In the current environment there exists a policy where files within %system32% are only allowed to be owned by System and Administrators. An issue has arisen where, after converting these permissions, cmd.exe is unable to execute. The addition of the user that is currently logged in resolves this; however, adding a group myGroup with the user contained fails. The command prompt informs me that I do not have the permissions, which seems odd. Am I missing a registry edit or is there something else that I should be looking for here?
Under Win7 (should be similar to Vista)
Run gpedit.msc to start the Group Policy Editor
Navigate to: User Config -> Admin Templates -> System
Check the settings for: "Prevent access to the command prompt"
First of all - I don't think it is UAC. UAC will only prevent you from starting cmd.exe as admin. But please try executing cmd as admin. This should work.
I would switch to another cmd:
http://www.powercmd.com/
And place it in %ProgramFiles%
Adding a group to cmd.exe should work like adding a user. I don't think that a GPO fixes your issue. Only if you don't modify all files in %system32%.
You've added a new group to cmd.exe - but why? You said that you just modified the owner - but by the way - there can only be one owner... I suppose that you modified the access rights to be only System and Administrators. Maybe your policy overwrites your changes?
Another question is - does this make sense? Why would I try to tighten rights that are already safe? And why would I allow more rights to specific files without Admin rights?
Edit: Access rights needed for cmd.exe
Works on my system...
Edit2
Please try to run cmd.exe and analyse what failed with Process Monitor:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
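A read-only check of the situation discussed in this thread, added here as an example and not part of any of the posts above: it lists the owner and access entries of cmd.exe and marks which entries apply to the SIDs in the current logon token. It assumes the default %SystemRoot%\System32\cmd.exe location and hard-codes no names from the thread; the token is built at logon, so a group only counts if its SID shows up here.

```powershell
# Added diagnostic example; changes nothing on disk.
$path = Join-Path $env:SystemRoot 'System32\cmd.exe'   # assumed default location
$acl  = Get-Acl -LiteralPath $path

# SIDs carried by the current logon token: the user plus its enabled groups.
# WindowsIdentity.Groups leaves out deny-only groups (for example the
# Administrators SID in a non-elevated UAC token).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# Explicit and inherited ACEs, with identities returned as SIDs so they can
# be compared against the token without name-resolution ambiguity.
$report = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $rule.IdentityReference.Value
    try   { $name = $rule.IdentityReference.Translate($ntType).Value }
    catch { $name = $sid }   # unresolvable SID: show it raw
    [pscustomobject]@{
        Identity      = $name
        Type          = $rule.AccessControlType
        GrantsExecute = (($rule.FileSystemRights -band $needed) -eq $needed)
        InMyToken     = ($tokenSids -contains $sid)
        Inherited     = $rule.IsInherited
    }
}

"File : $path"
"Owner: $($acl.Owner)"
"User : $($identity.Name)"
$report | Format-Table -AutoSize

# Deny entries are evaluated before Allow entries, so report them first.
$deny  = @($report | Where-Object { $_.Type -eq 'Deny'  -and $_.InMyToken })
$allow = @($report | Where-Object { $_.Type -eq 'Allow' -and $_.InMyToken -and $_.GrantsExecute })

if ($deny.Count -gt 0) {
    "Deny entries matching this token: $($deny.Identity -join ', ')"
}
if ($allow.Count -gt 0) {
    "ReadAndExecute is granted through: $($allow.Identity -join ', ')"
} else {
    "No Allow entry with ReadAndExecute matches any SID in this token."
}
```

Running it once from the failing account and once from an elevated prompt shows whether the two tokens differ in the groups that the ACL relies on.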