Discussion:
Security descriptor cannot be set
Dave Booker
2007-03-16 22:00:41 UTC
I'm a member of the Administrators group on a Windows 2003 Server x64
machine, and I'm trying to change ownership and permissions on a Public
Message Queue, but every time I try to do something through Computer
Management to existing Queues I get a Message Queuing Error: "The security
descriptor cannot be set. Error: Access is denied."

Any tips or tricks I could try to modify the MQ's owner or security settings?
Frank Boyne
2007-03-19 07:22:09 UTC
Post by Dave Booker
> I'm a member of the Administrators group on a Windows 2003 Server x64
> machine, and I'm trying to change ownership and permissions on a Public
> Message Queue, but every time I try to do something through Computer
> Management to existing Queues I get a Message Queuing Error: "The security
> descriptor cannot be set. Error: Access is denied."
> Any tips or tricks I could try to modify the MQ's owner or security settings?

Have you tried just changing ownership first? I don't do much security
stuff but my understanding is that an Administrator should always be
able to take ownership of a security descriptor even if there's a Deny
DACL that would otherwise prevent that. Similarly, the owner of a
Security Descriptor should always be able to set permissions in the
Security Descriptor even if a Deny DACL would otherwise prevent it.

So, if you first take ownership of the queue (and only do that) you
should be allowed to because you are an Administrator. Once you've
taken ownership then, as the owner, you should be able to change
permissions. You have to do it as two separate steps because otherwise
you are effectively trying to change permissions before you are the
owner.

If that doesn't work, you could try manipulating the queue's security
descriptor programmatically but that can get to be a bit of a pain.
Dave Booker
2007-03-19 13:28:08 UTC
Even just trying to change MQ ownership we get this error!
Frank Boyne
2007-03-20 03:46:21 UTC
Post by Dave Booker
> Even just trying to change MQ ownership we get this error!

That's annoying.

You could try changing ownership programmatically. This post is almost
five years old but I _think_ it should still be valid (but I haven't
checked)...

http://groups.google.com/group/microsoft.public.msmq.security/browse_thread/thread/39a486cc11de7cb7/740ea8d57778bd15?lnk=st&q=&rnum=3&hl=en#740ea8d57778bd15

The post references another Microsoft article that defined the
SetPrivilege function. That reference isn't any use now, but this one
should work...

http://msdn2.microsoft.com/en-us/library/aa446619.aspx

The original post both took ownership and changed the DACL to null so
that Everyone could access the queue. If you just want to change
ownership then I think you could omit all the DACL stuff.

I should note that basically this code just calls MQSetQueueSecurity so
you might end up suffering the same access denied error as you have in
the past.
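
The programmatic route discussed in the post above, as an added example that is not part of the thread or of the linked post: it enables SeTakeOwnershipPrivilege and then calls MQSetQueueSecurity with only the owner field set, leaving the DACL untouched. The names QueueOwner and TakeOwnership and the queue format name are assumptions made for illustration, and Add-Type assumes PowerShell 2.0 or later.

```powershell
# Added example. QueueOwner/TakeOwnership are hypothetical names; the format name is a placeholder.
Add-Type -TypeDefinition @'
using System; using System.ComponentModel; using System.Runtime.InteropServices;
using System.Security.Principal;
public static class QueueOwner {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv { public uint Count; public long Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TokPriv state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool InitializeSecurityDescriptor(IntPtr sd, uint revision);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetSecurityDescriptorOwner(IntPtr sd, IntPtr owner, bool defaulted);
    [DllImport("mqrt.dll", CharSet = CharSet.Unicode)]
    static extern int MQSetQueueSecurity(string formatName, uint info, IntPtr sd);

    public static void TakeOwnership(string formatName) {
        // Step 1: enable SeTakeOwnershipPrivilege (held by Administrators, disabled by default).
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out token)) throw new Win32Exception();
        TokPriv tp = new TokPriv(); tp.Count = 1; tp.Attr = 2;          // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, "SeTakeOwnershipPrivilege", out tp.Luid)) throw new Win32Exception();
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error(); CloseHandle(token);
        if (err != 0) throw new Win32Exception(err);                    // 1300: privilege not held

        // Step 2: absolute descriptor carrying only an owner (the calling user); no DACL.
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
        byte[] raw = new byte[me.BinaryLength]; me.GetBinaryForm(raw, 0);
        IntPtr sid = Marshal.AllocHGlobal(raw.Length), sd = Marshal.AllocHGlobal(64);
        try {
            Marshal.Copy(raw, 0, sid, raw.Length);
            if (!InitializeSecurityDescriptor(sd, 1) || !SetSecurityDescriptorOwner(sd, sid, false))
                throw new Win32Exception();
            int hr = MQSetQueueSecurity(formatName, 1, sd);            // OWNER_SECURITY_INFORMATION
            if (hr != 0) throw new InvalidOperationException("MQSetQueueSecurity: 0x" + hr.ToString("X8"));
        } finally { Marshal.FreeHGlobal(sid); Marshal.FreeHGlobal(sd); }
    }
}
'@
[QueueOwner]::TakeOwnership('PUBLIC=00000000-0000-0000-0000-000000000000')   # placeholder queue GUID
```

Changing the DACL would be a second, separate MQSetQueueSecurity call made once the ownership change has succeeded.
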
Frank Boyne
2007-03-20 18:05:18 UTC
Post by Frank Boyne
> I should note that basically this code just calls MQSetQueueSecurity
> so you might end up suffering the same access denied error as you have
> in the past.

I should have mentioned that another thing you could try would be to
install and use "Active Directory Users and Computers".

Find a suitable Windows _Server_ CD or DVD (e.g., Windows 2000 or
Windows Server 2003) and you should be able to find an msi called
adminpak.msi (probably under support tools). Install that msi (on a
client or server system) and you'll find a bunch of Active Directory
tools under the Administrative Tools menu on Start | Programs.

Run the tool called "Active Directory Users and Computers" and you
should be able to use Find to look for MSMQ Queues - "Message Queuing
Queue" should be one of the types in the Find drop down box. Find your
problem queue and then right click on it and select Properties. This
should give you another route to the queue's security descriptor and (I
think) a route via Active Directory code rather than MSMQ code. Again I
think you'll need to take ownership of the queue first and then change
permissions.

I'm not sure but you may need to be a domain admin to get this to work.