Summary
This article, originally titled “How to Recreate the Ctx_SmaUser Account,” has been revised to reflect an improved process for troubleshooting issues related to this account.
To re-create the account, Citrix recommends the use of a tool published in the Citrix Knowledge Base as CTX111464 – CTX_SmaUser Re-creation Tool. This tool automates the re-creation of the Ctx_SmaUser account using the same processes that create the account during the installation of Presentation Server 4.0.
Citrix Support does not recommend the manual creation or re-creation of this account.
The focus of this article is to highlight the re-creation tool and to provide administrators with a checklist containing the settings normally granted to this account in the event that server hardening has to take place or for the purposes of troubleshooting.
Background
The purpose of the Ctx_SmaUser account is to provide both the Citrix Print Manager Service and the Citrix SMA Service a server-local account to perform certain functions. By default, the account is given only the necessary permissions, group memberships, and rights needed to perform these functions. Any deviation from this set of permissions and rights for the purpose of hardening or locking down the server may result in undesirable effects (that is, printers may not autocreate in an ICA session or certain reporting components of the Access Suite Console may not function properly).
Giving the account Local Administrative permissions or setting either or both services to the Local System account may be a necessary, temporary step to isolate printing problems or issues related to the Access Suite Console. These changes, if left permanent, defeat the purpose of the account’s creation. Therefore, if these steps were taken during troubleshooting, it is recommended that CTX111464 - CTX_SmaUser Re-creation Tool be used to re-create the account after troubleshooting has been performed.
Local Group Membership
On both Windows 2000 Server and Windows Server 2003, the Ctx_SmaUser account is assigned to the Power Users group. Membership in this group affords the account privileges to access many resources not given to regular users. In addition, there are many Security Rights that are assigned specifically to this group. See the Microsoft Documentation links below for more details:
• Microsoft TechNet – Account Privileges
• Microsoft TechNet – Account Logon Rights
Another useful step in understanding the extent to which this group appears in the access control lists (ACLs) of various server resources is to use a tool from Microsoft Sysinternals called AccessEnum. This tool can be used to show all of the accounts and groups with access to a certain set of resources, either in the file system or in the Registry. Remember that the Power Users group is also a member of the Everyone group when using this tool to assess the extent of the Power Users group’s access. Another tool available from Sysinternals is a command-line utility called AccessChk, which can be used to determine the access the Power Users group has over a set of resources or, more specifically, what access the Ctx_SmaUser account has over a set of resources. Consult the Sysinternals documentation for more details on the tools and how to use them.
Rights Assigned to the Ctx_SmaUser Account
To see a list of Rights assigned to the Ctx_SmaUser account, go into the Local Security Policy for the server.
For Windows 2000 Server, under the User Rights Assignment node, the following rights should be assigned to the account or to the Power User group:
• The Allow Log on Locally right should be assigned to the Power Users local group.
• The Impersonate a client after authentication right should be assigned to the Ctx_SmaUser account.
• The Log on as a batch job right should be assigned to the Ctx_SmaUser account.
• The Log on as a service right should be assigned to the Ctx_SmaUser account.
• The Load and unload device drivers right should be assigned to the Ctx_SmaUser account.
For Windows 2000 Server, under the Security Options node, the following should be set:
• Verify that the Power Users group has been given the right to Log on locally.
For Windows Server 2003, under the User Rights Assignment node, the following rights should be assigned to the account or to the Power Users group:
• The Allow Log on Locally right should be assigned to the Power Users local group.
• The Impersonate a client after authentication right should be assigned to the Ctx_SmaUser account.
• The Log on as a batch job right should be assigned to the Ctx_SmaUser account.
• The Log on as a service right should be assigned to the Ctx_SmaUser account.
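The following PowerShell script is an added verification aid, not part of the Citrix article or of the CTX111464 tool. It exports the local User Rights Assignment with secedit and checks the rights listed above, then checks Power Users membership through the WinNT ADSI provider; it assumes an elevated prompt on the server itself and that secedit writes principals as *SID entries.

```powershell
# Added verification script; it is not part of the Citrix article or the
# CTX111464 tool. Checks the user-rights checklist above and Power Users
# membership for Ctx_SmaUser. Run from an elevated PowerShell prompt.
$account       = 'Ctx_SmaUser'
$powerUsersSid = 'S-1-5-32-547'   # well-known SID of BUILTIN\Power Users

# Resolve the account to its SID: secedit writes principals as *<SID>.
$acctSid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective User Rights Assignment to a temporary .inf file.
$inf = Join-Path $env:TEMP 'ctx_smauser_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

# Privilege constant -> principal that the article says must hold it.
$required = @{
    'SeInteractiveLogonRight' = $powerUsersSid   # Allow log on locally
    'SeImpersonatePrivilege'  = $acctSid         # Impersonate a client after authentication
    'SeBatchLogonRight'       = $acctSid         # Log on as a batch job
    'SeServiceLogonRight'     = $acctSid         # Log on as a service
}
# Load and unload device drivers is on the Windows 2000 list only.
if ((Get-WmiObject Win32_OperatingSystem).Version -like '5.0.*') {
    $required['SeLoadDriverPrivilege'] = $acctSid
}

foreach ($right in $required.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Value is a comma-separated list such as *S-1-5-32-547,*S-1-5-21-...
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $wanted = $required[$right]
    # Accept the SID form or, for the local account, the plain name form.
    $ok = ($holders -contains $wanted) -or ($wanted -eq $acctSid -and $holders -contains $account)
    "{0,-26} {1}" -f $right, $(if ($ok) { 'OK' } else { 'MISSING' })
}

# Power Users membership via the WinNT ADSI provider.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Power Users,group"
$members = @($group.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
"{0,-26} {1}" -f 'Power Users member', $(if ($members -contains $account) { 'OK' } else { 'MISSING' })
```

A MISSING line points at the right to restore in Local Security Policy; rights granted only through some other group the account belongs to are not expanded by this script.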
Component Services
For Component Services on Windows 2000 Server, make sure that the Ctx_SmaUser account has the Allow DefaultLaunchPermission permission to My Computer. To verify this, perform the following steps:
1. From the Start menu, go to Programs > Administrative Tools > Component Services.
2. Expand the following nodes in the left pane: Component Services > Computers > My Computer.
3. Right-click My Computer and select Properties.
4. Go to the Default Security tab and click the Edit Default button in the Launch Permissions section.
5. Here, the Ctx_SmaUser account should be listed in the ACL. Make sure that the account is set with the permission to Allow DefaultLaunchPermission.
For Component Services on Windows Server 2003, there are several items to which the Ctx_SmaUser account has to have permissions.
-------------------
A Note Regarding Enhancements in COM+ Permissions for Windows 2003:
The “Launch & Activation” section is new functionality introduced with Service Pack 1 for Windows Server 2003.
Before Service Pack 1 there was only one “Launch” permission, which included activation permission. After upgrading, this is separated into:
• Local Launch
• Local Activation
• Remote Launch
• Remote Activation
For more information see Microsoft article DCOM Security Enhancements.
----------------
1. From the Start menu, run dcomcnfg or go to Administrative Tools > Component Services.
2. Expand the following nodes in the left pane: Component Services > Computers > My Computer.
3. Right-click My Computer and select Properties.
4. Go to the COM Security tab to the Launch & Activation Permissions box and click the Edit Default button.
a. Ensure that Ctx_SmaUser account is present in the ACL.
b. By default, the Allow Local Launch permission is selected. Make sure that the Allow Local Activation permission is selected as well.
c. Click OK on both the ACL and in the My Computer Properties dialog box.
5. Expand the My Computer node in the left pane of Component Services to reveal and to select the DCOM Config folder.
6. After the DCOM Config folder has been selected, the right pane reveals a number of DCOM objects.
7. From the DCOM objects, select the Citrix IMA Service object, right-click and select Properties.
8. Go to the Security tab.
a. In the Access Permissions section, click the Edit button.
b. Make sure that the Ctx_SmaUser account is on the ACL and ensure that both the Allow Local Access and the Allow Remote Access permissions have been assigned to the account.
c. Click OK on both the ACL and in the Security tab to continue.
9. From the list of DCOM objects, select the Citrix SMA Service DCOM object, right-click and select Properties.
a. Go to the Security tab.
b. Click the Edit button in the Launch & Activation section. Make sure that the Ctx_SmaUser account is in the ACL and make sure that both the Local Launch and the Local Activation permissions have been assigned.
c. Click the Edit button in the Access Permission section. Add the Ctx_SmaUser account to the ACL and make sure that both the Local Access and the Remote Activation permissions are assigned.
d. Click the Edit button in the Change Configuration Permission section. Make sure that both the Local Access and the Remote Activation permissions are assigned to the Power Users machine local group.
e. Click on the OK buttons in the ACL and in the Security tab to continue.
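The following PowerShell script is an added check, not part of the Citrix article. It decodes the machine-wide default Launch & Activation permission that step 4 edits in the dialog, reading the security descriptor that Windows stores in the DefaultLaunchPermission value under HKLM\SOFTWARE\Microsoft\Ole, and reports whether Ctx_SmaUser holds a direct Local Launch and Local Activation allow; the COM access-mask bit values are from the Microsoft DCOM documentation, and a pre-SP1 style ACE carrying only COM_RIGHTS_EXECUTE is treated as granting both.

```powershell
# Added check; it is not part of the Citrix article. Decodes the machine-wide
# default DCOM Launch & Activation permission (step 4 above) from the registry
# and reports whether Ctx_SmaUser is allowed Local Launch and Local Activation.
$account = 'Ctx_SmaUser'
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
          [System.Security.Principal.SecurityIdentifier])

# The default is stored as a self-relative security descriptor (REG_BINARY).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
if (-not $ole.DefaultLaunchPermission) { throw 'DefaultLaunchPermission is not set' }
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(
          [byte[]]$ole.DefaultLaunchPermission, 0)

# COM access-mask bits. A pre-SP1 ACE carries only COM_RIGHTS_EXECUTE (0x01),
# which implies every launch and activation right.
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$specificBits = 0x1E   # the four SP1-specific bits above, combined

# Collect the allow bits granted directly to the account (group ACEs are not
# expanded here; AccessEnum/AccessChk, mentioned earlier, show effective access).
$allowed = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($ace.SecurityIdentifier.Value -ne $sid.Value) { continue }
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
        $allowed = $allowed -bor $ace.AccessMask
    }
}
$legacy = (($allowed -band $COM_RIGHTS_EXECUTE) -ne 0) -and (($allowed -band $specificBits) -eq 0)
$localLaunch     = $legacy -or (($allowed -band $COM_RIGHTS_EXECUTE_LOCAL) -ne 0)
$localActivation = $legacy -or (($allowed -band $COM_RIGHTS_ACTIVATE_LOCAL) -ne 0)

"{0}: Local Launch={1}  Local Activation={2}" -f $account, $localLaunch, $localActivation
if (-not ($localLaunch -and $localActivation)) {
    Write-Warning "$account lacks a default Local Launch/Local Activation allow ACE"
}
```

The per-object permissions of steps 8 and 9 use the same descriptor format in the LaunchPermission and AccessPermission values under HKEY_CLASSES_ROOT\AppID\{AppID}, but the AppIDs of the Citrix objects are not given in this article, so they are not checked here.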
Permissions to Other Resources
On Windows 2000 Server and on Windows Server 2003, the Ctx_SmaUser account has been configured with special permissions to the ICA-TCP listener port. These permissions have to be re-created each time the ICA-TCP Listener port is re-created.
To configure the permissions of the ICA Listener port:
1. Go to Administrative Tools > Terminal Services Configuration > ICA-tcp > Properties > Permissions.
2. Add the Ctx_SmaUser account to the ACL for the listener. By default, Windows allows Guest permissions to the account in the ACL, but these permissions are not enough. The Guest permissions check box should be cleared.
3. Click the Advanced button and select the Ctx_SmaUser account from the list.
4. Click the Edit button. In the Advanced ACL, clear the Logon permission check box and select both the Query Information and the Virtual Channels check boxes. Click OK to proceed.
5. Click OK to apply. (Note: This is required for the Citrix Print Manager Service to work properly.)
Additional Notes
• If it is necessary to harden security for server-local accounts (like the Ctx_SmaUser account), the account should have the User cannot change password and Password never expires check boxes selected. This ensures that both the Citrix Print Manager Service and the Citrix SMA Service continue to start and that the system-generated password for the account does not expire.
• While troubleshooting a possible problem with permissions to the Ctx_SmaUser account, instead of re-creating the account, the account could be assigned to the Administrators machine-local group or the account could be assigned to be a Full Citrix Administrator in the Presentation Server Management Console. With either method, both the Citrix Print Manager Service and the Citrix SMA Service have to be restarted in order for any changes to take effect.
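The following PowerShell script is an added check, not part of the Citrix article, for the troubleshooting leftovers these notes describe: it reports which account each of the two services logs on as (WMI Win32_Service), whether Ctx_SmaUser is still in the machine-local Administrators group, and whether the two password flags are set (UserFlags via the WinNT ADSI provider, bit values from iads.h). It assumes the service display names are exactly as written in this article; the short service names are not given here.

```powershell
# Added check; it is not part of the Citrix article. Detects troubleshooting
# leftovers described above: services switched to LocalSystem, Ctx_SmaUser
# placed in Administrators, or the password flags cleared.
$account  = 'Ctx_SmaUser'
$computer = $env:COMPUTERNAME
# Display names as given in the article (assumption: they match the server).
$services = 'Citrix Print Manager Service', 'Citrix SMA Service'

foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if (-not $svc) { Write-Warning "$name not found"; continue }
    # StartName is the logon account, e.g. .\Ctx_SmaUser or LocalSystem.
    $runsAsAccount = $svc.StartName -match "\\$account$"
    $state = if ($runsAsAccount) { 'OK' } else { 'REVIEW' }
    "{0,-30} runs as {1,-22} {2}" -f $name, $svc.StartName, $state
}

# Administrators membership should only ever be a temporary troubleshooting step.
$admins  = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($admins.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -contains $account) { Write-Warning "$account is still in Administrators" }

# UserFlags bits from iads.h: 0x40 = user cannot change password,
# 0x10000 = password never expires.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$user  = [ADSI]"WinNT://$computer/$account,user"
$flags = [int]$user.UserFlags.Value
"User cannot change password : {0}" -f (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
"Password never expires      : {0}" -f (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
```

A REVIEW line or an Administrators warning means the temporary change was left in place and the account should be re-created with the CTX111464 tool as the article recommends.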