Solved

How do you delete a MSMQ object in AD

Posted on 2011-02-23
Last Modified: 2012-05-11
I am trying to set up our Help Desk members to be able to delete Computer accounts in AD. I set up the necessary permissions and they keep getting access denied. Long story short, all our Computer objects have a child object called MSMQ (cn=msmq) and this is causing the access denied problems. I proved this by using ADSIEdit to delete this msmq child object and after that, the Help Desk was able to delete the Computer object. My question is: what right or permission do I need to grant them to also delete the MSMQ object along with the Computer object? I have been experimenting with just about every right and nothing works. Or is it not a rights problem at all, but something else that needs to be done? I certainly can't use ADSIEdit every time they need to delete a Computer object.
Question by:osiexchange
14 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34961759
You can use the delegation wizard and create a custom task to delegate. Select the MSMQ config object I think, you will have to test to get the correct one. Then give create\delete and full control to just that object for the call center group.
0
 

Author Comment

by:osiexchange
ID: 34961840
Well, that's the problem. I can't figure out what permission. I tried using the delegation wizard and ADUC also and setting anything to do with MSMQ like the MSMQ Config you mentioned and nothing works.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34961973
I just tested. It is the MSMQ configuration object. Going through the delegation wizard, select custom task and the MSMQ Configuration Object. Check Create and Delete, then on the next screen check full control. This will allow them to delete the MSMQ object under the computer object.
0
 

Author Comment

by:osiexchange
ID: 34962265
OK, I'm a bit confused. I don't see the MSMQ configuration object. All I see is Create/Delete MSMQ Group Objects and Create/Delete MSMQ Queue Alias Objects. Let me tell you exactly what I am doing.

Using ADUC, I right click the OU with the workstations in it. Select Delegate Control to launch the wizard. Select Next, Add my security group, select Next and select Create a custom task to delegate. Select Next and leave the default on the Delegate Control of: screen. Select Next and I have 3 check boxes to select. General, Property specific and Creation/deletion of specific child objects. I checked them all. I don't see MSMQ Configuration here. Just the properties I mentioned above. The next screen brings me to Finish and that's it.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34962354
On the "Delegate control of" screen select "Only the following objects in the folder" and you should see "MSMQ configuration objects". Check both boxes to Create\Delete and click next. On the Permissions screen select Full control and click next.
0
 

Author Comment

by:osiexchange
ID: 34962596
Still getting Access Denied. I looked right on the workstation object itself in the Security settings. Full Control is there for the MSMQ Configuration object. Is it because this object is a child of the workstation object? Really frustrating. How does this object get attached to the workstation object anyway? Not all workstations have it. For instance, if I just create one using ADUC, it doesn't have the child object attached.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34963170
Can you post a screen shot of the security settings?

On the workstation, if you go into add\remove programs and I think Windows components, there is an option to install message queuing.
0
 

Author Comment

by:osiexchange
ID: 34963428
Below are the security settings. This is right on the workstation object itself I am trying to delete, so there is no question about rights propagating down.

On the main Security tab page, the following boxes are checked after highlighting the account I am using to try and delete the workstation object:

Allow - Delete All Child Objects
Special Permissions

Clicking on the Advanced tab

Allow - Delete All Child Objects - Apply to: This object only
Allow - Create/Delete MSMQ Configuration Objects - Apply to: This object and all child objects
Allow - Special - Apply to: This object and all Child Objects
Allow - Full Control - Apply to: MSMQ Configuration Object
Allow - Delete - Apply to: This object and all child objects

0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34963854
Are you trying to delete the computer object or just the MSMQ object? Are there any other objects under the computer object?
0
 

Author Comment

by:osiexchange
ID: 34963890
I am trying to delete the computer object. The msmq object is a child of the computer object. I can't see the msmq object using ADUC, just the computer object, but if you use ADSIEdit, you can see the msmq object as a child of the computer object.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34963981
In ADUC select the "View" menu and select "User, Contacts, Groups, and computers as Containers". Then you will be able to see all the child objects. See if you can then delete the MSMQ object.
0
 

Author Comment

by:osiexchange
ID: 34964048
I totally forgot about that option. OK, when I view it that way, I can see the msmq object. If I delete the msmq object first, then I can delete the computer object. It looks like I just can't delete them together.
0
 
LVL 27

Accepted Solution

by:KenMcF
ID: 34964159
I am not sure why they would not be able to delete them. I can test later tonight in my lab to see if I can figure anything out. You could also try a script. I like using PowerShell and the Quest AD cmdlets.

Get-QADComputer COMPUTERNAME | Remove-QADObject -DeleteTree -Force
0
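An added example, not part of the original answer: the same cleanup done with Microsoft's ActiveDirectory module (RSAT) instead of the Quest cmdlets, following the order the asker found to work (child objects such as cn=msmq first, then the computer object). The function name Remove-ComputerWithChildren and the COMPUTERNAME placeholder are assumptions made for illustration.

```powershell
# Added example: uses the ActiveDirectory module (RSAT), not the Quest cmdlets.
# Remove-ComputerWithChildren is a hypothetical helper name.
Import-Module ActiveDirectory

function Remove-ComputerWithChildren {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    $computer = Get-ADComputer -Identity $Name -ErrorAction Stop

    # Everything below the computer object, e.g. the CN=msmq child that ADUC
    # hides unless computers are displayed as containers.
    $children = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName })

    foreach ($child in $children) {
        Write-Verbose ("child: {0} [{1}]" -f $child.DistinguishedName, $child.ObjectClass)
    }

    # A descendant's DN is always longer than its ancestor's DN, so sorting by
    # length (descending) deletes leaves before the containers that hold them.
    $ordered = @($children | Sort-Object { $_.DistinguishedName.Length } -Descending)

    foreach ($child in $ordered) {
        if ($PSCmdlet.ShouldProcess($child.DistinguishedName, 'Delete child object')) {
            Remove-ADObject -Identity $child.DistinguishedName -Confirm:$false -ErrorAction Stop
        }
    }

    # With the children gone, the computer is a plain leaf delete.
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Delete computer object')) {
        Remove-ADObject -Identity $computer.DistinguishedName -Confirm:$false -ErrorAction Stop
    }
}

# Dry run: lists what would be deleted without changing the directory.
Remove-ComputerWithChildren -Name 'COMPUTERNAME' -WhatIf -Verbose
```

Run it as the delegated Help Desk account with -WhatIf removed to see which specific object, if any, returns access denied.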
 

Author Comment

by:osiexchange
ID: 34964193
It's almost as if the computer object itself has the delete right but won't let objects below it get deleted, although I did check the computer object itself and it looks like the delete right is on it and all child objects.
0
