During ArcGIS Monitor operation, it starts and stops processes, reads and writes configuration and log files to the Monitor installation location, and communicates between machines. To do these things securely, Monitor uses an operating system account that you specify when you install it. This is referred to as the ArcGIS Monitor account.
ArcGIS Monitor account uses
The ArcGIS Monitor account is used for the following:
- Start and stop processes that support ArcGIS Monitor.
- Read and write configuration and log messages to the installation directory.
- Inherit credentials to remotely monitor specific components.
The ArcGIS Monitor account is not the same as the initial administrator account that you create when you first sign in to Monitor.
Designate the ArcGIS Monitor account
The ArcGIS Monitor account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it is recommended that you create a domain or Active Directory account prior to installing ArcGIS Monitor. If your organization's security policy requires passwords to expire, you must use the ArcGIS Monitor Account Utility to update the expired password.
You can specify a local account or a domain account. You can export the setup configuration file when you install Monitor Server on the first machine in your deployment and use the configuration file when you install Monitor Agent on the other machines in your deployment. That way, you guarantee that the ArcGIS Monitor account is configured the same on all the machines in your deployment.
A domain account allows you to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the Monitor installation wizard creates a local account with the username you specified. If you specify a domain account that does not exist, or your login settings deny login rights to the machine where Monitor is installed, the installation returns an error. It is not necessary to grant Log on locally group policy settings to the ArcGIS Monitor account.
If you choose a local account, the local account and password must exist on the Monitor Server machine and on each ArcGIS Monitor Agent machine. They do not need to be identical. You can create the local account with the same password on each machine before installing ArcGIS Monitor, or you can allow the ArcGIS Monitor installation wizard to create the local account.
If you create a local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the version of Windows you are using to learn how to check the security policy on your machines.
Group managed service account
A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.
Using a gMSA provides a secure way of managing a service account when it governs software on multiple machines, such as a multiple-environment ArcGIS Monitor deployment. Because the gMSA works at the domain level, it can be configured to regularly change the service account password on each machine automatically.
You can configure Monitor services to run under a gMSA during the software installation.
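The following is an added example (not part of the Esri documentation) of provisioning such a gMSA with the ActiveDirectory module so that only the Monitor Server and Agent hosts can retrieve its password. The group name, account name, host names and domain are placeholders.

```powershell
# Added example: provision a gMSA restricted to the ArcGIS Monitor hosts.
# MonitorHosts, svcArcGISMon, MONITOR-SRV01/MONITOR-AGT01 and corp.example.com are placeholders.
Import-Module ActiveDirectory

# A KDS root key must exist once per forest before any gMSA can be created.
# Even with -EffectiveImmediately it takes about 10 hours to become usable on all DCs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only the computer accounts in this group may retrieve the managed password,
# which is what limits the gMSA to a predefined set of servers.
$hosts = New-ADGroup -Name 'MonitorHosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $hosts -Members 'MONITOR-SRV01$', 'MONITOR-AGT01$'

# The domain rotates the password automatically every 30 days; no one ever knows it.
New-ADServiceAccount -Name 'svcArcGISMon' `
    -DNSHostName 'svcArcGISMon.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# On each Monitor host, after it has picked up its new group membership (reboot):
#   Install-ADServiceAccount -Identity 'svcArcGISMon'
#   Test-ADServiceAccount    -Identity 'svcArcGISMon'   # True = host can retrieve the password
# The service then logs on as CORP\svcArcGISMon$ (trailing $) with an empty password field.
```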
Using the Windows LocalSystem account to run the ArcGIS Monitor service
You can use the Windows LocalSystem account to run the ArcGIS Monitor service; however, it is not recommended for the following reasons:
- The Windows LocalSystem account is highly privileged, and this has security implications. Refer to the Microsoft Development Center for more information about the LocalSystem account.
- The LocalSystem account is not intended for accessing network locations and may impact remote monitoring capabilities.
ArcGIS Monitor account permissions
The ArcGIS Monitor installation grants permissions to the ArcGIS Monitor account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS Monitor installation directory and full control permissions to the following folders:
- <ArcGIS Monitor installation directory>\framework
- <ArcGIS Monitor installation directory>\bin
- C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent>
The ArcGIS Monitor account does not need to be in the Windows Administrators group.
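As an added example (not Esri's code), the script below audits a Monitor machine against the permissions listed in this section: read access on the installation directory, full control on the three folders, and no membership in the local Administrators group. The installation path, account name and role are placeholders.

```powershell
# Added example: audit the ArcGIS Monitor account's file permissions and group membership.
$installDir = 'C:\Program Files\ArcGIS\Monitor'   # placeholder: actual install location
$account    = 'CORP\svcArcGISMon'                 # placeholder: the ArcGIS Monitor account
$role       = 'server'                            # 'server' or 'agent'
$user       = ($account -split '\\')[-1]

# Folders where the installer grants full control (from the documentation above).
$fullControl = @(
    (Join-Path $installDir 'framework'),
    (Join-Path $installDir 'bin'),
    "C:\Users\$user\AppData\Local\ESRI\ArcGISMonitor\config-store-$role"
)

# Returns the Allow rights granted directly to $Identity (inherited ACEs included).
# Rights granted through a group the account belongs to are not resolved here.
function Get-DirectRights([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Identity -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights }
}

foreach ($dir in @($installDir) + $fullControl) {
    if (-not (Test-Path $dir)) { "MISSING  $dir"; continue }
    $rights    = Get-DirectRights -Path $dir -Identity $account
    $needsFull = $fullControl -contains $dir
    $ok = if ($needsFull) { [bool]($rights -match 'FullControl') } else { [bool]($rights -match 'Read') }
    '{0,-8} {1}  [{2}]' -f $(if ($ok) { 'OK' } else { 'CHECK' }), $dir, ($rights -join ', ')
}

# The account does not need, and should not have, local administrator rights.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $account) {
    Write-Warning "$account is in the local Administrators group; the installer does not require this."
}
```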
Change the ArcGIS Monitor account
You don't need to rerun the ArcGIS Monitor installation to change the ArcGIS Monitor account. After you install ArcGIS Monitor, you can change the account. You can do this to respond to a change in security policy or when troubleshooting.
To change the ArcGIS Monitor account, complete these steps:
- Sign in to the Monitor machine with an account that has access to the Monitor installation location.
- Back up the Monitor configuration store in the C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent> directory, where <ArcGIS Monitor account username> represents the username of the current ArcGIS Monitor account.
- Copy the backup of the Monitor configuration store to the C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent> directory, where <ArcGIS Monitor account username> represents the username of the account that you want to use as the new ArcGIS Monitor account.
Ensure that the new ArcGIS Monitor account retains full read/write permissions to the configuration store directory.
- Start the Windows Services manager.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service and click Properties.
- Click the Log On tab.
- Update the ArcGIS Monitor account's username and password as necessary.
Use domain\user syntax for remote user accounts.
All registered components that inherit credentials from the ArcGIS Monitor account are also updated to use the credentials that you provide.
If you designate a different user account as the ArcGIS Monitor account, it must have access to all components that were registered using inherited credentials and must meet their requirements for monitoring.
- Click Apply to save the changes.
- Click OK to close the dialog box.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service in the Windows Services manager and click Restart.
The service is restarted, and the ArcGIS Monitor account is updated to use the credentials that you provided.
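The same procedure can be scripted. The following is an added example, not Esri's own tooling: it backs up the configuration store, copies it into the new account's profile, grants that account full control, changes the service's Log On identity and restarts the service. The account names and role are placeholders, and the service is located by the display name given in the steps above because the internal service name is not documented here.

```powershell
# Added example: change the ArcGIS Monitor account without rerunning the installer.
$oldUser = 'arcgis'                 # placeholder: current ArcGIS Monitor account (local)
$newAcct = 'CORP\svcArcGISMon'      # placeholder: new account, DOMAIN\user syntax
$role    = 'server'                 # 'server' or 'agent'
$newPass = Read-Host -AsSecureString 'Password for the new ArcGIS Monitor account'

$display = if ($role -eq 'server') { 'ArcGIS Monitor Server' } else { 'ArcGIS Monitor Agent' }
$svcName = (Get-Service -DisplayName $display).Name

$newUser  = ($newAcct -split '\\')[-1]
$store    = "AppData\Local\ESRI\ArcGISMonitor\config-store-$role"
$oldStore = "C:\Users\$oldUser\$store"
$newStore = "C:\Users\$newUser\$store"      # the new account's profile must already exist
$backup   = "C:\Backups\config-store-$role-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

Stop-Service -Name $svcName

# 1. Back up the configuration store, then copy it into the new account's profile.
New-Item -ItemType Directory -Path $backup, $newStore -Force | Out-Null
Copy-Item -Path "$oldStore\*" -Destination $backup   -Recurse -Force
Copy-Item -Path "$oldStore\*" -Destination $newStore -Recurse -Force

# 2. The new account needs full control of the store; (OI)(CI) inherits to files and subfolders.
icacls $newStore /grant "${newAcct}:(OI)(CI)F" /T | Out-Null

# 3. Change the service's Log On identity (what the Services manager Log On tab does).
#    Unlike the Services manager, this does not grant "Log on as a service"; assign that
#    right via Local Security Policy or Group Policy if the account lacks it.
$plain  = [System.Net.NetworkCredential]::new('', $newPass).Password
$result = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" |
    Invoke-CimMethod -MethodName Change -Arguments @{ StartName = $newAcct; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($result.ReturnValue)" }

# 4. Restart; components registered with inherited credentials now use the new account.
Start-Service -Name $svcName
Get-Service -Name $svcName | Select-Object Name, Status
```

For a gMSA, pass `CORP\svcArcGISMon$` as `StartName` and an empty string as `StartPassword`.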