Login/Register
Set-MsmqQueueACL - Allow - can't use list as per docs?
Asked Answered
Solved powershellmsmq
I

1

6

I'm trying to set ACL on a Msmq Queue using Powershell v5.1 (Win2k16) - but even though I'm following the documentation - I keep getting an error.

Get-MsmqQueue -Name "s009_ClientsServiceBus" -QueueType Private | Set-MsmqQueueAcl -UserName "domain.com\WfxServiceBus" -Allow Peek,Write

Error:

Set-MsmqQueueACL : Cannot convert 'System.Object[]' to the type
'System.Nullable`1[Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]' required by parameter 'Allow'. Specified method is
not supported.
At line:1 char:128
+ ... t-MsmqQueueAcl -UserName "domain.com\WfxServiceBus" -Allow Peek,Write
+                                                                ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-MsmqQueueACL], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

The Docs show the following example:

Get-MsmqQueue –Name Order* –QueueType Private | Set-MsmqQueueAcl –UserName “REDMOND\madmax” –Allow Delete,Peek,Receive,Send –Deny TakeOwnership

Running that (granted some of the parameters are incorrect for my environment, but same error)...

PS C:\Users\user> Get-MsmqQueue -Name Order* -QueueType Private | Set-MsmqQueueAcl -UserName "REDMOND\madmax" -Allow Delete,Peek,Receive,Send -Deny TakeOwnership 
Set-MsmqQueueACL : Cannot convert 'System.Object[]' to the type
'System.Nullable`1[Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]' required by parameter 'Allow'. Specified method is
not supported.
At line:1 char:100
+ ... cl -UserName "REDMOND\madmax" -Allow Delete,Peek,Receive,Send -Deny T ...
+                                          ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-MsmqQueueACL], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

So it seems the documentation is out of date, or something changed.. question is - how do I do what I need to do with Powershell? I've tried lots of combinations such as:

.... -Allow "Peek,Send"
.... -Allow "Peek","Send"
.... -Allow 'Peek,Send'

etc..

If I only include one option i.e: 'Send' or 'Peek' then it works fine, but I can't send an array of rights as per the documentation.

Thanks!

Update - using -Allow "Peek, Send":

    PS C:\Users\meaton> Get-MsmqQueue -Name "s009_ClientsServiceBus" -QueueType Private | Set-MsmqQueueAcl -UserName "domain.com\WfxServic
eBus" -Allow "Peek,Write"
Set-MsmqQueueACL : Cannot bind parameter 'Allow'. Cannot convert value "Peek,Write" to type
"Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights". Error: "Unable to match the identifier name Peek,Write to a valid
enumerator name. Specify one of the following enumerator names and try again:
DeleteMessage, PeekMessage, ReceiveMessage, WriteMessage, DeleteJournalMessage, ReceiveJournalMessage, SetQueueProperties,
GetQueueProperties, DeleteQueue, GetQueuePermissions, GenericWrite, GenericRead, ChangeQueuePermissions, TakeQueueOwnership,
FullControl"
At line:1 char:128
+ ... MsmqQueueAcl -UserName "domain.com\WfxServiceBus" -Allow "Peek,Write"
+                                                              ~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-MsmqQueueACL], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand

Changing it to "PeekMessage,SendMessage" as per error yields the exact same error:

...Set-MsmqQueueACL : Cannot bind parameter 'Allow'. Cannot convert value "PeekMessage,WriteMessage" to type
"Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights" due to enumeration values that are not valid. Specify one of....
Interfertile answered 24/4, 2017 at 20:2 Comment(0)
N
5

The docs are likely missing quotes; it's expecting an enum that supports bitfields, so most likely you'd do it like this (I don't have the msmq cmdlets or types on my 2016 PS 5.1 boxes so I can't test), using bitwise or:

$allows = [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]::Peek -bor
          [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]::Send -bor
          [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]::Receive

Set-MsmqQueueAcl -UserName "REDMOND\madmax" -Allow $allows

It should work by putting all the values in quotes (that is, not an array, a string with commas in it), but you said you tried it that way and it didn't work; did that produce a different error?

Numerary answered 24/4, 2017 at 20:17 Comment(4)
@MichaelEaton the string to enum parsing might not be working because of it being a nullable enum, but the explicit bitwise version I posted should work; or possibly expicit casting of the string to the enum first ($allows = [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]'Peek,Send,Receive').Numerary
I've updated my question to show errors using your suggestion. I'll have to re-do my powershell script tomorrow with your bitwise suggestion.Interfertile
I finally got the following to work: $allows = [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]::PeekMessage -bor [Microsoft.Msmq.PowerShell.Command s.MessageQueueAccessRights]::WriteMessage -bor [Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]::ReceiveMessage I'm going to mark this as the answer - although its a workaround and not a solution to the documentation issue. Thanks @NumeraryInterfertile
This outputs the error Set-MsmqQueueACL : Cannot convert 'System.Object[]' to the type 'System.Nullable1[Microsoft.Msmq.PowerShell.Commands.MessageQueueAccessRights]' required by parameter 'Allow'.Softener

© 2022 - 2024 — McMap. All rights reserved.