Creating and setting up domain accounts for IBM WebSphere MQ

The following information is intended for domain administrators. Use it to create and set up the domain group and domain accounts that IBM® WebSphere® MQ uses on Windows.

About this task

Steps 1 and 2 create the group and accounts in one domain. Repeat them for each domain that contains users who will install IBM WebSphere MQ, so that an account for IBM WebSphere MQ exists in every such domain:

Procedure

  1. Create a domain group with a special name that is known to IBM WebSphere MQ and give members of this group the authority to query the group membership of any account:
    1. Log on to the domain controller as an account with domain administrator authority.
    2. From the Start menu, open Active Directory Users and Computers.
    3. Find the domain name in the navigation pane, right-click it and select New Group.
    4. Type a group name into the Group name field.
      Note: The preferred group name is Domain mqm. Type it exactly as shown, including the space.
      • Calling the group Domain mqm changes the behavior of the Prepare IBM WebSphere MQ wizard on a domain workstation or server: the wizard then adds the Domain mqm group to the local mqm group automatically on each new installation of IBM WebSphere MQ in the domain.
      • You can install workstations or servers in a domain that has no Domain mqm global group. If you do so, you must define a group with the same properties as the Domain mqm group, and you must make that group, or the users that are members of it, members of the local mqm group wherever IBM WebSphere MQ is installed in the domain. You can place domain users into multiple groups. To manage sets of installations separately, create one domain group per set, split the domain users into those groups according to the installations they manage, and add each domain group to the local mqm group of the corresponding installations. Only domain users in the domain groups that are members of a specific local mqm group can create, administer, and run queue managers for that installation.
      • The domain user that you nominate when installing IBM WebSphere MQ on a workstation or server in a domain must be a member of the Domain mqm group, or of an alternative group that you defined with the same properties as the Domain mqm group.
    5. Leave Global clicked as the Group scope, or change it to Universal. Leave Security clicked as the Group type. Click OK.
    6. Follow these steps to assign permissions to the group based on the Windows version of the domain controller:
      On Windows Server 2008 and later versions:
      1. In Server Manager, open Active Directory Users and Computers and click View > Advanced Features (the Security tab is hidden unless Advanced Features is on).
      2. In the navigation tree, right-click the domain name and select Properties. Grant the permission on the domain object, not on the Domain mqm group object: an inheritable entry placed on the group itself has no descendant user objects to apply to, whereas an entry placed on the domain is inherited by every user object beneath it, which is what the Windows Server 2003 and 2000 procedures below also do.
      3. Click Security > Advanced > Add. Type Domain mqm and click Check names > OK.

        The Name field is prefilled with the string, Domain mqm (domain name\Domain mqm).

      5. Click Properties. In the Apply to list, select Descendant User Objects.
      6. From the Permissions list, select the Read group membership and Read groupMembershipSAM Allow check boxes; click OK > Apply > OK > OK.
      On Windows 2003 Server:
      1. In the Server Manager action bar, click View > Advanced features, then open Active Directory Users and Computers.
      2. In the navigation tree, find the domain name. Select the domain name, right-click it and select Properties.
      3. Click Security > Advanced > Add. Type Domain mqm and click Check names > OK.
      4. Click Properties. In the Apply to list, select User Objects.
      5. From the Permissions list, select the Read group membership and Read groupMembershipSAM Allow check boxes; click OK > Apply > OK > OK.
      On Windows 2000 Server:
      1. In the Server Manager navigation tree, search for the domain name. Select the domain name, right-click and select Delegate Control Next.
      2. Click Selected Groups and Users > Add.... Select Domain mqm and click Add > OK.
      3. Select Domain mqm and click Next.
      4. Click Create a custom task to delegate and click Next.
      5. Select Only the following objects in the folder, and then check User Objects in the alphabetical list. Click Next.
      6. Check Property-specific, then select the following options from the list:
        • Read group membership
        • Read groupMembershipSAM
        Note: The list is in alphabetical order by the second word.
      7. Click OK to close each window.
  2. Create one or more accounts, and add them to the group:
    1. In Active Directory Users and Computers, create a user account with a name of your choosing and add it to group Domain mqm (or a group that is a member of the local mqm group).
    2. Repeat for all the accounts you want to create.
  3. Repeat Steps 1 and 2 for each domain that has user names that will install IBM WebSphere MQ, to create an account for IBM WebSphere MQ on each domain.
  4. Use the accounts to configure each installation of IBM WebSphere MQ:
    1. Either use the same domain user account (as created in Step 1) for each installation of IBM WebSphere MQ, or create a separate account for each one, adding each to the Domain mqm group (or a group that is a member of the local mqm group).
    2. When you have created the account or accounts, give one to each person configuring an installation of IBM WebSphere MQ. They must enter the account details (domain name, user name, and password) into the Prepare IBM WebSphere MQ wizard. Give them the account that exists in the same domain as their installing user ID.
    3. When you install IBM WebSphere MQ on any system in the domain, the IBM WebSphere MQ install program detects the existence of the Domain mqm group in the domain and automatically adds it to the local mqm group. (The local mqm group is created during installation; all user accounts in it have authority to manage IBM WebSphere MQ.) Thus all members of the Domain mqm group have authority to manage IBM WebSphere MQ on this system.
    4. However, you still need to provide a domain user account (as created in Step 1) for each installation, and configure IBM WebSphere MQ to use it when it queries group membership in the domain; this is the reason the Domain mqm group was granted the read permissions in Step 1. The account details must be entered into the Prepare IBM WebSphere MQ wizard that runs automatically at the end of installation (the wizard can also be run at any time from the Start menu).
  5. Set the password expiry periods:
    • If you use just one account for all installations of IBM WebSphere MQ, consider making the password of the account never expire; otherwise all instances of IBM WebSphere MQ stop working at the same time when the password expires. A password that never expires should be long and randomly generated, and the account should be a member of no groups beyond those it needs, because the password also never gets rotated.
    • If you give each installation of IBM WebSphere MQ its own user account you have more user accounts to create and manage, but only one instance of IBM WebSphere MQ stops working at a time when a password expires.

    If you set the password to expire, warn the users that they will see a message from IBM WebSphere MQ each time it expires - the message warns that the password has expired, and describes how to reset it.
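The following PowerShell script carries out Steps 1, 2 and 5 in one pass: it creates the Domain mqm group, grants it Read group membership and Read groupMembershipSAM on all user objects in the domain (the same two permissions the Security tab procedure above selects), creates a member account and verifies the resulting access-control entries. It is an added example and is not IBM's own code or a supported IBM script. It assumes the ActiveDirectory RSAT module is available, that it runs as a domain administrator on a domain controller or a domain-joined host with RSAT, and that the account name mqmsvc is a placeholder of your choosing. The schema GUIDs are resolved by name from the directory rather than hard-coded.

```powershell
# Added example, not IBM's code: Domain mqm group, delegated read permissions, member account.
# Assumptions: ActiveDirectory module present; run as a domain administrator; 'mqmsvc' is a placeholder.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'Domain mqm'   # exact name the Prepare IBM WebSphere MQ wizard looks for

# Step 1: create the global security group if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN" `
        -Description 'Domain users permitted to administer IBM WebSphere MQ'
}
$group = Get-ADGroup $groupName

# Resolve the GUIDs the ACEs need from the schema instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClassGuid      = Get-SchemaGuid 'user'                # ACEs apply to descendant user objects
$groupMembershipSam = Get-SchemaGuid 'groupMembershipSAM'  # "Read groupMembershipSAM"
# "Read group membership" is the Membership property set, defined under Extended-Rights.
$membershipSet = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(cn=Membership)' -Properties rightsGuid
$membershipGuid = [guid]$membershipSet.rightsGuid

# Place the inheritable ACEs on the domain object, scoped to descendant user objects,
# so every user in the domain is covered (the same effect as the Security tab procedure).
$identity = [System.Security.Principal.SecurityIdentifier]$group.SID
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($propGuid in @($membershipGuid, $groupMembershipSam)) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $propGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: two Allow ReadProperty entries for the group, inheritable, limited to user objects.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Step 2: create the account that installers enter into the Prepare IBM WebSphere MQ wizard.
$userName = 'mqmsvc'   # placeholder name
$password = Read-Host -AsSecureString "Password for $userName"
# Step 5: a shared account is set to never expire so every installation does not stop at once;
# drop -PasswordNeverExpires if each installation gets its own account.
New-ADUser -Name $userName -SamAccountName $userName -Path "CN=Users,$domainDN" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Account used by IBM WebSphere MQ to query domain group membership'
Add-ADGroupMember -Identity $group -Members $userName
```

Run the check at the end before handing the account out: if the two entries do not show InheritanceType Descendents with InheritedObjectType equal to the user class GUID, the permission was placed on the wrong object or with the wrong scope, and the installed MQ service will not be able to read group membership for domain users.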

  6. Running IBM WebSphere MQ as a service.
    If IBM WebSphere MQ is to run as a service, the domain user account that you obtained from your domain administrator needs the Log on as a service right on the machine where the service runs. To grant it, carry out the following procedure:
    1. Click Start > Run....
      Type the command secpol.msc and click OK.
    2. Open Security Settings > Local Policies > User Rights Assignments.
      In the list of policies, right-click Log on as a service > Properties.
    3. Click Add User or Group...
      Type the name of the user you obtained from your domain administrator, click Check Names, and then click OK.
    4. If prompted by a Windows Security window, type the user name and password of an account user or administrator with sufficient authority, and click OK > Apply > OK.
      Close the Local Security Policy window.
    Note: On Windows Vista and Windows Server 2008 and later, User Account Control (UAC) is enabled by default.

    UAC restricts the actions users can perform on certain operating system facilities, even if they are members of the Administrators group, because their processes run with a filtered token until elevated. Start the Local Security Policy console (and any command prompt you use for the same purpose) with Run as administrator so that the change is made with an elevated token.
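The same right can be granted without the console by exporting the local policy with secedit, adding the account's SID to SeServiceLogonRight and importing the result. The script below is an added example, not IBM's code; it assumes an elevated PowerShell session and uses CONTOSO\mqmsvc as a placeholder for the account supplied by your domain administrator. secedit identifies accounts in the INF by SID prefixed with an asterisk, so the name is translated to a SID first.

```powershell
# Added example, not IBM's code: grant "Log on as a service" (SeServiceLogonRight) with secedit.
# Assumptions: run elevated (UAC); 'CONTOSO\mqmsvc' is a placeholder account name.
$Account = 'CONTOSO\mqmsvc'
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

$work   = Join-Path $env:TEMP 'secpol-mq'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$export = Join-Path $work 'export.inf'
$import = Join-Path $work 'import.inf'
$db     = Join-Path $work 'secpol.sdb'

# Export only the user-rights area of the current local policy.
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }

if ($line -and $line -match [regex]::Escape("*$sid")) {
    Write-Output "$Account already holds SeServiceLogonRight"
} else {
    # Keep every existing holder of the right and append the new SID.
    $current  = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    $newValue = if ($current) { "$current,*$sid" } else { "*$sid" }
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $newValue
"@
    Set-Content -Path $import -Value $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $import /areas USER_RIGHTS /quiet | Out-Null
}

# Check: re-export and confirm the SID is now listed.
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$after = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
if ($after -match [regex]::Escape("*$sid")) { Write-Output "OK: $after" } else { Write-Error 'Right not granted' }
Remove-Item -Recurse -Force $work
```

The existing holders of the right are preserved because the import line is built from the exported value; importing an INF that lists only the new SID would strip the right from the built-in service accounts that already have it.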