Create the CA XCOM Batch Interactive Group

The CA-XCOM-Batch-Interactive group helps resolve some rather complex Windows security problems. Creating the group circumvents DLL initialization failures and also affects send jobs, pre- and post-processing scripts, and remote SMTP mail notifications.
Introduction
When Windows NT came out, it allowed popups from Windows services. If there was an active logon session, those popups were displayed on it. This created a potential security exposure. Microsoft implemented proper controls as of Windows 7. All services now use Windows station 0, WinSta0.
With XCOM’s implementation, we wanted to satisfy the following two customer requests:
  1. Spawn child processes which run beyond the duration of the CA XCOM Data Transport for Windows (CA XCOM Data Transport).
  2. Offer interactive dialogues for debugging scripts.
The initial XCOM solution performed the following steps:
  • Search among the logged-on users, and if there is a match with the XCOM transfer user, use that session for interactive displays.
  • Create an entry in WinSta0 if the XCOM userid is not logged on and leave the entry beyond the XCOM Transfer.
The latter case created an access control entry (ACE) for every transfer. The system would eventually run out of storage and often had to be rebooted. This is where the CA-XCOM-Batch-Interactive group helps. If a user is defined in that group, XCOM creates an ACE for that user only once and then reuses it for subsequent script processing.
The CA-XCOM-Batch-Interactive group does not need to be given any permissions or rights.
Create the CA-XCOM-Batch-Interactive group
We strongly recommend that you create a CA-XCOM-Batch-Interactive group to circumvent DLL initialization failures and to define the right environment for send jobs, pre- and post-processing scripts, and remote SMTP mail notifications. All jobs, scripts, and remote SMTP notifications received by XCOM Transfer are submitted to the operating system by creating a process. The new process runs in the security context of the user receiving the XCOM transfer that caused the process to be created.
CA XCOM Data Transport adds an access control entry (ACE) to the window station and desktop to allow the process to interact with the user. Once the process is complete, the entry point is removed from the window station and desktop. If the process created by the transfer creates an additional process, this additional process will not have access to the window station or desktop after CA XCOM Data Transport has removed the entry control point that is created by the original process.
To allow this additional process to interact with the user, create a local group that is named CA-XCOM-Batch-Interactive and include the user receiving the transfer in it.
CA XCOM Data Transport adds an access control point to the window station and desktop that will not be removed when the initial process completes.
For instructions to create local user groups and to add users to the local user group, see your Windows operating system documentation.
Consider the following points when you create a group:
  • Any user whose CA XCOM Data Transport transfer starts a background job that interacts with the window station or desktop must be a member of this group.
  • The only access that is permitted by this group is to the window station and desktop.
  • Local group names are case-sensitive.
The CA XCOM Batch Interactive group is used only for interactive scripts running in session 0.
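The group setup described above can be scripted with the built-in LocalAccounts cmdlets. This is an added example, not part of the CA XCOM documentation or product; the account names in $TransferUsers and the group description are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not CA XCOM code. Run in Windows PowerShell 5.1 or later.
$GroupName = 'CA-XCOM-Batch-Interactive'      # exact spelling and case from the page
# Assumption: placeholder local accounts that receive XCOM transfers.
$TransferUsers = @('xcom_recv1', 'xcom_recv2')

# Get-LocalGroup ignores case on lookup, so compare the stored name with -cne
# to catch a group that already exists under a different capitalization.
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-LocalGroup -Name $GroupName -Description 'XCOM window station/desktop access' | Out-Null
    Write-Output "Created local group $GroupName"
} elseif ($group.Name -cne $GroupName) {
    throw "Group exists as '$($group.Name)'; rename it to '$GroupName' (names are case-sensitive)."
}

# Current members, reduced from COMPUTER\name to the bare account name.
$current = @(Get-LocalGroupMember -Group $GroupName |
    ForEach-Object { ($_.Name -split '\\')[-1] })

# Add only the missing users; Add-LocalGroupMember errors on existing members.
foreach ($user in $TransferUsers) {
    if ($current -notcontains $user) {
        Add-LocalGroupMember -Group $GroupName -Member $user
        Write-Output "Added $user to $GroupName"
    }
}

# Membership keeps a persistent window station/desktop entry for the user,
# so report any member that is not on the expected list for review.
$unexpected = @($current | Where-Object { $TransferUsers -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Members not on the expected list: $($unexpected -join ', ')"
}
```

The script is safe to re-run: it creates the group only when it is missing and skips users who are already members.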