain account.
  2. The IBM MQ installer must be given the user ID and password details of the special domain user account. The installer can then use this information to configure the IBM MQ service after the product is installed. If an installer continues and configures IBM MQ without a special account, many or all parts of IBM MQ will not work, depending upon the particular user accounts involved, as follows:
    • IBM MQ connections to queue managers running under Windows domain accounts on other computers might fail.
    • Typical errors include AMQ8066: Local mqm group not found and AMQ8079: Access was denied when attempting to retrieve group membership information for user 'abc@xyz'.

You must repeat steps 1 and 8 of the following procedure for each domain that has user names that will administer IBM MQ. This creates an account for IBM MQ on each domain.

Procedure

Create a domain group with a special name that is known to IBM MQ (see 4) and give members of this group the authority to query the group membership of any account.

  1. Log on to the domain controller as an account with domain administrator authority.
  2. From the Start menu, open Active Directory Users and Computers.
  3. Find the domain name in the navigation pane, right-click it and select New Group.
  4. Type a group name into the Group name field.
    Note: The preferred group name is Domain mqm. Type it exactly as shown.
    • Calling the group Domain mqm modifies the behavior of the Prepare IBM MQ Wizard on a domain workstation or server. It causes the Prepare IBM MQ Wizard automatically to add the group Domain mqm to the local mqm group on each new installation of IBM MQ in the domain.
    • You can install workstations or servers in a domain with no Domain mqm global group. If you do so, you must define a group with the same properties as Domain mqm group. You must make that group, or the users that are members of it, members of the local mqm group wherever IBM MQ is installed in a domain. You can place domain users into multiple groups. Create multiple domain groups, each group corresponding to a set of installations that you want to manage separately. Split domain users, according to the installations they manage, into different domain groups. Add each domain group or groups to the local mqm group of different IBM MQ installations. Only domain users in the domain groups that are members of a specific local mqm group can create, administer, and run queue managers for that installation.
    • The domain user that you nominate when installing IBM MQ on a workstation or server in a domain must be a member of the Domain mqm group, or of an alternative group you defined with same properties as the Domain mqm group.
  5. Leave Global clicked as the Group scope, or change it to Universal. Leave Security clicked as the Group type. Click OK.
  6. Follow these steps to assign permissions to the group based on the Windows version of the domain controller:
    On Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022:
    1. In the Server Manager, click Tools then select Active Directory Users and Computers from the list box.
    2. Select View > Advanced Features.
    3. Expand your domain name, then click Users.
    4. In the Users window, right-click Domain mqm > Properties.
    5. On the Security tab, click Advanced > Add....
    6. Click Select principle, then type Domain mqm and click Check names > OK.

      The Name field is prefilled with the string Domain mqm (domain name\Domain mqm).

    7. In the Applies to list, select Descendant User Objects.
    8. In the Permissions list, select the Read group membership and Read groupMembershipSAM check boxes.
    9. Click OK > Apply > OK > OK.
    On Windows Server 2008 and Windows 2008 R2:
    1. In the Server Manager navigation tree, click Users.
    2. In the Server Manager action bar, click View > Advanced features.
    3. In the Users window, right-click Domain mqm > Properties.
    4. On the Security tab, click Advanced > Add, then type Domain mqm and click Check names > OK.

      The Name field is prefilled with the string Domain mqm (domain name\Domain mqm)

    5. Click Properties. In the Apply to list, select Descendant User Objects.
    6. In the Permissions list, select the Read group membership and Read groupMembershipSAM check boxes.
    7. Click OK > Apply > OK > OK.

Create one or more accounts, and add them to the group.

  1. Open Active Directory Users and Computers.
  2. Create one or more user accounts with names of your choosing.

    In the Server Manager navigation tree, right click Users to create a new user account.

  3. Add each new account to the group Domain mqm or a group that is a member of the local mqm group.
    Attention: You cannot use a user domain named mqm on Windows.

Create an account for IBM MQ on each domain.

  1. Repeat step sections 1 and 8 for each domain that has user names that will administer IBM MQ.

Use the accounts to configure each installation of IBM MQ.

  1. Either use the same domain user account (as created in Step 1 ) for each installation of IBM MQ, or create a separate account for each one, adding each to the Domain mqm group (or a group that is a member of the local mqm group).
  2. When you have created the account or accounts, give one to each person configuring an installation of IBM MQ. They must enter the account details (domain name, user name, and password) into the Prepare IBM MQ Wizard. Give them the account that exists on the same domain as their installing userid.
  3. When you install IBM MQ on any system on the domain, the IBM MQ installation program detects the existence of the Domain mqm group on the LAN, and automatically adds it to the local mqm group. (The local mqm group is created during installation; all user accounts in it have authority to manage IBM MQ ). Thus all members of the Domain mqm group will have authority to manage IBM MQ on this system.
  4. However, you do still need to provide a domain user account (as created in Step 1 ) for each installation, and configure IBM MQ to use it when making its queries. The account details must be entered into the Prepare IBM MQ Wizard that runs automatically at the end of installation (the wizard can also be run at any time from the start menu).

Set the password expiry periods.

  1. Choices:
    • If you use just one account for all users of IBM MQ, consider making the password of the account never expire, otherwise all instances of IBM MQ will stop working at the same time when the password expires.
    • If you give each user of IBM MQ their own user account you will have more user accounts to create and manage, but only one instance of IBM MQ will stop working at a time when the password expires.

    If you set the password to expire, warn the users that they will see a message from IBM MQ each time it expires - the message warns that the password has expired, and describes how to reset it.

Use a Windows domain account as the user ID for the IBM MQ service.

  1. Click Start > Run....
    Type the command secpol.msc then click OK.
  2. Open Security Settings > Local Policies > User Rights Assignments.
    In the list of policies, right-click Log on as a service > Properties.
  3. Click Add User or Group....
    Type the name of the user you obtained from your domain administrator, and click Check Names.
  4. If prompted by a Windows Security window, type the user name and password of an account user or administrator with sufficient authority, then click OK > Apply > OK.
    Close the Local Security Policy window.
    Note: User Account Control (UAC) is enabled by default. The UAC feature restricts the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. You must take appropriate steps to overcome this restriction.