Create the CA XCOM Batch Interactive Group
The CA-XCOM-Batch-Interactive group helps resolve some rather complex Windows security problems. Create a CA-XCOM-Batch-Interactive group to circumvent DLL initialization failures; the group also affects send jobs, pre- and post-processing scripts, and remote SMTP mail notifications.
When Windows NT came out, it allowed popups from Windows services. If there was an active logon session, those popups were displayed on it. This created a potential security exposure. Microsoft implemented proper controls as of Windows 7. All services now use window station 0, WinSta0.
With XCOM’s implementation, we wanted to satisfy the following two customer requests:
- Spawn child processes which run beyond the duration of the CA XCOM Data Transport for Windows (CA XCOM Data Transport).
- Offer interactive dialogues for debugging scripts.
To satisfy these requests, XCOM does the following:
- Search among the logged-on users, and if there is a match with the XCOM transfer user, use that session for interactive displays.
- Create an entry in WinSta0 if the XCOM userid is not logged on and leave the entry beyond the XCOM Transfer.
You do not need to give the CA-XCOM-Batch-Interactive group any permissions or rights.
Create the CA-XCOM-Batch-Interactive group
We strongly recommend that you create a CA-XCOM-Batch-Interactive group to circumvent DLL initialization failures and to define the right environment for send jobs, pre- and post-processing scripts, and remote SMTP mail notifications. All jobs, scripts, and remote SMTP notifications received by XCOM Transfer are submitted to the operating system by creating a process. The new process runs in the security context of the user receiving the XCOM transfer that caused the process to be created.
CA XCOM Data Transport adds an access control entry (ACE) to the window station and desktop to allow the process to interact with the user. Once the process is complete, the entry is removed from the window station and desktop. If the process created by the transfer creates an additional process, this additional process will not have access to the window station or desktop after CA XCOM Data Transport has removed the entry that was created for the original process.
To allow this additional process to interact with the user, create a local group that is named CA-XCOM-Batch-Interactive and include the user receiving the transfer in it.
CA XCOM Data Transport adds an access control entry to the window station and desktop that will not be removed when the initial process completes.
For instructions to create local user groups and to add users to the local user group, see your Windows operating system documentation.
Consider the following points when you create a group:
- Any user whose CA XCOM Data Transport transfer starts a background job that interacts with the window station or desktop must be a member of this group.
- The only access that is permitted by this group is to the window station and desktop.
- Local group names are case-sensitive.
The CA XCOM Batch Interactive group is used only for interactive scripts running in session 0.
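One way to script the group setup in Windows PowerShell, as an added example that is not part of the CA XCOM documentation. It assumes an elevated session with the Microsoft.PowerShell.LocalAccounts cmdlets; the account names are hypothetical. Because members keep an access control entry on the window station and desktop after the initial process completes, the script also reports any member that is not on the expected list.

```powershell
# Added example (not vendor code). Run in an elevated Windows PowerShell session.
$ErrorActionPreference = 'Stop'

$GroupName     = 'CA-XCOM-Batch-Interactive'   # exact spelling and case from this page
$TransferUsers = @('xcomuser1', 'xcomuser2')   # hypothetical local accounts that receive transfers

# Get-LocalGroup matches names case-insensitively, so compare with -cne to
# catch a group that already exists under a different case.
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if ($null -eq $group) {
    # No permissions or rights are assigned to the group itself.
    $group = New-LocalGroup -Name $GroupName -Description 'XCOM window station/desktop access'
    Write-Output "Created local group '$GroupName'."
}
elseif ($group.Name -cne $GroupName) {
    throw "Group exists as '$($group.Name)'; the name must be exactly '$GroupName'."
}

# Add only the accounts whose transfers start jobs that interact with the
# window station or desktop. Local members are reported as COMPUTER\name.
$expected = @($TransferUsers | ForEach-Object { "$env:COMPUTERNAME\$_" })
$current  = @(Get-LocalGroupMember -Group $GroupName | ForEach-Object { $_.Name })

foreach ($user in $TransferUsers) {
    if ($current -notcontains "$env:COMPUTERNAME\$user") {
        Add-LocalGroupMember -Group $GroupName -Member $user
        Write-Output "Added '$user' to '$GroupName'."
    }
}

# Audit: flag members that are not on the expected list.
Get-LocalGroupMember -Group $GroupName |
    Where-Object { $expected -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unexpected member of '$GroupName': $($_.Name)" }
```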