Service user IDs under which components run. Refer to:
On all platforms, you must add broker service user IDs to the mqbrkrs local group.
On Windows, there are additional requirements for
a runtime component's service user ID. Because the broker runs as a service,
the service user ID must be allowed to log on as a service. If this right is not
granted, you can create the component, but the mqsistart command fails.
No users are automatically allowed to log on as a
service (including those in the Administrators group). The permission needs
to be granted separately, and is a requirement for all runtime components'
ServiceUserIds (ConfigMgr, Broker and UserNameServer).
To grant permission, select Control Panel→Administrative Tools→Local
Security Policy. Then open Local Policies→User Rights Assignment and change
the setting Log on as a service. Add the service user IDs to the list.
This needs to be done only once for each service ID, but it must be done
locally on each machine that runs brokers. So, if you are using a domain ID
as the service user ID, the security policy change must be made on each machine
in the domain that runs brokers (not only on the domain controller).
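
The following PowerShell script is an added example, not part of the product documentation: it checks, on the local machine, whether a service user ID is listed under Log on as a service (SeServiceLogonRight) and is a member of the mqbrkrs local group. It assumes an elevated Windows PowerShell 5.1 or later session with secedit.exe available; the ServiceUser parameter and the function names are illustrative, and only a direct assignment of the right is detected.

```powershell
# Added example: audit this machine for the two requirements described above.
# $ServiceUser is supplied by the operator, for example DOMAIN\brokersvc (a placeholder name).
param(
    [Parameter(Mandatory = $true)][string]$ServiceUser
)

function Resolve-AccountSid {
    param([string]$Account)
    # Translate the account name to its SID string.
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-LogonAsServiceRight {
    param([string]$Account)
    $sid = Resolve-AccountSid -Account $Account
    # Export only the user-rights section of the local security policy.
    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return $false }   # the right is assigned to nobody

    # Entries are comma separated, written as *SID or as an account name.
    $entries = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
    $shortName = ($Account -split '\\')[-1]
    # Direct assignment only: a right held through group membership is not detected.
    [bool]($entries | Where-Object { $_ -eq $sid -or $_ -eq $Account -or $_ -eq $shortName })
}

function Test-MqbrkrsMember {
    param([string]$Account)
    $sid = Resolve-AccountSid -Account $Account
    $members = Get-LocalGroupMember -Group 'mqbrkrs' -ErrorAction Stop
    [bool]($members | Where-Object { $_.SID.Value -eq $sid })
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    ServiceUser    = $ServiceUser
    LogonAsService = Test-LogonAsServiceRight -Account $ServiceUser
    InMqbrkrsGroup = Test-MqbrkrsMember -Account $ServiceUser
}
```

Because the policy is local, run the check on every machine that runs brokers; a False in either column identifies a machine where the change is still needed.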