Trouble setting up MSMQ ACL using PowerShell cmdlet
My MSMQ queue gets created by the PowerShell DSC engine. I can see the queues being created. Since the DSC engine runs from the SYSTEM account, the queue owner also gets set to SYSTEM. When I try to set the MSMQ ACL from a PowerShell console I constantly get the following error:

PS C:\Users\Administrator.DOMAIN> whoami; Get-MsmqQueue queue1 | Set-MsmqQueueACL -UserName "Everyone" -Allow FullControl
DOMAIN\administrator
Set-MsmqQueueACL : Failed to set security descriptor. Error code: 3222143013
At line:1 char:50
+ whoami; Get-MsmqQueue incredipay_atm_processor | Set-MsmqQueueACL -UserName "Eve ...
+                                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FullControl:MessageQueueAccessRights) [Set-MsmqQueueACL], Win32Exception
    + FullyQualifiedErrorId : Failed to set security descriptor. Error code: 3222143013,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

I also can't set the MSMQ ACL using a custom DSC resource, which is basically doing the same thing, only from the SYSTEM account. So the question is: is there any way to set MSMQ permissions from within the PowerShell DSC engine using the Set-MSMQQueueACL cmdlet? Or at least, if I'm able to solve the previously mentioned error, then maybe I'll be able to solve the DSC problem as well. I'm running Windows 2012 and WMF 4.0.

Thanks in advance.

Chrysalid answered 11/11, 2014 at 14:1 Comment(0)
I've managed to overcome this issue by using the following code in my custom DSC resource:

    $ScriptBlock = {
        param(
            [String] $QueueName,
            [String] $Username,
            # One right per invocation; the outer loop splits $MessageQueueAccessRights
            [String] $MessageQueueAccessRight,
            [ValidateSet("Allow","Deny")]
            [String] $MessageQueueAccessType
        )
        $params = @{}
        $queue = Get-MSMQQueue -Name $QueueName
        $params.Add("InputObject", $queue)
        $params.Add("UserName", $Username)
        switch ($MessageQueueAccessType)
        {
            "Allow" { $params.Add("Allow", $MessageQueueAccessRight); Break; }
            "Deny"  { $params.Add("Deny",  $MessageQueueAccessRight); Break; }
        }
        Set-MsmqQueueACL @params
    }
    # $QueueName, $Username, $MessageQueueAccessRights, $MessageQueueAccessType and
    # $DomainAdministratorCredential are the resource's own parameters. The script block
    # runs through WinRM on the local machine under the supplied credential instead of
    # as SYSTEM, which is what makes the ACL change succeed.
    Foreach ($MessageQueueAccessRight in $MessageQueueAccessRights)
    {
        Invoke-Command -ScriptBlock $ScriptBlock -ComputerName . -Credential $DomainAdministratorCredential -ArgumentList $QueueName, $Username, $MessageQueueAccessRight, $MessageQueueAccessType
    }

Of course it's necessary to use the same approach when the MSMQ queue gets created by DSC. So the MSMQ queue creation should be done by the same account that is initially going to adjust the ACLs.

Chrysalid answered 13/11, 2014 at 8:18 Comment(0)
I did something similar recently and hit the same problem. You have to take ownership of the queue first (admin rights required), and then you can change the permissions.

Try these manual steps in the Computer Management snap-in first to check it solves your error, and then work out how to reproduce it via PowerShell.

  • Start -> Run -> compmgmt.msc
  • Expand "Computer management (Local) -> Services and Applications -> Message Queuing -> Private Queues"
  • Right click -> Properties -> Security -> Advanced -> Owner -> Other users or groups...
  • Enter your user name (DOMAIN\administrator)
  • Click OK, then OK again
  • You should now be able to edit security via script

I ended up writing some P/Invoke code to take ownership of the queue using C#, which I compiled on the fly with Add-Type in PowerShell. I can't share it unfortunately as it's proprietary, but this question might give you some pointers:

How do I set the owner of a message queue?

P.S. error code 3222143013 is 0xC00E0025, which translates to MQ_ERROR_ACCESS_DENIED (see http://msdn.microsoft.com/en-us/library/ms700106%28v=vs.85%29.aspx)

Leyba answered 11/11, 2014 at 14:54 Comment(0)
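Since Leyba's P/Invoke code isn't shared, here is an added example (written for this page, not Leyba's or any project's code) of the same idea: call MQSetQueueSecurity from mqrt.dll with only OWNER_SECURITY_INFORMATION set, so the existing DACL is left untouched, and only then grant rights with Set-MsmqQueueACL. The queue path .\private$\queue1, the owner DOMAIN\administrator and the function name Set-MsmqQueueOwner are assumptions; it expects an elevated local administrator session, and if the call still returns 0xC00E0025 the token needs SeTakeOwnershipPrivilege enabled first.

```powershell
# Added example: take ownership of a local private MSMQ queue, then set its ACL.
# Assumes an elevated administrator session on the MSMQ host.
Add-Type -AssemblyName System.Messaging
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MsmqNative
{
    // OWNER_SECURITY_INFORMATION from winnt.h: only the owner part of the SD is written
    public const int OwnerSecurityInformation = 0x1;

    [DllImport("mqrt.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int MQSetQueueSecurity(
        string lpwcsFormatName,
        int SecurityInformation,
        byte[] pSecurityDescriptor);
}
"@

function Set-MsmqQueueOwner {
    # Hypothetical helper name; QueuePath is an MSMQ path name such as ".\private$\queue1"
    param(
        [Parameter(Mandatory)][string] $QueuePath,
        [Parameter(Mandatory)][string] $OwnerAccount    # e.g. "DOMAIN\administrator"
    )

    # MQSetQueueSecurity wants a format name, not a path name; MessageQueue resolves it
    $queue      = New-Object -TypeName System.Messaging.MessageQueue -ArgumentList $QueuePath
    $formatName = $queue.FormatName

    $ownerSid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $OwnerAccount).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Self-relative descriptor carrying only an owner (no group, SACL or DACL).
    # Because SecurityInformation is OWNER only, MSMQ ignores the missing parts.
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @(
        [System.Security.AccessControl.ControlFlags]::SelfRelative, $ownerSid, $null, $null, $null)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)

    $hr = [MsmqNative]::MQSetQueueSecurity($formatName, [MsmqNative]::OwnerSecurityInformation, $bytes)
    if ($hr -ne 0) {
        # Negative HRESULTs print as the familiar 0xC00Exxxx MQ_ERROR_* codes
        throw ("MQSetQueueSecurity failed: 0x{0:X8}" -f $hr)
    }
}

# Usage (assumed queue and account): take ownership, then the cmdlet from the question works
Set-MsmqQueueOwner -QueuePath '.\private$\queue1' -OwnerAccount 'DOMAIN\administrator'
Get-MsmqQueue -Name queue1 | Set-MsmqQueueACL -UserName 'Everyone' -Allow FullControl
```

Granting FullControl to Everyone mirrors the command in the question; in practice a narrower principal (the service account that reads and writes the queue) and a narrower right set are what you want, and the owner change itself is worth logging since it is the step that bypasses the queue's own DACL.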
To do this in DSC, you can run your command using different credentials by having your custom DSC resource take a [PSCredential] parameter.

To do this securely requires some significant changes to your DSC infrastructure. See my answer to this question: https://serverfault.com/questions/632390/protecting-credentials-in-desired-state-configuration-using-certificates/#632836

If you just want to test before making those changes, you can tell DSC to allow storing your credentials in plaintext using PSDscAllowPlainTextPassword = $true in your configuration data (see here for details).

Grange answered 11/11, 2014 at 15:2 Comment(4)
So right now I'm passing a [PSCredential] parameter to my custom resource. I'm trying to do impersonation and then execute the necessary commands, but unfortunately a lot of resources still execute commands as SYSTEM, despite the fact that I'm trying to change the process context to the domain Administrator account. This is probably the reason why MSMQ creates queues with SYSTEM as the queue owner.Chrysalid
Edit your question to show the code; should help us answer.Grange
The strange thing is that when I try to set the ACL for an MSMQ queue (already created by DSC with SYSTEM as the owner and Full Control access) from within the SYSTEM context, I'm getting an error (which is access denied), despite the fact that SYSTEM has FullControl access to the queue.Chrysalid
Private or public queue?Cenacle
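The two configuration-data shapes Grange's answer refers to, as an added example (not Grange's code and not from the linked answer): the plaintext-password setting for a test run, beside the certificate-based form for real use, both feeding a configuration that passes a credential into a custom resource. The resource cMsmqQueueAcl, its module cMsmq, the node name SERVER01 and the certificate path are placeholders.

```powershell
# Added example: DSC configuration data for handing a [PSCredential] to a custom resource.
# cMsmqQueueAcl / cMsmq are hypothetical; SERVER01 and the .cer path are placeholders.

# Test only: the compiled MOF will contain the password unencrypted on disk.
$ConfigDataPlainText = @{
    AllNodes = @(
        @{
            NodeName                    = 'SERVER01'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

# Production: the password in the MOF is encrypted with the node's public key.
# The node's LCM must have CertificateID set to the thumbprint of the matching
# certificate (private key in the machine store) so it can decrypt the MOF.
$ConfigDataEncrypted = @{
    AllNodes = @(
        @{
            NodeName        = 'SERVER01'
            CertificateFile = 'C:\DscPublicKeys\SERVER01.cer'   # public key exported from the node
        }
    )
}

Configuration MsmqQueueAcl {
    param(
        [Parameter(Mandatory)][PSCredential] $Credential   # account that owns / may re-ACL the queue
    )
    Import-DscResource -ModuleName cMsmq   # hypothetical module carrying cMsmqQueueAcl

    Node $AllNodes.NodeName {
        cMsmqQueueAcl Queue1Acl {
            QueueName  = 'queue1'
            Username   = 'Everyone'
            Allow      = 'FullControl'
            Credential = $Credential   # the resource runs its Set-MsmqQueueACL under this account
        }
    }
}

$cred = Get-Credential -Message 'Account used to adjust the MSMQ ACL'

# Compiling with the plaintext data only works because PSDscAllowPlainTextPassword is set;
# without it (or the certificate form) the compiler refuses to embed the credential.
MsmqQueueAcl -ConfigurationData $ConfigDataPlainText -Credential $cred -OutputPath C:\Dsc\Test
MsmqQueueAcl -ConfigurationData $ConfigDataEncrypted -Credential $cred -OutputPath C:\Dsc\Prod
```

The MOF produced from $ConfigDataPlainText should be treated like any other file containing a password: keep it off shared pull servers and delete it after the test, which is exactly why Grange points at the certificate approach for anything beyond a quick check.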
I also created a custom DSC resource to set up/modify my MSMQ queues within my web farm. Since DSC runs as SYSTEM, you must ensure that the SYSTEM account has access to create/modify MSMQ queues on the node.

There is a way to have DSC run as a specific account. If that is the case, then you have to ensure that you are passing in that account when attempting to create/modify your MsmqQueue.

I understand I am responding to an old thread. But someone else in the near future may be facing the same issue and come across this thread.

Enjoy & Good Luck!

Tricycle answered 19/5, 2017 at 21:48 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.