
Required Permissions and Rights for the Ctx_CpsvcUser Account

Document ID: CTX113555   /   Created On: Dec 6, 2007   /   Updated On: Dec 6, 2007

Summary

To re-create the Ctx_CpsvcUser account, Citrix recommends using a tool published in the Citrix Knowledge Center as CTX113554 – CTX_CpsvcUser Re-creation Tool for 32-bit and 64-bit Versions of Presentation Server 4.5. This tool automates the process of re-creating the Ctx_CpsvcUser account using the same processes that create the account during the Presentation Server 4.5 installation.
Warning! Citrix Technical Support does not recommend manually creating or re-creating this account.

This article highlights the re-creation tool and provides administrators with a checklist containing the settings normally granted to this account in the event that server hardening must take place or for troubleshooting purposes.

Background

The Ctx_CpsvcUser account provides the Citrix Print Manager Service with a server-local account to perform certain functions. By default, the account has only the necessary permissions, group memberships, and rights needed to perform those functions. Any deviation from this set of permissions and rights for the purpose of hardening or locking down the server might cause printers to not autocreate in an ICA session.

Giving the account local administrator permissions or setting the service to the Local System account may be a necessary, temporary step to isolate printing problems. These changes, if left permanent, defeat the purpose of the account’s creation. Therefore, if these steps are taken during troubleshooting, Citrix Technical Support recommends that you use CTX113554 – CTX_CpsvcUser Re-creation Tool for 32-bit and 64-bit Versions of Presentation Server 4.5 to re-create the account after completing the troubleshooting procedures.

Local Group Membership

The Ctx_CpsvcUser account belongs to the Power Users group. Membership in this group gives the account access to many resources not given to regular users. In addition, there are many security rights assigned specifically to this group. See the following Microsoft documentation for more details:

Microsoft TechNet – Account Privileges

Microsoft TechNet – Account Logon Rights

Another useful step in understanding the extent to which this group appears in the access control lists (ACLs) of various server resources is to use a tool from Sysinternals called AccessEnum to show all of the accounts and groups with access to a certain set of resources either in the file system or in the registry. When using this tool to assess the extent of the Power Users group’s access, remember that the Power Users group is also a member of the Everyone group.

Another tool available from Sysinternals is a command line utility called AccessChk, which you can use to determine the access the Power Users have to resources or, more specifically, what access the Ctx_CpsvcUser account has to resources.

Rights Assigned to the Ctx_CpsvcUser Account

To see a list of rights assigned to the Ctx_CpsvcUser account, use the following procedure.

1. Go to the Local Security Policy for the server.

2. Under the User Rights Assignment node, check the following rights assignments:

These rights…                                 Should be assigned to…
Allow Log on Locally                          Power Users local group
Impersonate a client after authentication     Ctx_CpsvcUser
Log on as a batch job                         Ctx_CpsvcUser
Load and unload device drivers                Ctx_CpsvcUser
Log on as a service                           Ctx_CpsvcUser

3. Under the Security options node, enable the Strengthen default permissions of internal system objects effective permission.
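
The rights checklist in step 2 can also be verified offline from a security policy export. The following is an added example, not Citrix code: it parses the [Privilege Rights] section of a secedit export and reports checklist rights that are missing and rights the account holds beyond the checklist. The sample export, the function names, and the optional account SID argument are assumptions made for the illustration.

```python
# Added example; SAMPLE is constructed, not taken from a real server.
ACCOUNT = "Ctx_CpsvcUser"
POWER_USERS = "*S-1-5-32-547"  # well-known SID of the built-in Power Users group

# Policy display name -> (secedit constant, principal expected to hold it)
EXPECTED = {
    "Allow log on locally": ("SeInteractiveLogonRight", POWER_USERS),
    "Impersonate a client after authentication": ("SeImpersonatePrivilege", ACCOUNT),
    "Log on as a batch job": ("SeBatchLogonRight", ACCOUNT),
    "Load and unload device drivers": ("SeLoadDriverPrivilege", ACCOUNT),
    "Log on as a service": ("SeServiceLogonRight", ACCOUNT),
}

SAMPLE = """[Unicode]
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-551
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,Ctx_CpsvcUser
SeBatchLogonRight = Ctx_CpsvcUser
SeServiceLogonRight = *S-1-5-20,Ctx_CpsvcUser
SeDebugPrivilege = *S-1-5-32-544,Ctx_CpsvcUser
[Version]
"""

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to its set of lower-cased principals."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lower() for m in members.split(",") if m.strip()}
    return rights

def audit(inf_text, account_sid=None):
    """Return (missing checklist rights, rights the account holds beyond the checklist)."""
    rights = parse_privilege_rights(inf_text)
    aliases = {ACCOUNT.lower()}  # exports may list the account by name or by SID
    if account_sid:
        aliases.add("*" + account_sid.lower())
    missing = []
    for display, (const, who) in EXPECTED.items():
        wanted = aliases if who == ACCOUNT else {who.lower()}
        if not rights.get(const, set()) & wanted:
            missing.append(display)
    allowed = {const for const, who in EXPECTED.values() if who == ACCOUNT}
    extra = sorted(c for c, m in rights.items() if m & aliases and c not in allowed)
    return missing, extra
```

A real export is produced with secedit /export /cfg rights.inf /areas USER_RIGHTS and is normally UTF-16 encoded, so read the file with encoding="utf-16" before passing its text to audit().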

Permissions to Other Resources

The Ctx_CpsvcUser account has been configured with special permissions to the ICA-TCP Listener port. You must re-create these permissions each time the ICA-TCP Listener port is re-created.

To configure the permissions of the ICA Listener port, use the following procedure.

1. Go to Administrative Tools > Terminal Services Configuration > ICA-tcp > Properties > Permissions.

2. Add the Ctx_CpsvcUser account to the ACL for the listener. By default, Windows allows Guest permissions to the account in the ACL, but these permissions are not enough. The Guest permissions check box should be cleared.

3. Click Advanced and select the Ctx_CpsvcUser account from the list.

4. Click Edit. In the Advanced ACL, clear the Logon permission check box and select both Query Information and Virtual Channels. Click OK to proceed.

5. Click OK to apply the changes.

More Information

• If hardened security for server-local accounts (like the Ctx_CpsvcUser account) is necessary, the account should have User cannot change password and Password never expires selected. This configuration ensures that the Citrix Print Manager Service continues to start and that the system-generated password for the account does not expire.

• While troubleshooting a problem with permissions to the Ctx_CpsvcUser account, instead of re-creating the account, try assigning the account to the Administrators machine-local group or to a Full Citrix Administrator in the Presentation Server Console. With either method, you must restart the Citrix Print Manager for the changes to take effect.


This document applies to:

  • Presentation Server 4.5 for Windows Server 2003