This article highlights the re-creation tool and provides administrators with a checklist containing the settings normally granted to this account in the event that server hardening must take place or for troubleshooting purposes.
To re-create the Ctx_CpsvcUser account, Citrix recommends using the tool published in the Citrix Knowledge Center as CTX113554 – CTX_CpsvcUser Re-creation Tool for 32-Bit and 64-Bit Versions of XenApp on 2003. This tool automates re-creating the Ctx_CpsvcUser account using the same processes that create the account during the Presentation Server 4.5 installation.
Warning! Citrix Technical Support does not recommend manually creating or re-creating this account.
The Ctx_CpsvcUser account provides the Citrix Print Manager Service with a server-local account to perform certain functions. By default, the account has only the necessary permissions, group memberships, and rights needed to perform those functions. Any deviation from this set of permissions and rights for the purpose of hardening or locking down the server might cause printers to not auto create in an ICA session.
Providing the account local administrator permissions or setting the service to run as the Local System account might be a necessary temporary step to isolate printing problems. If left permanent, these changes defeat the purpose of creating the account. Therefore, if these steps are implemented during troubleshooting, Citrix Technical Support recommends using CTX113554 – CTX_CpsvcUser Re-creation Tool for 32-Bit and 64-Bit Versions of XenApp on 2003 to re-create the account after completing the troubleshooting procedures.
The Ctx_CpsvcUser account belongs to the Power Users group. Membership in this group gives the account access to many resources not available to regular users. In addition, many security rights are assigned specifically to this group. Refer to the following Microsoft documentation for more details:
Power Users Group may be able to gain administrator rights and permissions in Windows Server 2003, Windows 2000, or Windows XP
Another useful step in understanding the extent to which this group appears in the access control lists (ACLs) of various server resources is to use a tool from http://www.microsoft.com/technet/sysinternals/default.mspx called AccessEnum, which shows all of the accounts and groups with access to a given set of resources in either the file system or the registry. When using this tool to assess the extent of the Power Users group's access, remember that the Power Users group is also a member of the Everyone group.
Another tool available from Sysinternals is a command line utility called AccessChk, which can be used to determine the access the Power Users have to resources or, more specifically, determine the access Ctx_CpsvcUser account has to resources.
To view a list of rights assigned to the Ctx_CpsvcUser account, complete the following procedure.
Browse to the Local Security Policy for the server.
Under the User Rights Assignment node, check the following rights assignments:
These rights… | Should be assigned to…
Allow Log on Locally | Power User local group
Impersonate a client after authentication | Ctx_CpsvcUser
Log on as a batch job | Ctx_CpsvcUser
Load and unload device drivers | Ctx_CpsvcUser
Log on as a service | Ctx_CpsvcUser
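The following audit script is an added example and is not part of the Citrix article or its re-creation tool. It compares a server against the defaults described above: the five user rights in the table (read from a secedit policy export), the Power Users membership, the absence of a leftover Administrators membership from troubleshooting, and the identity the Citrix Print Manager Service runs as. It assumes an elevated PowerShell session on the XenApp server and the English group names "Power Users" and "Administrators".

```powershell
# Added example, not Citrix code. Run elevated on the XenApp server.
$account       = 'Ctx_CpsvcUser'
$powerUsersSid = 'S-1-5-32-547'   # well-known SID of the local Power Users group

# secedit writes privilege holders as *SID, so resolve the account's SID first.
$accountSid = (New-Object Security.Principal.NTAccount($account)).Translate(
                 [Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy and keep the [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

function Test-Right([string]$Right, [string]$Sid, [string]$Name) {
    # $true when the privilege line lists the principal by *SID or by name.
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return $false }
    return ($line -match [regex]::Escape("*$Sid")) -or ($line -match [regex]::Escape($Name))
}

# Privilege constant -> (SID, name) expected to hold it, per the table above.
$expected = @{
    'SeInteractiveLogonRight' = @($powerUsersSid, 'Power Users')  # Allow log on locally
    'SeImpersonatePrivilege'  = @($accountSid, $account)          # Impersonate a client after authentication
    'SeBatchLogonRight'       = @($accountSid, $account)          # Log on as a batch job
    'SeLoadDriverPrivilege'   = @($accountSid, $account)          # Load and unload device drivers
    'SeServiceLogonRight'     = @($accountSid, $account)          # Log on as a service
}
foreach ($right in $expected.Keys) {
    $ok = Test-Right $right $expected[$right][0] $expected[$right][1]
    "{0,-24} {1}" -f $right, $(if ($ok) { 'OK' } else { 'MISSING' })
}

# Group membership via the WinNT ADSI provider (group names assumed to be English).
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
}
$inPower  = (Get-LocalGroupMemberNames 'Power Users')    -contains $account
$inAdmins = (Get-LocalGroupMemberNames 'Administrators') -contains $account
"Member of Power Users:    $(if ($inPower)  { 'OK' } else { 'MISSING' })"
"Member of Administrators: $(if ($inAdmins) { 'UNEXPECTED - remove after troubleshooting' } else { 'OK' })"

# Service identity: should be .\Ctx_CpsvcUser, not LocalSystem left over from troubleshooting.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='Citrix Print Manager Service'"
if ($svc) { "Service runs as: $($svc.StartName)" } else { 'Citrix Print Manager Service not found' }
```

Any MISSING or UNEXPECTED line indicates drift from the defaults, which is the case in which Citrix recommends re-creating the account with CTX113554 rather than adjusting the rights by hand.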
The Ctx_CpsvcUser account has been configured with special permissions on the ICA-TCP Listener port. These permissions must be re-created each time the ICA-TCP Listener port is re-created.
Note: Minimum default permissions for ICA-TCP in XenApp 6.x and later will be identical to RDP-TCP.
To configure the permissions of the ICA Listener port, complete the following procedure:
Go to Administrative Tools > Terminal Services Configuration > ICA-tcp > Properties > Permissions.
Add the Ctx_CpsvcUser account to the ACL for the listener.
By default, Windows grants the account Guest permissions in the ACL, but these permissions are insufficient. Clear the Guest permissions check box.
Click Advanced and select the Ctx_CpsvcUser account from the list.
Click Edit.
In the Advanced ACL, clear the Logon permission check box and select both Query Information and Virtual Channels. Click OK to proceed.
Click OK to apply the changes.
Notes:
CTX119238 – FAQ: Permissions Required for the CTX_CPSVCUSER Account with XenDesktop
CTX125139 – How to Modify ICA-TCP Listener Remote Desktop Session Host Configuration for XenApp