Information for domain administrators
WebSphere MQ has a component, running as a Windows DCOM process, that checks that any user account attempting to access WebSphere MQ is authorized. As part of the check, the component must confirm that the account belongs to a group that is a member of the local mqm group, such as DOMAIN\domain mqm. The component itself by default runs under a local user account, MUSR_MQADMIN, that WebSphere MQ creates at installation.
If any domain controller on your network is running on Windows 2000 or Windows 2003, that domain can be set up so that local user accounts do not have authority to query the group membership of its domain user accounts. Such a setup prevents WebSphere MQ from completing its check, and access fails. To resolve this, each installation of WebSphere MQ on the network must be configured to run its service under a domain user account that has the required authority.
If an installer carries on anyway and configures WebSphere MQ without a special account, many or all parts of WebSphere MQ will not work, depending upon the particular user accounts involved, as follows:
- An installer currently logged on with a Windows 2000 or Windows 2003 domain user account will not be able to complete the Default Configuration, and the Postcard and API Exerciser will not work.
- WebSphere MQ connections to queue managers running under Windows 2000 or Windows 2003 domain accounts on other computers may fail.
- Typical errors include "AMQ8066: Local mqm group not found" and "AMQ8079: Access was denied when attempting to retrieve group membership information for user 'abc@xyz'".
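To see which domains are refusing the group membership query, the two messages quoted above can be collected from error log text and grouped by domain. The following is an added example, not IBM code; the function name and the sample lines (including their timestamps and layout) are constructed for illustration, and only the message wording is taken from this page.

```python
import re
from collections import defaultdict

# Message wording as quoted on this page; the user appears as 'user@domain'.
AMQ8079 = re.compile(
    r"AMQ8079: Access was denied when attempting to retrieve "
    r"group membership information for user '([^'@]+)@([^']+)'"
)
AMQ8066 = re.compile(r"AMQ8066: Local mqm group not found")


def triage(lines):
    """Summarise group-lookup failures found in an iterable of log lines."""
    denied = defaultdict(set)  # domain -> users whose membership lookup was refused
    mqm_missing = 0
    for line in lines:
        match = AMQ8079.search(line)
        if match:
            user, domain = match.groups()
            # Windows account and domain names are case-insensitive, so fold case
            # to avoid counting the same account twice.
            denied[domain.lower()].add(user.lower())
        elif AMQ8066.search(line):
            mqm_missing += 1
    return {
        "denied_by_domain": {d: sorted(u) for d, u in sorted(denied.items())},
        "mqm_group_not_found": mqm_missing,
        # Either message is a typical symptom of the service account being
        # unable to query domain group membership.
        "check_service_account": bool(denied) or mqm_missing > 0,
    }


# Constructed sample input (hypothetical timestamps and line layout).
_DENIED = ("AMQ8079: Access was denied when attempting to retrieve "
           "group membership information for user '%s'")
SAMPLE = [
    "2004-03-01 10:15:02 " + _DENIED % "abc@xyz",
    "2004-03-01 10:15:09 " + _DENIED % "ABC@XYZ",  # same account, different case
    "2004-03-01 10:16:40 " + _DENIED % "def@xyz",
    "2004-03-01 10:17:11 AMQ8066: Local mqm group not found",
    "2004-03-01 10:18:00 Queue manager started",   # unrelated line, ignored
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Each domain listed in the result is a candidate for the restriction described above, and the WebSphere MQ installations reporting these errors are the ones whose service needs to run under a domain user account with the required authority.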