xcompp.bat fails with Access Denied with CA XCOM for Windows
Article ID: 203228
Updated On:
Products
Issue/Introduction
A transfer fails due to the xcompp.bat failing with message "OpenWindowStation failed. Err:5(Access Denied). An XCOM trace show the user doesn't have the correct permissions for xcompp.bat processing.
Environment
Release : 11.6 SP03
Component : CA XCOM Data Transport for Windows
Resolution
Make sure to have the following setup:
1. Make sure that the XCOMD service is "Log on as" a Local System Account and the "Allow service to interact with desktop" box is checked in the Properties of the service
2. Make sure to create the "CA-XCOM-Batch-Interactive" group in Windows
3. Assign the proper userids to the "CA-XCOM-Batch-Interactive" group
See online documentation:
CA XCOM Data Transport for Windows 11.6 Service Packs > Administrating > How to Configure CA XCOM Data Transport > Create the CA XCOM Batch Interactive Group
CA XCOM Data Transport for Windows 11.6 Service Packs > Administrating > Operating Environment > How to Use CA XCOM Data Transport Processing Scripts
Additional Information
When Windows NT came out, it allowed popups from services. They were displayed on the active logon session. As pointed out, this is a potential security exposure and Microsoft implemented proper controls as of Windows 7. All services use Windows station 0, WinSta0. With XCOM’s implementation, we wanted to satisfy two customer requests:
1. Spawn child processes which run beyond the duration of the XCOM transfer
2. Offer interactive dialogues for the purpose of debugging scripts
The initial solution was
- search among the logged on users, and if there is a match with the XCOM transfer user, use that session for interactive displays.
- create an entry in WinSta0 if the XCOM userid is not logged on and leave the entry beyond the XCOM transfer.
The latter case created a new ACE for every transfer. The system would eventually run out of storage and often needed to be re-booted. At this point, the CA-XCOM-Batch-Interactive group helps. If a user is defined in that group, XCOM creates the ACE for that user only once and then re-uses it for subsequent script processing for that user.
Feedback
