
Trouble setting up MSMQ ACL using PowerShell cmdlet

My MSMQ queue gets created by the PowerShell DSC engine. I can see the queues created. Since the DSC engine runs from the SYSTEM account, the queue owner also gets set to SYSTEM. When I try to set the MSMQ ACL from the PowerShell console I constantly get the following error:

PS C:\Users\Administrator.DOMAIN> whoami; Get-MsmqQueue queue1 | Set-MsmqQueueACL -UserName "Everyone" -Allow FullControl
DOMAIN\administrator
Set-MsmqQueueACL : Failed to set security descriptor. Error code: 3222143013
At line:1 char:50
+ whoami; Get-MsmqQueue incredipay_atm_processor | Set-MsmqQueueACL -UserName "Eve ...
+                                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FullControl:MessageQueueAccessRights) [Set-MsmqQueueACL], Win32Exception
    + FullyQualifiedErrorId : Failed to set security descriptor. Error code: 3222143013,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

I also can't set the MSMQ ACL using a custom DSC resource, which is basically doing the same thing, only from the SYSTEM account. So the question is: is there any way to set MSMQ permissions from within the PowerShell DSC engine using the Set-MSMQQueueACL cmdlet? Or, at least, if I'm able to solve the previously mentioned error, then maybe I'll also be able to solve the DSC problem. I'm running Windows 2012 and WMF 4.0.

Thanks in advance.

Juris Krumins asked Nov 11 '14 14:11


2 Answers

I did something similar recently and hit the same problem. You have to take ownership of the queue first (admin rights required), and then you can change the permissions.

Try these manual steps in the Computer Management snap-in first to check that it solves your error, and then work out how to reproduce it via PowerShell.

  • Start -> Run -> compmgmt.msc
  • Expand "Computer management (Local) -> Services and Applications -> Message Queuing -> Private Queues"
  • Right click -> Properties -> Security -> Advanced -> Owner -> Other users or groups...
  • Enter your user name (DOMAIN\administrator)
  • Click OK, then OK again
  • You should now be able to edit security via script

I ended up writing some PInvoke code to take ownership of the queue using C#, which I compiled on the fly with Add-Type in PowerShell. I can't share it unfortunately as it's proprietary, but this question might give you some pointers:

How do I set the owner of a message queue?

P.S. error code 3222143013 is 0xC00E0025, which translates to MQ_ERROR_ACCESS_DENIED (see http://msdn.microsoft.com/en-us/library/ms700106%28v=vs.85%29.aspx)

mclayton answered Sep 24 '22 05:09
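As an added example (not mclayton's proprietary code, and not taken from the linked question), here is one way to script the take-ownership step above with Add-Type and then apply the ACL as the new owner. It assumes the queue name queue1 from the question, an elevated session on the MSMQ host with the MSMQ PowerShell module loaded, and that the native MQSetQueueSecurity call with OWNER_SECURITY_INFORMATION is the primitive used to change a queue's owner:

```powershell
# Added example: take ownership of a private MSMQ queue, then set its ACL.
# Assumes an elevated session and a caller allowed to take ownership.
Add-Type -AssemblyName System.Messaging
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

public static class MsmqOwner
{
    // Native MSMQ runtime entry point (mqrt.dll). The second argument is a
    // SECURITY_INFORMATION bitmask; OWNER_SECURITY_INFORMATION is 0x1.
    [DllImport("mqrt.dll", CharSet = CharSet.Unicode)]
    static extern int MQSetQueueSecurity(string formatName, int securityInformation, byte[] securityDescriptor);

    public static void Take(string formatName, string account)
    {
        // Resolve "DOMAIN\user" to a SID and build a self-relative descriptor
        // carrying only the owner; the queue's DACL and SACL are not touched.
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        var sd = new RawSecurityDescriptor(ControlFlags.SelfRelative, sid, null, null, null);
        var bytes = new byte[sd.BinaryLength];
        sd.GetBinaryForm(bytes, 0);
        int hr = MQSetQueueSecurity(formatName, 0x1, bytes);
        // A failure surfaces as an HRESULT, e.g. 0xC00E0025 (MQ_ERROR_ACCESS_DENIED).
        if (hr != 0) Marshal.ThrowExceptionForHR(hr);
    }
}
'@

$queueName = 'queue1'                             # assumed: queue name from the question
$queuePath = ".\private$\$queueName"
$newOwner  = "$env:USERDOMAIN\$env:USERNAME"      # the account running this script

# System.Messaging resolves the path to the format name the native API expects.
$formatName = (New-Object System.Messaging.MessageQueue $queuePath).FormatName
[MsmqOwner]::Take($formatName, $newOwner)

# With the owner changed, the cmdlet from the question no longer gets access denied.
# Grant a specific account rather than Everyone/FullControl when hardening for real.
Get-MsmqQueue -Name $queueName | Set-MsmqQueueACL -UserName $newOwner -Allow FullControl
Get-MsmqQueue -Name $queueName | Get-MsmqQueueACL
```

If the native call itself returns MQ_ERROR_ACCESS_DENIED, the session has neither WRITE_OWNER on the queue nor the take-ownership privilege in effect, which is the condition the manual Computer Management steps satisfy for an elevated administrator.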


I've managed to overcome this issue by using the following code in my custom DSC resource:

    # Runs inside the DSC resource (as SYSTEM); the script block itself is executed
    # under $DomainAdministratorCredential, i.e. the account that owns the queue.
    $ScriptBlock = {
        param(
            [String] $QueueName,
            [String] $Username,
            [String[]] $MessageQueueAccessRight,
            [ValidateSet("Allow","Deny")]
            [String] $MessageQueueAccessType
        )
        $params = @{}
        $queue = Get-MSMQQueue -Name $QueueName
        $params.Add("InputObject", $queue)
        $params.Add("Username", $Username)
        # Splat either -Allow or -Deny depending on the requested entry type
        switch ($MessageQueueAccessType)
        {
            "Allow" { $params.Add("Allow", "$MessageQueueAccessRight"); Break }
            "Deny"  { $params.Add("Deny",  "$MessageQueueAccessRight"); Break }
        }
        Set-MsmqQueueACL @params
    }
    # One invocation per right, on the local machine (.) as the domain administrator
    Foreach ($MessageQueueAccessRight in $MessageQueueAccessRights)
    {
        Invoke-Command -ScriptBlock $ScriptBlock -ComputerName . -Credential $DomainAdministratorCredential -ArgumentList $QueueName, $Username, $MessageQueueAccessRight, $MessageQueueAccessType
    }

Of course, it's necessary to use the same approach when the MSMQ queue gets created by DSC. So MSMQ queue creation should be done by the same account that is initially going to adjust the ACLs.

Juris Krumins answered Sep 24 '22 05:09