Problem Note 13521: ALLOWXCMD and NONOXCMD options fail with the Object Spawner on Windows
When submitting code to an Integration Technologies IOM server that uses
a Shell or operating system command such as FILENAME PIPE or SYSTASK
COMMAND, the code fails with
ERROR: Access is denied.
ERROR: Insufficient authorization for SYSTASK COMMAND.
For security reasons, the Object Spawner is started with the system
option of NOXCMD, which prevents the client from submitting any type of
SHELL or Operating System command.
With Administrative privileges, the Object Spawner can be restarted
with an option (ALLOWXCMD or NONOXCMD) that permits the client to issue
SHELL or Operating System commands. This works for all Windows
operating systems EXCEPT for Window 2003 Server.
To correct the problem on Windows 2003, Read & Execute permissions must
be granted to the "BATCH" group found on the Security tab of the cmd.exe
The "BATCH" group is a group identifier that is added to the token of
any process currently logged on as a batch user.
To verify if the "BATCH" group has been added and to view the
permissions on the group, open a COMMAND Window and issue the following:
C:\WINDOWS\system32> cacls %COMSPEC%
If the permissions are set correctly, you will see something similar to
The following are the steps to add the "BATCH" group to the system
command (cmd.exe) and to set Read & Execute permissions:
1.) You must be logged into the Windows 2003 Server with an
2.) From a Windows Explorer Window, navigate to the following:
3.) With the Right Mouse button, select "cmd.exe" and select
"properties". On the "Security" tab, select the "Advanced"
4.) On the "Permissions" tab of the Advanced Security Settings for
cmd.exe Window, select the "ADD" button.
5.) In the "Enter object name to select" field, type BATCH
(or hostname\BATCH) and then select the "CHECK NAMES" button.
The group BATCH should be underlined. Select OK.
6.) On the Permission Entry for cmd.exe window, under the "ALLOW"
column check the following items:
Traverse Folder / Execute File
List Folder / Read Data
Read Extended Attributes
7.) The Permissions tab should now show:
Allow BATCH Read & Execute <not inherited>
8.) Select "APPLY" and a security warning will be displayed.
Select "YES" to accept the changes.
Operating System and Release Information
SAS Integration Technologies
Microsoft Windows Server 2003 Standard Edition
Microsoft® Windows® for 64-Bit Itanium-based Systems
Microsoft Windows XP Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Professional
For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be