[Windows]

Local and domain user accounts for the IBM MQ Windows service

When IBM® MQ is running, it must check that only authorized users can access queue managers or queues. This requires a special user account that IBM MQ can use to query information about any user attempting such access.

Configuring special user accounts with the Prepare IBM MQ Wizard

The Prepare IBM MQ Wizard creates a special user account so that the Windows service can be shared by processes that need to use it (see Configuring IBM MQ with the Prepare IBM MQ Wizard).

A Windows service is shared between client processes for an IBM MQ installation. One service is created for each installation. Each service is named MQ_InstallationName, and has a display name of IBM MQ(InstallationName).

Because each service must be shared between non-interactive and interactive logon sessions, you must launch each under a special user account. You can use one special user account for all the services, or create different special user accounts. Each special user account must have the user right to Logon as a service; for more information, see Table 1. If the user ID does not have the authority to run the service, the service does not start and it returns an error in the Windows system event log. Typically, you will have run the Prepare IBM MQ Wizard, and set up the user ID correctly. However, if you have configured the user ID manually, it is possible that you have a problem that you need to resolve.

When you install IBM MQ and run the Prepare IBM MQ Wizard for the first time, it creates a local user account for the service called MUSR_MQADMIN with the required settings and permissions, including Logon as a service.

For subsequent installations, the Prepare IBM MQ Wizard creates a user account named MUSR_MQADMINx, where x is the next available number representing a user ID that does not exist. The password for MUSR_MQADMINx is randomly generated when the account is created, and used to configure the logon environment for the service. The generated password does not expire.

This IBM MQ account is not affected by any account policies that are set up on the system to require that account passwords are changed after a certain period.

The password is not known outside this one-time processing and is stored by the Windows operating system in a secure part of the registry.

Using IBM MQ with Active Directory

In some network configurations, where user accounts are defined on domain controllers that are using the Active Directory directory service, the local user account that IBM MQ is running under might not have the authority that it requires to query the group membership of other domain user accounts. When you install IBM MQ, the Prepare IBM MQ Wizard identifies whether this is the case by carrying out tests and asking you questions about the network configuration.

If the local user account that IBM MQ is running under does not have the required authority, the Prepare IBM MQ Wizard prompts you for the account details of a domain user account with particular user rights. For information about how to create and set up a Windows domain account, see Creating and setting up Windows domain accounts for IBM MQ. For the user rights that the domain user account requires, see Table 1.

When you have entered valid account details for the domain user account into the Prepare IBM MQ Wizard, the wizard configures an IBM MQ Windows service to run under the new account. The account details are held in the secure part of the Registry and cannot be read by users.

When the service starts, an IBM MQ Windows service process is launched and remains running for as long as the service is running. An IBM MQ administrator who logs on to the server after the Windows service is launched can use the IBM MQ Explorer to administer queue managers on the server. This connects the IBM MQ Explorer to the existing Windows service process. These two actions need different levels of permission before they can work:
  • The launch process requires a launch permission.
  • The IBM MQ administrator requires Access permission.

User rights required for an IBM MQ Windows service

The following table lists the user rights required for the local and domain user accounts under which the Windows service for an IBM MQ installation runs.
Table 1. User rights required for an IBM MQ Windows service

| Permission | Description |
|---|---|
| Log on as batch job | Enables an IBM MQ Windows service to run under this user account. |
| Log on as service | Enables users to set the IBM MQ Windows service to log on using the configured account. |
| Shut down the system | Allows the IBM MQ Windows service to restart the server if configured to do so when recovery of a service fails. |
| Increase quotas | Required for the operating system CreateProcessAsUser call. |
| Act as part of the operating system | Required for the operating system LogonUser call. |
| Bypass traverse checking | Required for the operating system LogonUser call. |
| Replace a process level token | Required for the operating system LogonUser call. |

Note: Debug programs rights might be needed in environments running ASP and IIS applications.
Your domain user account must have these Windows user rights set as effective user rights, as listed in the Local Security Policy application. If they are not, set them using either the Local Security Policy application locally on the server, or the Domain Security Policy application domain-wide.
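The following PowerShell script is an added example for checking the two things this page asks an administrator to verify: which account each MQ_InstallationName service logs on as (the MUSR_MQADMIN local account or a domain account), and whether that account actually holds the Table 1 user rights. It is not IBM's code and is not part of the Prepare IBM MQ Wizard. It assumes an elevated PowerShell session on the MQ server, that secedit.exe and the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroup, Get-LocalGroupMember) are available, and that the services follow the MQ_InstallationName naming convention described above. The mapping from the Table 1 permission names to the SeXxx privilege constants is the standard Windows one; the function and variable names are this example's own.

```powershell
# Added example (not IBM's code): audit the log-on account of each IBM MQ
# Windows service and report which Table 1 user rights it effectively holds.
# Assumes an elevated session, secedit.exe, and the LocalAccounts module.
#Requires -RunAsAdministrator

# Table 1 rights mapped to the privilege constants that secedit exports.
# ("Increase quotas" is shown in current Windows as "Adjust memory quotas for a process".)
$RequiredRights = [ordered]@{
    'SeBatchLogonRight'             = 'Log on as batch job'
    'SeServiceLogonRight'           = 'Log on as service'
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeIncreaseQuotaPrivilege'      = 'Increase quotas'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

function Get-EffectiveUserRights {
    # Export the user-rights area of the local security policy as applied on
    # this machine and parse its [Privilege Rights] section. Lines look like:
    #   SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...-1001
    $inf = Join-Path $env:TEMP ('mq-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
                # secedit prefixes every SID with '*'; strip it for comparison.
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-AccountSids {
    param([string]$Account)
    # The account's own SID plus the SIDs of the local groups it belongs to,
    # because a right assigned to a group is effective for its members.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $sids = @($sid)
    foreach ($group in Get-LocalGroup) {
        try { $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop) }
        catch { continue }   # groups holding orphaned SIDs can fail to enumerate
        if (@($members | ForEach-Object { $_.SID.Value }) -contains $sid) { $sids += $group.SID.Value }
    }
    return $sids
}

function Test-MqServiceAccountRights {
    $policy = Get-EffectiveUserRights
    # Services follow the MQ_InstallationName convention; StartName is the log-on account.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object Name -like 'MQ_*'
    foreach ($svc in $services) {
        # Local accounts appear as .\NAME; qualify them with the computer name.
        $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        try { $sids = Get-AccountSids -Account $account }
        catch { Write-Warning "Cannot resolve '$account' for service $($svc.Name): $_"; continue }
        foreach ($priv in $RequiredRights.Keys) {
            $holders = $policy[$priv]
            [pscustomobject]@{
                Service   = $svc.Name
                Account   = $account
                Right     = $RequiredRights[$priv]
                Privilege = $priv
                Granted   = (@($holders | Where-Object { $sids -contains $_ }).Count -gt 0)
            }
        }
    }
}

Test-MqServiceAccountRights | Format-Table -AutoSize
```

Any row with Granted = False is a right to assign in the Local Security Policy (or the Domain Security Policy) before the service will start under that account. The script recognizes rights granted directly or through local group membership only; a right that a domain account receives through a domain group is not detected, so a False for a domain account should be confirmed against the effective policy on the domain side before it is treated as a fault.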