The ArcGIS Server account
In this topic
- When is the ArcGIS Server account used?
- Which account should I designate as the ArcGIS Server account?
- What permissions do I need to grant to the ArcGIS Server account?
- Changing the ArcGIS Server account
- Specifying the locale of the ArcGIS Server account
As ArcGIS Server does its work, it needs to start and stop processes, read and write data to locations on the file system, and communicate between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS for Server. This is known throughout the documentation as the ArcGIS Server account.
When is the ArcGIS Server account used?
The ArcGIS Server account is used for the following purposes:
- Start and stop processes that support the GIS server and services.
- Read the GIS data behind your services.
- Read and write files to the ArcGIS Server directories; for example, when you create a map cache, the ArcGIS Server account writes the cache tiles into your server cache directory.
- Read and write files to the configuration store; for example, when you create a new cluster in Manager, the ArcGIS Server account writes the cluster configuration information to files in the configuration store.
- Read and write files to the ArcGIS Server installation location and system temp directory; for example, the account writes log files that you can use to troubleshoot the server.
- Read and write log messages to the logs directory.
Note:
The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Securing your ArcGIS Server site.
Which account should I designate as the ArcGIS Server account?
The ArcGIS Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it's recommended that you create a domain or Active Directory account prior to installing ArcGIS Server. If your organization's security policy requires passwords to expire, be aware that you will need to run the Configure ArcGIS Server Account utility to update the expired password.
You are allowed to specify a local account or a domain account. A recommended approach is to export the setup configuration file and reuse it on subsequent installations of ArcGIS Server. In this manner, you can guarantee that the ArcGIS Server account is configured exactly the same on all the GIS servers in your site.
Using a local account
If you've chosen a local account, the local account and password must exist on each GIS server and be identical. In a site with multiple GIS servers, each GIS server must use the same ArcGIS Server account. If you specify a local account that doesn't exist, the installation creates the account for you.
If you're creating a new local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does meet the minimum strength requirements of your operating system, the installation returns an error. You can view an explanation of the requirements on Windows by doing the following:
- From the Control Panel, open Local Security Policy and expand Account Policies.
- Select the Password Policy folder and double-click Password must meet complexity requirements.
- In the Password must meet complexity requirements Properties dialog box, click the Explain tab.
Using a domain account
A domain account makes it easier to access data on remote systems. In many scenarios a domain account is also preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, a local account is created with the same user name. If you specify a domain account that does not exist, the installation returns an error.
If your logon settings deny login rights to the machine where ArcGIS Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Server account. For more information, see Advanced considerations when using domain accounts.
I have an SOC account from a previous installation of ArcGIS Server. Can I designate this as the ArcGIS Server account?
Previous versions of ArcGIS Server required you to create an account called the SOC account and grant it permissions to all data folders. If you already have an SOC account and its permissions in place, you can specify it as the ArcGIS Server account if you choose. This can reduce or eliminate the reassigning of permissions you need to perform during migration.
Can I use Local System as the Log On As account for running ArcGIS Server?
People often ask if the ArcGIS Server Windows service can be configured to run under a Windows native LocalSystem account. You can do this by right-clicking the ArcGIS Server service in the Windows Services dialog box and configuring the properties of the service such that it logs on as LocalSystem. When configuring the service in this manner, keep the following in mind:
- The LocalSystem account is highly privileged with security implications that you need to be aware of. For details, see The LocalSystem Account in the Microsoft Development Center.
- The LocalSystem account is not intended for accessing network locations. In order for the account to access your service and site data, the data will need to be stored locally.
- In a site with multiple GIS servers, do not use LocalSystem as the ArcGIS Server account.
What permissions do I need to grant to the ArcGIS Server account?
The ArcGIS for Server installation grants permissions to the ArcGIS Server account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS for Server installation directory and full control permissions to the following folders:
- <ArcGIS for Server installation directory>\framework
- <ArcGIS for Server installation directory>\geronimo
- <ArcGIS for Server installation directory>\usr
- <ArcGIS for Server installation directory>\bin
- <ArcGIS for Server installation directory>\XMLSchema
Before you create your site, you should grant the ArcGIS Server account the following:
- Read and write permissions to the location where your server directories will be created. Keep in mind that you'll need to grant the ArcGIS Server account read and write permissions to any new server directories that you create after configuring your site.
- Read and write permissions to the location where your configuration store will be created.
- Read and write permissions to <ArcGIS Server installation directory>\arcgisserver\logs and permission to create this folder if you have not already manually created it.
- Read permissions to the directories containing the database connection files that you'll register with the server before publishing. If you'll be using Windows authentication instead of database authentication, you'll need to also grant the account write access.
- Read permissions to the GIS data folders that you'll register with the server before publishing. If you allow the publishing process to copy your data to the server (see Copying data to the server automatically when publishing), the data is placed in your server directories where the ArcGIS Server account was already granted permissions. You do not have to apply any more permissions to your original server directories.
When you create your site, the ArcGIS Server account is given permissions to read and write to the ArcGIS Server logs directory. If you create a new log location, you will need to manually grant the ArcGIS Server account read and write permissions to it.
The ArcGIS Server account does not need to be in the Administrators group on any machine in your site.
Changing the ArcGIS Server account
You don't need to rerun the ArcGIS Server installation to change the ArcGIS Server account. After you install, you can change the account by running the Configure ArcGIS Server Account utility, which is included with the software. You might do this to respond to a change in security policy or when troubleshooting your server.
It's recommended that you use this utility instead of trying to manually change the ArcGIS Server account with your operating system tools. The utility has been designed to apply permissions to all necessary directories (as explained above) across all the machines in your deployment. If you try to change the account manually and you make a mistake, you could experience server failure and downtime.
To change the ArcGIS Server account using the utility, follow these steps:
- On one GIS server in your site, browse to the utility from the Windows Start menu under ArcGIS > ArcGIS for Server > Configure ArcGIS Server Account.
- Specify the name and password for the account you want to designate as the ArcGIS Server account. Click Next.
- Optionally specify the root server directory and configuration store locations used by your ArcGIS Server site. For example
- If your root server directory and configuration store are available through local drive letter paths, and you specify these directories in the utility, the utility automatically grants the new account read and write permissions to the directories.
- If your root server directory and configuration store use network (UNC) paths, leave these fields empty and manually grant the new account read and write permissions to the directories after completing the utility.
- Optionally specify the logs directory location. If you enter a location, the utility automatically grants the new account read and write permissions to the directory. If you leave this field empty, you'll need to manually grant the new account read and write permissions to the directories on every GIS server in your deployment after completing the utility.
Note:
The logs directory is not related to the server directories or the configuration store location. If you change the location of the logs directory, try to keep the location at the root level of your GIS server. You cannot designate a network directory as the log location. For more information, see About server logs.
- Click Next.
- On the Export server configuration file dialog box, consider the following:
- If you only have one GIS server in your deployment, you can optionally save the configuration file. Be sure to store it in a secure location. Click Next.
- If you have multiple GIS servers in your deployment, export the configuration file. This saves you from reentering the information into the utility for the remaining machines in your site. In this manner, you can guarantee that the ArcGIS Server account is configured exactly the same on all the GIS servers in your site. Specify a secure location for the configuration file and click Next.
- On the summary panel, review the account properties and click Configure. Your new account is configured as the ArcGIS Server account. Close the utility.
- Run the utility on each of the remaining machines in your site. You can point the utility to the configuration file you created earlier or reenter the information you provided above.
- Grant the new account read permissions to the data directories and database connection files you've registered with the server. If you're using Windows authentication instead of database authentication, you'll need to also grant the account write access to the connection files. For instructions on how to do this, see Registering your data with ArcGIS Server using ArcGIS for Desktop.
Changing the ArcGIS Server account from the command line
You can alternatively change the ArcGIS Server account using the command line utility in <ArcGIS for Server installation location>\bin\ServerConfigurationUtility.exe. Updating the account might be a convenient action to script after applying updates to your organization's security policy.
The available parameters are as follows:
ServerConfigurationUtility [/readconfig] | [/writeconfig] | [/username] | [/password] | [/rsdir] | [/csdir] | [/logsdir]
- <readconfig>—Optional path to a configuration file you have saved from a previous run of the utility.
- <writeconfig>—Optional path where a configuration file will be saved so you can apply the same properties in future runs of the utility.
- <username>—The name to use for the ArcGIS Server account.
- <password>—The password for the ArcGIS Server account.
- <rsdir>—The path of the root server directory. This parameter is optional, but if you don't supply it, you'll need to manually grant the ArcGIS Server account read and write permissions to the root server directory.
- <csdir>—The configuration store directory. This parameter is optional, but if you don't supply it, you'll need to manually grant the ArcGIS Server account read and write permissions to the configuration store.
- <logsdir>—The path to the ArcGIS Server logs directory. This parameter is optional, but if you don't supply it, you'll need to manually grant the ArcGIS Server account read and write permissions to the logs directory.
Example: ServerConfigurationUtility /writeconfig c:\temp\myconfig.xml /username arcgisnew /password secret /rsdir c:\arcgisserver\directories /csdir c:\arcgisserver\config-store /logsdir c:\arcgisserver\logs
Specifying the locale of the ArcGIS Server account
The locale of the ArcGIS Server account is set to the locale of the Windows account specified during the installation. If no account is specified and the default is used (arcgis), the locale of the account is determined by your operating system settings. The locale is important, since all messages generated by the server, such as logs, are displayed in the locale of the ArcGIS Server account. To display the server's messages in a different language or format, you'll need to do the following:
- On the machine hosting ArcGIS Server, log in as the ArcGIS Server account.
- Open Control Panel and select Region and Language.
- Click the Formats tab and select the desired country from the Format drop-down list.
- Click the Keyboards and Languages tab and change the Display language to the desired language.
- Click the Administrative tab and select the desired system locale by clicking the Change system locale button.
- Click OK.