ArcGIS Server account
ArcGIS Server starts and stops processes, reads and writes data to locations on the file system, and communicates between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS Server. This is known throughout the documentation as the ArcGIS Server account.
When the ArcGIS Server account is used
The ArcGIS Server account is used for the following purposes:
Start and stop processes that support ArcGIS Server and services.
Read the GIS data behind your services when the registered database uses operating system authentication.
Read and write files to the ArcGIS Server directories. For example, when you create a map cache, the ArcGIS Server account writes the cache tiles into your server cache directory.
Read and write files to the configuration store.
Read and write files to the ArcGIS Server installation location and system temp directory. For example, the account writes log files that you can use to troubleshoot the server.
Read and write log messages to the logs directory.
Note:
The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Secure your ArcGIS Server site.
Which account to designate as the ArcGIS Server account
The ArcGIS Server account is the one you used when you installed the software. The installation makes this account the owner of all files that it places on the system. In a site with multiple ArcGIS Server machines, the user ID (UID) for the ArcGIS Server account should be the same across all machines so that they can access data, the configuration store, and the server directories using the same NFS permissions.
For security reasons, the root account cannot be used as the ArcGIS Server account and cannot be used to install the software.
The ArcGIS Server account requires no special permissions on the operating system other than file access to the data, configuration store, and server directories. The ArcGIS Server account does not need to be an administrator on the machine.
The ArcGIS Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it is recommended that you create a domain or Active Directory account prior to installing ArcGIS Server. If your organization's security policy requires passwords to expire, you must run the Configure service account utility to update the expired password.
Note:
For security reasons, use an account that is not a member of the Administrators group and that has minimal privileges.
You are allowed to specify a local account or a domain account. You can export the setup configuration file when you install ArcGIS Server on the first machine in your site and use the configuration file when you install ArcGIS Server on the other machines in your site. That way, you guarantee that the ArcGIS Server account is configured the same on all the machines in your site.
You can change the ArcGIS Server account after installation by using the Configure service account utility.
Domain account
A domain account allows you to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Server installation wizard creates a local account with the username you specified. If you specify a domain account that does not exist, the installation returns an error.
If your login settings deny login rights to the machine where ArcGIS Server is installed, you will encounter an error during the installation. It is not necessary to grant Log on locally group policy settings to the ArcGIS Server account. For more information, see Advanced considerations when using domain accounts.
Local account
If you choose a local account, the local account and password must exist on each machine in the ArcGIS Server site and be identical. You can create the local account with the same password on each machine before installing ArcGIS Server, or you can allow the ArcGIS Server installation wizard to create the local account, but be sure to use the same username and password on every machine in the site.
If you created a local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error.
To determine the password requirements on your local machine, open the Local Security Policy console. See the Microsoft Windows documentation for information on how to access your Local Security Policy.
Group managed service account
A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.
Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Server site. Because the gMSA works at the domain level, it can regularly change the service account password on each machine with no manual steps required.
The configureserviceaccount utility, which is described below, can be used to configure the ArcGIS Server service to run under a gMSA. For the username parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.
A sample command to configure a gMSA as the ArcGIS Server account:
configureserviceaccount.bat --username mydomain\enterprise-gmsa$ --writeconfig c:\temp\domainaccountconfig.xml
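An added PowerShell example (not Esri's own script) that checks, on each machine in the site, that the host is one of the predefined servers allowed to retrieve the gMSA password before switching the service over with the command above. The machine names, the gMSA name, the domain and the path to configureserviceaccount.bat are assumptions.

```powershell
# Added example, not part of the ArcGIS Server documentation.
# Assumes the ActiveDirectory PowerShell module (RSAT) is present on every site machine.
$Gmsa     = 'enterprise-gmsa'                           # assumed gMSA name (trailing $ optional)
$Domain   = 'mydomain'                                  # assumed NetBIOS domain name
$Machines = @('gis1', 'gis2', 'gis3')                   # assumed ArcGIS Server site members
$Tool     = 'C:\Program Files\ArcGIS\Server\tools\ConfigUtility\configureserviceaccount.bat'  # assumed path

foreach ($m in $Machines) {
    Invoke-Command -ComputerName $m -ScriptBlock {
        param($Gmsa, $Domain, $Tool)
        Import-Module ActiveDirectory

        # Install-ADServiceAccount caches the gMSA on this host. Test-ADServiceAccount
        # returns $false when this computer is not in the gMSA's allowed principals,
        # which is exactly the restriction the page describes.
        Install-ADServiceAccount -Identity $Gmsa -ErrorAction SilentlyContinue
        if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
            throw "$env:COMPUTERNAME is not permitted to retrieve the password for $Gmsa"
        }

        # No --password argument: the domain manages the gMSA password automatically.
        & $Tool --username "$Domain\${Gmsa}$" --writeconfig 'c:\temp\domainaccountconfig.xml'
        if ($LASTEXITCODE -ne 0) {
            throw "configureserviceaccount failed on $env:COMPUTERNAME (exit $LASTEXITCODE)"
        }
    } -ArgumentList $Gmsa, $Domain, $Tool
}
```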
Using the Windows native Local System account to run the ArcGIS Server service
It is not recommended that you use the Windows native Local System account to run the ArcGIS Server service for the following reasons:
The Windows LocalSystem account is highly privileged, and this has security implications. For details, see The LocalSystem Account in the Microsoft Development Center.
The LocalSystem account is not intended for accessing network locations. To access your service and site data using the LocalSystem account, you must store the data locally.
In a site with multiple machines, you cannot use LocalSystem as the ArcGIS Server account.
Permissions to grant to the ArcGIS Server account
The ArcGIS Server installation grants permissions to the ArcGIS Server account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS Server installation directory and full control permissions to the following folders:
<ArcGIS Server installation directory>\bin
<ArcGIS Server installation directory>\DatabaseSupport
<ArcGIS Server installation directory>\framework
<ArcGIS Server installation directory>\usr
Before you create your site, you must grant the ArcGIS Server account the following permissions:
Full control permissions to the location where your server directories will be created. Keep in mind that you must grant the ArcGIS Server account read and write permissions to any new server directories that you create after configuring your site.
Full control permissions to the location where your configuration store will be created.
Full control permissions to the directory that will contain ArcGIS Server logs and permission to create this folder if you have not already manually created it. This directory is C:\arcgisserver\logs by default.
Read permissions to the directories containing the database connection files that you register with the ArcGIS Server site before publishing web services. If you use Windows authentication instead of database authentication, you must also grant the ArcGIS Server account write access.
Read permissions to the GIS data folders that you'll register with the ArcGIS Server site before publishing web services. If you allow the publishing process to copy your data to the server (see Copy data to the server automatically when publishing), the data is placed in your server directories where the ArcGIS Server account was already granted permissions. You do not have to apply any more permissions to your original server directories.
When you create your site, the ArcGIS Server account is given permissions to read and write to the ArcGIS Server logs directory. If you create a new log location, you must manually grant the ArcGIS Server account read and write permissions to it.
The ArcGIS Server account does not need to be in the Windows Administrators group on any machine in your site.
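An added PowerShell example (not Esri's own script) that applies the permissions listed above before the site is created and then checks that the account is not a local administrator. The account name, the server directory, configuration store and data folder paths are assumptions; the log path is the page's default.

```powershell
# Added example, not part of the ArcGIS Server documentation.
$Account     = 'MYDOMAIN\arcgis-svc'                   # assumed ArcGIS Server account
$ServerDirs  = 'C:\arcgisserver\directories'           # assumed server directories location
$ConfigStore = 'C:\arcgisserver\config-store'          # assumed configuration store location
$LogDir      = 'C:\arcgisserver\logs'                  # default log location from the page
$DataFolders = @('D:\gisdata')                         # assumed registered GIS data folders
$ConnFolders = @('D:\dbconnections')                   # assumed database connection file folders
$UsesWindowsAuth = $false                              # set $true if the database uses Windows authentication

# Full control, inherited by subfolders (CI) and files (OI), on the locations the
# account must own outright: server directories, configuration store and logs.
foreach ($dir in @($ServerDirs, $ConfigStore, $LogDir)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    icacls $dir /grant "${Account}:(OI)(CI)F" /T | Out-Null
}

# Read and execute only on the registered GIS data folders.
foreach ($dir in $DataFolders) {
    icacls $dir /grant "${Account}:(OI)(CI)RX" /T | Out-Null
}

# Connection file folders: read by default, modify (M) only when Windows
# authentication requires the account to write to them.
$connRights = if ($UsesWindowsAuth) { 'M' } else { 'RX' }
foreach ($dir in $ConnFolders) {
    icacls $dir /grant "${Account}:(OI)(CI)$connRights" /T | Out-Null
}

# Least privilege check: the account does not need to be in Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $Account) {
    Write-Warning "$Account is a member of the local Administrators group; remove it before creating the site."
} else {
    Write-Output "$Account is not a local administrator."
}
```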
Specifying the locale of the ArcGIS Server account
The locale of the ArcGIS Server account is set to the locale of the Windows account specified during the installation. If no account is specified and the default is used (arcgis), the locale of the account is determined by your operating system settings. The locale is important, since all messages generated by ArcGIS Server, such as logs, are displayed in the locale of the ArcGIS Server account. To display the messages in a different language or format, change the display language for the ArcGIS Server account for each machine in your ArcGIS Server site. See the Microsoft documentation for specific instructions for the operating system version you are using.