In some network configurations, where user accounts are defined on domain controllers that are using Active Directory, the local user account MUSR_MQADMIN might not have the authority it requires to query the group membership of other domain user accounts. The Prepare WebSphere MQ Wizard identifies whether this is the case by carrying out tests and asking the user questions about the network configuration. If the local user account MUSR_MQADMIN does not have the required authority, the Prepare WebSphere MQ Wizard prompts the user for the account details of a domain user account with particular user rights. For the user rights that the domain user account requires, see User rights required for AMQMSRVN. Once the user has entered valid account details for the domain user account into the Prepare WebSphere MQ Wizard, the wizard configures AMQMSRVN to run under this account instead of the local user account MUSR_MQADMIN. The account details are held in the secure part of the Registry and cannot be read by users.
When the service is running, AMQMSRVN is launched and remains running for as long as the service is running. A WebSphere MQ administrator who logs on to the server after AMQMSRVN is launched can use the WebSphere MQ Explorer to administer queue managers on the server. This connects the WebSphere MQ Explorer to the existing AMQMSRVN process. These two actions need different levels of permission before they can work:
The following table details the user rights required for the domain user account under which WebSphere MQ and specifically the AMQMSRVN DCOM object run.

| User right | Description |
| --- | --- |
| Logon as batch job | Enables WebSphere MQ Services COM server to run under this user account. |
| Logon as service | Enables users to set the WebSphere MQ service to log on using the configured account. |
| Shut down the system | Allows the WebSphere MQ Service to restart the server if configured to do so when recovery of a service fails. |
| Debug programs | Enables WebSphere MQ to contact processes that are secured, such as ASP and IIS applications. |
| Increase quotas | Required for the operating system CreateProcessAsUser call. |
| Act as part of the operating system | Required for the operating system LogonUser call. |
| Bypass traverse checking | Required for the operating system LogonUser call. |
| Replace a process level token | Required for the operating system LogonUser call. |

Your domain user account must have these Windows user rights set as effective user rights as listed in the Local Security Policy application. If they are not, set them using either the Local Security Policy application locally on the server, or by using the Domain Security Application domain wide.
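
One way to check the requirement above, as an added example that is not part of the original documentation: the script parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS /cfg <file>` export and lists which of the table's rights none of the given principals hold. The privilege constants are the standard Windows names for these rights; the account `EXAMPLE\svc_mq` and the sample export are constructed, and the export may list an account by name or by SID, so pass both along with the SIDs of its groups.

```python
import configparser

# Rights from the table above, keyed by the Windows constant used in the export.
# A real export file is UTF-16: open(path, encoding="utf-16").read()
REQUIRED_RIGHTS = {
    "SeBatchLogonRight": "Logon as batch job",
    "SeServiceLogonRight": "Logon as service",
    "SeShutdownPrivilege": "Shut down the system",
    "SeDebugPrivilege": "Debug programs",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

def parse_privilege_rights(inf_text):
    """Return {constant: set of lower-cased names/SIDs} from the export text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of the privilege constants
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return {}
    return {name: {p.strip().lstrip("*").lower()
                   for p in value.split(",") if p.strip()}
            for name, value in parser.items("Privilege Rights")}

def missing_rights(inf_text, principals):
    """List the table's rights that none of the given names or SIDs hold."""
    wanted = {p.lower() for p in principals}
    granted = parse_privilege_rights(inf_text)
    return [label for const, label in REQUIRED_RIGHTS.items()
            if not (granted.get(const, set()) & wanted)]

# Constructed, abbreviated sample export; domain and account are hypothetical.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\svc_mq
SeServiceLogonRight = EXAMPLE\svc_mq
SeShutdownPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\svc_mq
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"""

if __name__ == "__main__":
    # S-1-1-0 is Everyone, which the account belongs to implicitly.
    print(missing_rights(SAMPLE_EXPORT, [r"EXAMPLE\svc_mq", "S-1-1-0"]))
```

Several of these rights, in particular Act as part of the operating system and Debug programs, are highly privileged, so the same export is also worth reviewing for other accounts that hold them.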
You might need to change the user name associated with WebSphere MQ Services from MUSR_MQADMIN to something else. (For example, you might need to do this if your queue manager is associated with DB2(R), which does not accept user names of more than 8 characters.)
To change the user name:
AMQMSRVN -user <domain\>NEW_NAME -password <password>
Where NEW_NAME is the new user name you have chosen. This can be qualified by a domain name if required. WebSphere MQ allocates the correct security rights and group membership to the new user account.
If for any reason you need to reset the user account back to the default MUSR_MQADMIN account, use the following command:
AMQMJPSE -r