The ArcGIS Server account

As ArcGIS Server does its work, it needs to start and stop processes, read and write data to locations on the file system, and communicate between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS for Server. This is known throughout the documentation as the ArcGIS Server account.

When is the ArcGIS Server account used?

The ArcGIS Server account is used for the following purposes:

Note:

The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Securing your ArcGIS Server site.

Which account should I designate as the ArcGIS Server account?

The ArcGIS Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it's recommended that you create a domain or Active Directory account prior to installing ArcGIS Server. If your organization's security policy requires passwords to expire, be aware that you will need to run the Configure ArcGIS Server Account utility to update the expired password.

You are allowed to specify a local account or a domain account. A recommended approach is to export the setup configuration file and reuse it on subsequent installations of ArcGIS Server. In this manner, you can guarantee that the ArcGIS Server account is configured exactly the same on all the GIS servers in your site.

Using a local account

If you've chosen a local account, the local account and password must exist on each GIS server and be identical. In a site with multiple GIS servers, each GIS server must use the same ArcGIS Server account.

If you specify a local account that doesn't exist, the installation creates the account for you.

Using a domain account

A domain account makes it easier to access data on remote systems. In many scenarios a domain account is also preferable for security purposes because the account is centrally managed.

If you specify a domain account that does not exist, the installation returns an error.

If your logon settings deny the account login rights to the machine where ArcGIS Server is installed, you will encounter an error during the installation. It is not necessary to grant the Log on locally group policy setting to the ArcGIS Server account. For more information, see Advanced considerations when using domain accounts.

I have a SOC account from a previous installation of ArcGIS Server. Can I designate this as the ArcGIS Server account?

Previous versions of ArcGIS Server required you to create an account called the SOC account and grant it permissions to all data folders. If you already have a SOC account and its permissions in place, you can specify it as the ArcGIS Server account if you choose. This can reduce or eliminate the reassigning of permissions you need to perform during migration.

Can I use Local System as the Log On As account for running ArcGIS Server?

People often ask if the ArcGIS Server Windows service can be configured to run under Windows’ native LocalSystem account. You can do this by right-clicking the ArcGIS Server service in the Windows Services dialog box and configuring the properties of the service such that it logs on as LocalSystem. When configuring the service in this manner, keep the following in mind:

  • The LocalSystem account is highly privileged with security implications that you need to be aware of. For details, see The LocalSystem Account in the Microsoft Development Center.
  • The LocalSystem account is not intended for accessing network locations. In order for the account to access your service and site data, the data will need to be stored locally.
  • In a site with multiple GIS servers, do not use LocalSystem as the ArcGIS Server account.

What permissions do I need to grant to the ArcGIS Server account?

The ArcGIS for Server installation grants permissions to the ArcGIS Server account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS for Server installation directory and full control permissions to the following folders:

Before you create your site, you should grant the ArcGIS Server account:

When you create your site, the ArcGIS Server account is given permissions to read and write to the ArcGIS Server logs directory. If you create a new log location, you will need to manually grant the ArcGIS Server account read and write permissions to it.

The ArcGIS Server account does not need to be in the Administrators group on any machine in your site.
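The three checks above (the service should not log on as LocalSystem, the account does not need to be a local Administrator, and it needs read and write access to the server directories, configuration store and logs directory) can be verified on each GIS server. The following PowerShell audit script is an added example and is not part of the Esri documentation; it assumes the Windows service is named ArcGIS Server (confirm with Get-Service on your machine) and uses placeholder directory paths that you replace with your site's own.

```powershell
# Added audit example, not from the Esri documentation.
# Assumptions (placeholders): the Windows service name is 'ArcGIS Server' and the
# three directories below are where this site keeps its server directories,
# configuration store and logs.
$ServiceName = 'ArcGIS Server'
$Paths = @(
    'C:\arcgisserver\directories',   # root server directory (placeholder)
    'C:\arcgisserver\config-store',  # configuration store (placeholder)
    'C:\arcgisserver\logs'           # logs directory (placeholder)
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
$account = $svc.StartName
Write-Host "Service '$ServiceName' logs on as: $account"

# Check 1: the service should not run as LocalSystem (see the LocalSystem section above).
if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    Write-Warning 'Service runs as LocalSystem: highly privileged and unable to reach network data.'
}

# Services store a local account as '.\name'; expand it to 'COMPUTERNAME\name' for ACL comparison.
$accountNt = $account -replace '^\.\\', "$env:COMPUTERNAME\"

# Check 2: the account should not be a direct member of the local Administrators group.
# (Nested group membership is not resolved here.)
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $accountNt) {
    Write-Warning "$accountNt is a member of local Administrators; this is not required."
}

# Check 3: the account needs at least Modify (read + write) on each directory.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
foreach ($p in $Paths) {
    if (-not (Test-Path -Path $p)) { Write-Warning "Missing directory: $p"; continue }
    $acl  = Get-Acl -Path $p
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $accountNt -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if ($rule) { Write-Host "OK      $p" } else { Write-Warning "No Modify ACE for $accountNt on $p" }
}
```

Run it in an elevated PowerShell session on every GIS server; the ACL check compares the identity name literally, so a right granted through a group the account belongs to is reported as missing and must be confirmed by hand.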

Changing the ArcGIS Server account

You don't need to rerun the ArcGIS Server installation to change the ArcGIS Server account. After you install, you can change the account by running the Configure ArcGIS Server Account utility that is included with the software. You might do this to respond to a change in security policy, or when troubleshooting your server.

It's recommended that you use this utility instead of trying to manually change the ArcGIS Server account with your operating system tools. The utility has been designed to apply permissions to all necessary directories (as explained above) across all the machines in your deployment. If you try to change the account manually and you make a mistake, you could experience server failure and downtime.

To change the ArcGIS Server account using the utility, follow these steps:

  1. On one GIS server in your site, browse to the utility from the Windows Start menu under ArcGIS > ArcGIS 10.1 for Server > Configure ArcGIS Server Account.
  2. Specify the name and password for the account you want to designate as the ArcGIS Server account. Click Next.
  3. Optionally, specify the root server directory and configuration store locations used by your ArcGIS Server site. For example:
    • If your root server directory and configuration store are available through local, drive letter paths, and you specify these directories in the utility, the utility automatically grants the new account read and write permissions to the directories.
    • If your root server directory and configuration store use network (UNC) paths, leave these fields empty and manually grant the new account read and write permissions to the directories after completing the utility.
  4. Optionally, specify the logs directory location. If you enter a location, the utility automatically grants the new account read and write permissions to the directory. If you leave this field empty, you'll need to manually grant the new account read and write permissions to the directories on every GIS server in your deployment after completing the utility.
    Note:

    The logs directory is not related to the server directories or the configuration store location. If you change the location of the logs directory, try to keep the location at the root level of your GIS server. You cannot designate a network directory as the log location. For more information, see About server logs.

  5. Click Next.
  6. On the Export server configuration file dialog box, consider the following:
    • If you only have one GIS server in your deployment, you can optionally save the configuration file. Be sure to store it in a secure location. Click Next.
    • If you have multiple GIS servers in your deployment, export the configuration file. This saves you from reentering the information into the utility for the remaining machines in your site. In this manner, you can guarantee that the ArcGIS Server account is configured exactly the same on all the GIS servers in your site. Specify a secure location for the configuration file and click Next.
  7. On the summary panel, review the account properties and click Configure. Your new account is configured as the ArcGIS Server account. Close the utility.
  8. Run the utility on each of the remaining machines in your site. You can point the utility to the configuration file you created earlier, or reenter the information you provided above.
  9. Grant the new account read permissions to the data directories and database connection files you've registered with the server. If you're using Windows authentication instead of database authentication, you'll need to also grant the account write access to the connection files. For instructions on how to do this, see Registering your data with ArcGIS Server using ArcGIS for Desktop.

Changing the ArcGIS Server account from the command line

You can alternatively change the ArcGIS Server account using the command line utility in <ArcGIS for Server installation location>\bin\ServerConfigurationUtility.exe. Updating the account might be a convenient action to script after applying updates to your organization's security policy.

The available parameters are as follows:

ServerConfigurationUtility [/readconfig] | [/writeconfig] | [/username] | [/password] | [/rsdir] | [/csdir] | [/logsdir]

  • <readconfig>—Optional path to a configuration file that you have saved from a previous run of the utility
  • <writeconfig>—Optional path where a configuration file will be saved so that you can apply the same properties in future runs of the utility
  • <username>—The name to use for the ArcGIS Server account
  • <password>—The password for the ArcGIS Server account
  • <rsdir>—The path of the root server directory. This parameter is optional, but if you don't supply it you'll need to manually grant the ArcGIS Server account read and write permissions to the root server directory.
  • <csdir>—The configuration store directory. This parameter is optional, but if you don't supply it you'll need to manually grant the ArcGIS Server account read and write permissions to the configuration store.
  • <logsdir>—The path to the ArcGIS Server logs directory. This parameter is optional, but if you don't supply it you'll need to manually grant the ArcGIS Server account read and write permissions to the logs directory.

Example: ServerConfigurationUtility /writeconfig c:\temp\myconfig.xml /username arcgisnew /password secret /rsdir c:\arcgisserver\directories /csdir c:\arcgisserver\config-store /logsdir c:\arcgisserver\logs
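The example above places the password in the command line, where it lands in shell history and in the process list while the utility runs. The following PowerShell wrapper is an added example, not part of the Esri documentation: it prompts for the password instead of hard-coding it, runs ServerConfigurationUtility.exe for the logs directory, and then grants the account Modify rights on UNC-based server directories with icacls, as step 3 above requires for network paths. The installation directory, the UNC share names, the account name and the assumption that the utility returns a non-zero exit code on failure are all placeholders or assumptions.

```powershell
# Added example, not from the Esri documentation.
# Assumptions (placeholders): install location, UNC share paths, account name, and that
# ServerConfigurationUtility.exe sets a non-zero exit code when it fails.
param(
    [string]$InstallDir = 'C:\Program Files\ArcGIS\Server',
    [Parameter(Mandatory)][string]$Account,   # e.g. CONTOSO\arcgis-svc (placeholder)
    [string[]]$UncDirs = @(
        '\\fileserver\arcgisserver\directories',   # root server directory on a share (placeholder)
        '\\fileserver\arcgisserver\config-store'   # configuration store on a share (placeholder)
    ),
    [string]$LogsDir   = 'C:\arcgisserver\logs',  # logs must be local (see the note above)
    [string]$ConfigOut = "$env:ProgramData\arcgis-account-config.xml"
)
$ErrorActionPreference = 'Stop'

$utility = Join-Path $InstallDir 'bin\ServerConfigurationUtility.exe'
if (-not (Test-Path -Path $utility)) { throw "Utility not found: $utility" }

# Prompt for the password so it never sits in the script file or the shell history.
$secure = Read-Host -Prompt "Password for $Account" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# /rsdir and /csdir are deliberately omitted because those directories are on UNC paths;
# the utility only applies permissions to local drive-letter paths.
& $utility /writeconfig $ConfigOut /username $Account /password $plain /logsdir $LogsDir
if ($LASTEXITCODE -ne 0) { throw "ServerConfigurationUtility exited with code $LASTEXITCODE" }
Remove-Variable -Name plain

# Grant Modify (read + write) on the UNC directories. (OI)(CI) makes the ACE inherit to
# files and subfolders so content created later by the server is covered too.
foreach ($dir in $UncDirs) {
    & icacls.exe $dir /grant "${Account}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $dir" }
}

# The exported configuration file is meant to be reused on the other GIS servers and must be
# stored securely: drop inherited ACEs and leave access to Administrators and SYSTEM only.
& icacls.exe $ConfigOut /inheritance:r /grant 'Administrators:F' 'SYSTEM:F'
Write-Host "Account $Account configured; reuse $ConfigOut with /readconfig on the remaining servers."
```

The password is still passed to the utility as an argument, so it is visible in the process list for the seconds the utility runs; the wrapper removes it from the persistent places (script text, history, exported transcript) but not from that window. Run the script elevated, then repeat on each remaining GIS server with /readconfig pointing at the exported file.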

12/13/2012