As ArcGIS Server does its work, it needs to start and stop processes, read and write data to locations on the file system, and communicate between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS Server. This is known throughout the documentation as the ArcGIS Server account.
When is the ArcGIS Server account used?
The ArcGIS Server account is used for the following purposes:
- Start and stop processes that support ArcGIS Server and services.
- Read the GIS data behind your services when the registered database uses operating system authentication.
- Read and write files to the ArcGIS Server directories; for example, when you create a map cache, the ArcGIS Server account writes the cache tiles into your server cache directory.
- Read and write files to the configuration store.
- Read and write files to the ArcGIS Server installation location and system temp directory; for example, the account writes log files that you can use to troubleshoot the server.
- Read and write log messages to the logs directory.
Note:
The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Secure your ArcGIS Server site.
Which account should I designate as the ArcGIS Server account?
The ArcGIS Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, Esri recommends that you create a domain or Active Directory account prior to installing ArcGIS Server. If your organization's security policy requires passwords to expire, you must run the Configure ArcGIS Server Account utility to update the expired password.
You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Server on the first machine in your site and use the configuration file when you install ArcGIS Server on the other machines in your site. That way, you guarantee that the ArcGIS Server account is configured exactly the same on all the machines in your site.
Domain account
A domain account makes it easier to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Server installation wizard creates a local account with the user name you specified. If you specify a domain account that does not exist, the installation returns an error.
If your logon settings deny login rights to the machine where ArcGIS Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Server account. For more information, see Advanced considerations when using domain accounts.
Local account
If you chose a local account, the local account and password must exist on each machine in the ArcGIS Server site and be identical. You can create the local account with the same password on each machine before installing ArcGIS Server, or you can let the ArcGIS Server installation wizard create the local account; just be sure to use the same user name and password on every machine in the site.
If you created a local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version of Windows you are using to learn how to check the security policy on your machines.
Group managed service account
A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.
Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Server site. Because the gMSA works at the domain level, it is able to regularly change the service account password on each machine with no manual steps required.
The ServerConfigurationUtility command line tool, which is described below, can be used to configure the ArcGIS Server service to run under a gMSA. For the user name parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.
A sample command to configure a gMSA as the ArcGIS Server account:
ServerConfigurationUtility.exe /username mydomain\enterprise-gmsa$ /writeconfig c:\temp\domainaccountconfig.xml
Can I use the Windows native Local System account to run the ArcGIS Server service?
Yes; however, it is not recommended for the following reasons:
- The Windows LocalSystem account is highly privileged, and this has security implications. For details, see The LocalSystem Account in the Microsoft Development Center.
- The LocalSystem account is not intended for accessing network locations. To access your service and site data using the LocalSystem account, you must store the data locally.
- In a site with multiple machines, you cannot use LocalSystem as the ArcGIS Server account.
What permissions do I need to grant to the ArcGIS Server account?
The ArcGIS Server installation grants permissions to the ArcGIS Server account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS Server installation directory and full control permissions to the following folders:
- <ArcGIS Server installation directory>\framework
- <ArcGIS Server installation directory>\usr
- <ArcGIS Server installation directory>\bin
- <ArcGIS Server installation directory>\XMLSchema
- <ArcGIS Server installation directory>\DatabaseSupport
Before you create your site, you should grant the ArcGIS Server account the following permissions:
- Full control permissions to the location where your server directories will be created. Keep in mind that you must grant the ArcGIS Server account read and write permissions to any new server directories that you create after configuring your site.
- Full control permissions to the location where your configuration store will be created.
- Full control permissions to the directory that will contain ArcGIS Server logs and permission to create this folder if you have not already manually created it. This directory is C:\arcgisserver\logs by default.
- Read permissions to the directories containing the database connection files that you register with the ArcGIS Server site before publishing web services. If you use Windows authentication instead of database authentication, you must also grant the ArcGIS Server account write access.
- Read permissions to the GIS data folders that you'll register with the ArcGIS Server site before publishing web services. If you allow the publishing process to copy your data to the server (see Copy data to the server automatically when publishing), the data is placed in your server directories where the ArcGIS Server account was already granted permissions. You do not have to apply any more permissions to your original server directories.
When you create your site, the ArcGIS Server account is given permissions to read and write to the ArcGIS Server logs directory. If you create a new log location, you need to manually grant the ArcGIS Server account read and write permissions to it.
The ArcGIS Server account does not need to be in the Windows Administrators group on any machine in your site.
Change the ArcGIS Server account
You don't need to rerun the ArcGIS Server installation to change the ArcGIS Server account. After you install, you can change the account by running the Configure ArcGIS Server Account utility, which is included with the software. You might do this to respond to a change in security policy or when troubleshooting your server.
Use this utility instead of trying to manually change the ArcGIS Server account with your operating system tools. The utility is designed to apply permissions to all necessary directories (as explained above), except for the Python 2.7 directory, across all the machines in your deployment. If you change the account manually and make a mistake, you could experience server failure and downtime.
Note:
The Configure ArcGIS Server Account utility tool does not grant permission for the Python 2.7 directory. You must manually grant permission on the Python 2.7 directory after using the utility.
To change the ArcGIS Server account using the utility, follow these steps:
- On one machine in your ArcGIS Server site, open the Configure ArcGIS Server Account utility.
- Specify the name and password for the account you want to designate as the ArcGIS Server account. Click Next.
- Optionally, specify the root server directory and configuration store locations used by your ArcGIS Server site. For example
- If your root server directory and configuration store are available through local drive letter paths, and you specify these directories in the utility, the utility automatically grants the new account read and write permissions to the directories.
- If your root server directory and configuration store use network (UNC) paths, leave these fields empty and manually grant the new account read and write permissions to the directories after completing the utility.
- Optionally, specify the logs directory location. If you enter a location, the utility automatically grants the new account read and write permissions to the directory. If you leave this field empty, you must manually grant the new account read and write permissions to the directories on every machine in your ArcGIS Server site after completing the utility.
Note:
The logs directory is not related to the server directories or the configuration store location. If you change the location of the logs directory, try to keep the location at the root level of your ArcGIS Server site. You cannot designate a network directory as the log location. For more information, see About server logs.
- Click Next.
- On the Export server configuration file dialog box, consider the following:
- If you have multiple machines in your ArcGIS Server site, export the configuration file. This saves you from reentering the information into the utility for the remaining machines in your site. In this manner, you can guarantee that the ArcGIS Server account is configured exactly the same on all the machines in your site. Specify a secure location for the configuration file and click Next.
- You can export and save the configuration file if you only have one machine in your ArcGIS Server site, you can optionally save the configuration file. Be sure to store it in a secure location and click Next.
- On the summary panel, review the account properties and click Configure. Your new account is configured as the ArcGIS Server account. Close the utility.
- Run the utility on each of the remaining machines in your site. You can point the utility to the configuration file you created earlier or reenter the information you provided above.
- Grant the new account read permissions to the data directories and database connection files you registered with the ArcGIS Server site. If you use Windows authentication instead of database authentication, you need to also grant the account write access to the connection files.
Changing the ArcGIS Server account from the command line
Rather than run the Configure ArcGIS Server Account utility wizard, you can run the executable from a command prompt. The ServerConfigurationUtility.exe command line utility is installed in <ArcGIS Server installation location>\bin. You can script updates to the ArcGIS Server account after applying updates to your organization's security policy.
The available parameters are as follows:
ServerConfigurationUtility /readconfig /writeconfig /username /password /rsdir /csdir /logsdir
- /readconfig—Optional path to a configuration file you have saved from a previous run of the utility.
- /writeconfig—Optional path where a configuration file will be saved so you can apply the same properties in future runs of the utility.
- /username—The name to use for the ArcGIS Server account.
- /password—The password for the ArcGIS Server account.
- /rsdir—The path of the root server directory. This parameter is optional, but if you don't supply it, you must manually grant the ArcGIS Server account read and write permissions to the root server directory.
- /csdir—The configuration store directory. This parameter is optional, but if you don't supply it, you must manually grant the ArcGIS Server account read and write permissions to the configuration store.
- /logsdir—The path to the ArcGIS Server logs directory. This parameter is optional, but if you don't supply it, you must manually grant the ArcGIS Server account read and write permissions to the logs directory.
Example: ServerConfigurationUtility /writeconfig c:\temp\myconfig.xml /username arcgisnew /password secret /rsdir c:\arcgisserver\directories /csdir c:\arcgisserver\config-store /logsdir c:\arcgisserver\logs
Specifying the locale of the ArcGIS Server account
The locale of the ArcGIS Server account is set to the locale of the Windows account specified during the installation. If no account is specified and the default is used (arcgis), the locale of the account is determined by your operating system settings. The locale is important, since all messages generated by ArcGIS Server, such as logs, are displayed in the locale of the ArcGIS Server account. To display the messages in a different language or format, change the display language for the ArcGIS Server account for each machine in your ArcGIS Server site. See Microsoft documentation for specific instructions for the operating system version you are using.