Problem Note 13521: ALLOWXCMD and NONOXCMD options fail with the Object Spawner on Windows 2003 Servers

When submitting code to an Integration Technologies IOM server that uses
a shell or operating system command such as FILENAME PIPE or SYSTASK
COMMAND, the code fails with one of the following errors:

   ERROR: Access is denied.
Or
   ERROR: Insufficient authorization for SYSTASK COMMAND.

For security reasons, the Object Spawner is started with the system
option of NOXCMD, which prevents the client from submitting any type of
SHELL or Operating System command.

With Administrative privileges, the Object Spawner can be restarted
with an option (ALLOWXCMD or NONOXCMD) that permits the client to issue
SHELL or Operating System commands.  This works for all Windows
operating systems EXCEPT for Windows 2003 Server.

To correct the problem on Windows 2003, the "BATCH" group must be
granted Read & Execute permissions on the cmd.exe system command, using
the Security tab of the file's properties.

The "BATCH" group is a group identifier that is added to the token of
any process currently logged on as a batch user.

To verify if the "BATCH" group has been added and to view the
permissions on the group, open a COMMAND Window and issue the following:

   C:\WINDOWS\system32> cacls %COMSPEC%

If the permissions are set correctly, you will see something similar to
the following:

   C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F
                               NT AUTHORITY\BATCH:R
                               NT AUTHORITY\INTERACTIVE:R
                               NT AUTHORITY\SERVICE:R
                               NT AUTHORITY\SYSTEM:F
                               PCR64DUAL2\TelnetClients:R
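
As an added example (not part of the original SAS note), the following
Python script parses a cacls listing like the one above and reports
whether BATCH holds an allow entry that lets it read and run cmd.exe.
The sample listings are constructed from the output shown above, and the
handling of a "(DENY)" flag is an assumption about how cacls prints deny
entries.

```python
import re

PATH = r"C:\WINDOWS\system32\cmd.exe"

# Constructed input: the cacls listing shown in the note for a correct setup.
SAMPLE_OK = r"""
C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F
                            NT AUTHORITY\BATCH:R
                            NT AUTHORITY\INTERACTIVE:R
                            NT AUTHORITY\SERVICE:R
                            NT AUTHORITY\SYSTEM:F
                            PCR64DUAL2\TelnetClients:R
"""
# Constructed input: same listing with the BATCH entry absent (the failing case).
SAMPLE_MISSING = "\n".join(
    line for line in SAMPLE_OK.splitlines() if "BATCH" not in line)

# account : optional (flag)(flag)... then one simple right: N, R, W, C or F
ACE = re.compile(r"^(?P<account>[^:]+):(?P<flags>(?:\([^)]*\))*)(?P<right>[NRWCF])$")

def parse_cacls(output, path=PATH):
    """Return [(account, flags, right)] for each simple ACE in cacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the file name
        m = ACE.match(line)
        if m:                                  # anything else is left uncounted
            aces.append((m["account"], m["flags"], m["right"]))
    return aces

def batch_can_execute(output, path=PATH):
    """True if an allow ACE gives BATCH read (R), change (C) or full (F)."""
    for account, flags, right in parse_cacls(output, path):
        name = account.rsplit("\\", 1)[-1].upper()
        # Assumption: a deny entry is rendered with a "(DENY)" flag.
        if name == "BATCH" and "DENY" not in flags.upper() and right in "RCF":
            return True
    return False

if __name__ == "__main__":
    for label, text in (("configured", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(label, "->", "OK" if batch_can_execute(text) else "BATCH lacks access")
```

Entries that cacls prints in any other form are not counted as a grant,
so a False result on a real server should be followed by a manual look
at the listing.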

The following are the steps to add the "BATCH" group to the system
command (cmd.exe) and to set Read & Execute permissions:

   1.) You must be logged into the Windows 2003 Server with an
       Administrative account.

   2.) From a Windows Explorer Window, navigate to the following:
       C:\WINDOWS\system32\cmd.exe

   3.) With the Right Mouse button, select "cmd.exe" and select
       "properties".  On the "Security" tab, select the "Advanced"
       button.

   4.) On the "Permissions" tab of the Advanced Security Settings for
       cmd.exe Window, select the "ADD" button.

   5.) In the "Enter object name to select" field, type BATCH
       (or hostname\BATCH) and then select the "CHECK NAMES" button.
       The group BATCH should be underlined.  Select OK.

   6.) On the Permission Entry for cmd.exe window, under the "ALLOW"
       column check the following items:

       Traverse Folder / Execute File
       List Folder / Read Data
       Read Attributes
       Read Extended Attributes
       Read Permissions

   7.) The Permissions tab should now show:

       Allow   BATCH   Read & Execute   <not inherited>

   8.) Select "APPLY" and a security warning will be displayed.
       Select "YES" to accept the changes.


Operating System and Release Information

Product Family: SAS System
Product:        SAS Integration Technologies

   System                                                  SAS Release   SAS Release
                                                           Reported      Fixed*
   Microsoft Windows Server 2003 Standard Edition          9.1 TS1M3
   Microsoft® Windows® for 64-Bit Itanium-based Systems    9.1 TS1M3
   Microsoft Windows XP Professional                       9.1 TS1M3
   Microsoft Windows 2000 Server                           9.1 TS1M3
   Microsoft Windows 2000 Advanced Server                  9.1 TS1M3
   Microsoft Windows 2000 Datacenter Server                9.1 TS1M3
   Microsoft Windows Server 2003 Enterprise Edition        9.1 TS1M3
   Microsoft Windows Server 2003 Datacenter Edition        9.1 TS1M3
   Microsoft Windows 2000 Professional                     9.1 TS1M3

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.