Modifying the Automate Desktop 2024 service account breaks functionality


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v8.2.x and later

DISCUSSION

EFT administrators should not modify the Automate Desktop 2024 service (also known as the Task Service, AMTS.exe) as this will break functionality in EFT. The EFT help article Automate Desktop Service Account explains how to configure EFT's Automate Service Account on the Server > Administration tab in the EFT administration interface to continue to run event rules when the Windows session is logged out or locked, or the EFT server service account is logged out.

For use with EFT Event Rules, you should NOT change the permissions noted below. Creating an Automate Service account in EFT is all you need to do.

Here is the feedback from the Automate Team:

  • Service Log On Settings:

    • The customer attempted to assign a specific username and password under Service Properties > Log On tab. This alters the logon behavior from running under the default Local System Account to a specified user account. (Do not do this.) 

      • Automate Desktop 2024 cannot run in the context of a user other than the Local System account, because it is critical for the service to execute WTSQueryUserToken in order to run AMEM.exe (Automate Desktop Event Monitor) under the specific user; otherwise Automate Desktop 2024 will not be able to function properly.

    • For the service to function properly with the Local System Account, the assigned user needs specific rights to execute certain Windows API functions (i.e., WTSEnumerateSessions and WTSQueryUserToken) and access certain system resources, such as files and directories.

    • Permissions for WTSEnumerateSessions and WTSQueryUserToken:

      • WTSEnumerateSessions requires the user to have permission to enumerate remote desktop sessions. Typically, the user needs to be part of the Remote Desktop Users group or have SeRemoteInteractiveLogonPrivilege.

      • WTSQueryUserToken obtains the primary access token of the logged-on user specified by the session ID. To call this function successfully, the calling application must be running within the context of the LocalSystem account and have the SE_TCB_NAME privilege. (Per Microsoft’s documentation)

        Caution: WTSQueryUserToken is intended for highly trusted services. Service providers must use caution that they do not leak user tokens when calling this function. Service providers must close token handles after they have finished using them.

    • File System Access (Folder C:\ProgramData\Automate\Automate Desktop 2024\AutomateDesktop2024TaskFile.atl):

      • The user in this scenario needs read and write access to the file located at C:\ProgramData\Automate\Automate Desktop 2024\AutomateDesktop2024TaskFile.at
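The two conditions the Automate Team describes above (the Task Service must log on as Local System, and Local System must be able to read and write the .atl task file) can be verified from an elevated PowerShell prompt. The script below is an added example written for this article; it is not code from Fortra, Globalscape or the Automate product. It assumes that the service's binary path contains AMTS.exe (the article does not give the service name, so the service is located by path) and that the task file lives at the full path quoted in the File System Access bullet. The optional -Repair switch resets a changed log-on account back to Local System using sc.exe, which is the corrective action the article implies.

```powershell
# Added example: audit the Automate Desktop 2024 Task Service (AMTS.exe) log-on account
# and Local System's access to the .atl task file. Not part of the original article.

function Test-AmtsServiceLogon {
    [CmdletBinding()]
    param(
        # Assumption: the service binary path contains this name (per the article).
        [string]$BinaryName = 'AMTS.exe',
        # When set, reset a mis-configured service back to Local System.
        [switch]$Repair
    )
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$BinaryName*" }
    if (-not $services) {
        Write-Warning "No service whose binary path contains '$BinaryName' was found."
        return $null
    }
    foreach ($svc in $services) {
        # Win32_Service.StartName reports 'LocalSystem' for the Local System account.
        $isLocalSystem = ($svc.StartName -eq 'LocalSystem')
        if (-not $isLocalSystem) {
            $msg = "Service '{0}' logs on as '{1}', not Local System; WTSQueryUserToken " +
                   "will fail and AMEM.exe cannot be started for the user session." -f
                   $svc.Name, $svc.StartName
            Write-Warning $msg
            if ($Repair) {
                # sc.exe requires the space after 'obj=' ; Local System needs no password.
                & sc.exe config $svc.Name obj= LocalSystem | Out-Null
                Write-Host "Service '$($svc.Name)' reset to Local System; restart it to apply."
            }
        }
        [pscustomobject]@{
            Name              = $svc.Name
            DisplayName       = $svc.DisplayName
            StartName         = $svc.StartName
            State             = $svc.State
            RunsAsLocalSystem = $isLocalSystem
        }
    }
}

function Test-AmtsTaskFileAccess {
    [CmdletBinding()]
    param(
        # Assumption: full path as quoted in the article's File System Access bullet.
        [string]$Path = 'C:\ProgramData\Automate\Automate Desktop 2024\AutomateDesktop2024TaskFile.atl'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Task file not found at '$Path'."
        return $null
    }
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    # Get-Acl's .Access list includes inherited ACEs, so a SYSTEM grant on the
    # parent folder is counted as long as inheritance has not been broken.
    $acl = Get-Acl -LiteralPath $Path
    $systemAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow'
    }
    $canRead = $false; $canWrite = $false
    foreach ($ace in $systemAllow) {
        # Read and Write are composite flags, so compare the masked value against
        # the flag itself rather than testing for any overlapping bit.
        if (($ace.FileSystemRights -band $read)  -eq $read)  { $canRead  = $true }
        if (($ace.FileSystemRights -band $write) -eq $write) { $canWrite = $true }
    }
    if (-not ($canRead -and $canWrite)) {
        Write-Warning "NT AUTHORITY\SYSTEM lacks read+write on '$Path'; the Task Service cannot maintain its task file."
    }
    [pscustomobject]@{
        Path          = $Path
        SystemCanRead  = $canRead
        SystemCanWrite = $canWrite
        ExplicitAces   = ($systemAllow | Where-Object { -not $_.IsInherited }).Count
    }
}

# Usage (run elevated):
#   Test-AmtsServiceLogon            # report only
#   Test-AmtsServiceLogon -Repair    # also reset the log-on account to Local System
#   Test-AmtsTaskFileAccess
```

Both functions only report by default; -Repair is the single change they can make, and it restores the configuration the article requires rather than granting anything new. The ACL check looks only for a direct NT AUTHORITY\SYSTEM allow entry (explicit or inherited); access that Local System would receive solely through a group membership is not detected, so a negative result warrants a manual look at the folder's permissions before changing anything.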