During operation, ArcGIS Monitor starts and stops processes, reads and writes configuration and log files in the Monitor installation location, and communicates between machines. To do these things securely, Monitor uses an operating system account that you specify when you install it. This is referred to as the ArcGIS Monitor account.
ArcGIS Monitor account uses
The ArcGIS Monitor account is used for the following:
- Start and stop processes that support ArcGIS Monitor.
- Read and write configuration and log messages to the installation directory.
- Inherit credentials to monitor specific components.
Note:
Certain components may require specific permissions for monitoring. Refer to the prerequisites section of the component type that you want to register for more information.
Note:
The ArcGIS Monitor account is not the same as the initial administrator account that you create when you first sign in to Monitor.
Designate the ArcGIS Monitor account
The ArcGIS Monitor account default name is arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it is recommended that you create a domain or Active Directory account before installing ArcGIS Monitor. If your organization's security policy requires passwords to expire, you must update the expired password for the ArcGIS Monitor account.
You can specify a local account or a domain account. You can export the setup configuration file when you install Monitor Server on the first machine in the deployment and use the configuration file when you install Monitor Agent on the other machines in the deployment. This ensures that the ArcGIS Monitor account is configured the same on all the machines in the deployment.
Domain account
A domain account is preferable for security purposes because the account is centrally managed.
When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the Monitor installation wizard creates a local account with the username you specified. If you specify a domain account that does not exist, or your login settings deny login rights to the machine where Monitor is installed, the installation returns an error. It is not necessary to grant Log on locally group policy settings to the ArcGIS Monitor account.
Learn more about using a domain account as the ArcGIS Monitor account
Local account
If you choose a local account, the local account and password must exist on the Monitor Server machine and on each ArcGIS Monitor Agent machine. They do not need to be identical. You can create the local account with the same password on each machine before installing ArcGIS Monitor, or you can allow the ArcGIS Monitor installation wizard to create the local account.
If you create a local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error. Consult the Microsoft documentation for the Windows version you are using to learn how to review the security policy on your machines.
Group managed service account
A group managed service account (gMSA) is an Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.
Using a gMSA provides a secure way of managing a service account when it governs software on multiple machines, such as a multiple-environment ArcGIS Monitor deployment. Because the gMSA works at the domain level, you can configure it to regularly change the service account password on each machine automatically.
You can configure Monitor services to run under a gMSA during the software installation.
Use the Windows LocalSystem account to run the ArcGIS Monitor service
You can use the Windows LocalSystem account to run the ArcGIS Monitor service; however, it is not recommended for the following reasons:
- The Windows LocalSystem account is highly privileged, which has security implications. Refer to the Microsoft Development Center for more information about the LocalSystem account.
- The LocalSystem account is not intended for accessing network locations and may impact monitoring capabilities.
ArcGIS Monitor account permissions
The ArcGIS Monitor installation grants permissions to the ArcGIS Monitor account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS Monitor installation directory and full control permissions to the following folders:
- <ArcGIS Monitor installation directory>\framework
- <ArcGIS Monitor installation directory>\bin
- C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent>
The ArcGIS Monitor account must be in the Windows Performance Monitor Users group, but does not need to be in the Windows Administrators group.
Change the ArcGIS Monitor account
You don't need to rerun the ArcGIS Monitor installation to change the ArcGIS Monitor account. After you install ArcGIS Monitor, you can change the account when responding to a change in security policy or when troubleshooting.
To change the ArcGIS Monitor account, complete the following steps:
- Sign in to the Monitor machine with an account that has access to the Monitor installation location.
- Back up the Monitor configuration store in the C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent> directory.
  <ArcGIS Monitor account username> represents the username of the current ArcGIS Monitor account.
- Copy the backup of the Monitor configuration store to the C:\Users\<ArcGIS Monitor account username>\AppData\Local\ESRI\ArcGISMonitor\config-store-<server or agent> directory.
  <ArcGIS Monitor account username> represents the username of the account that you want to use as the new ArcGIS Monitor account.
  Ensure that the new ArcGIS Monitor account retains full read/write permissions to the configuration store directory.
- Start the Windows Services tool.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service and click Properties.
- Click the Log On tab.
- Update the ArcGIS Monitor account username and password as necessary.
  Use domain\user syntax for domain user accounts.
  Note:
  All registered components that inherit credentials from the ArcGIS Monitor account will be updated to use the new credentials.
  If you designate a different user account as the ArcGIS Monitor account, it must have access to all components that were registered using inherited credentials and must meet their requirements for monitoring.
- Click Apply to save the changes.
- Click OK to close the dialog box.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service in Windows Services Manager and click Restart.
The service is restarted, and the ArcGIS Monitor account is updated to use the credentials that you provided.
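To confirm after this procedure that the service account still meets the requirements in the ArcGIS Monitor account permissions section (not LocalSystem, a member of Performance Monitor Users, full control on the listed folders), the following audit script can be run on each Monitor machine. It is an added example, not Esri tooling: `$InstallDir` is a placeholder, the services are matched by the display names shown in the Services tool, and the profile folder is assumed to be named after the account's username. It checks direct group members and ACEs naming the account itself only.

```powershell
# Added example, not Esri tooling. $InstallDir is a placeholder; set it to your install path.
param([string]$InstallDir = 'C:\path\to\ArcGISMonitor')

$fullControl = [Security.AccessControl.FileSystemRights]::FullControl

function Test-DirectMember($Sid, [string]$GroupSid) {
    # Direct members only; membership through a nested domain group is not resolved.
    [bool](Get-LocalGroupMember -SID $GroupSid | Where-Object { $_.SID.Value -eq $Sid.Value })
}

function Test-FullControl($Sid, [string]$Path) {
    # True only if an Allow ACE (explicit or inherited) names the account itself.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid.Value -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl
    })
}

# Assumption: the display names start with "ArcGIS Monitor" (Server or Agent), as on this page.
$services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'ArcGIS Monitor*' }

foreach ($svc in $services) {
    if ($svc.StartName -eq 'LocalSystem') {
        Write-Warning "$($svc.DisplayName) runs as LocalSystem (not recommended)"
        continue
    }
    # Win32_Service reports local accounts as .\name; expand the dot to the machine name.
    $account = $svc.StartName -replace '^\.\\', "$($env:COMPUTERNAME)\"
    $sid  = ([Security.Principal.NTAccount]$account).Translate([Security.Principal.SecurityIdentifier])
    $user = ($account -split '\\')[-1]

    # Assumption: the profile folder is named after the username, as in the path on this page.
    $store = Get-ChildItem -Directory -Path "C:\Users\$user\AppData\Local\ESRI\ArcGISMonitor" `
        -Filter 'config-store-*' -ErrorAction SilentlyContinue
    $paths = @("$InstallDir\framework", "$InstallDir\bin") + @($store.FullName)

    [pscustomobject]@{
        Service            = $svc.DisplayName
        Account            = $account
        InPerfMonitorUsers = Test-DirectMember $sid 'S-1-5-32-558'   # required
        InAdministrators   = Test-DirectMember $sid 'S-1-5-32-544'   # not required
        MissingFullControl = @($paths | Where-Object { $_ -and -not (Test-FullControl $sid $_) })
    }
}
```

An empty `MissingFullControl` list together with `InPerfMonitorUsers = True` matches what the installation grants; a folder listed there either does not exist at that path or grants the account access only through a group.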
Update an expired password for the ArcGIS Monitor account
If your organization's security policy requires passwords to expire, you must update the expired password for the ArcGIS Monitor account on each Monitor machine in the deployment.
To update an expired password for the ArcGIS Monitor account, complete the following steps:
- Sign in to the Monitor machine with an account that has access to the Monitor installation location.
- Start Windows Services Manager.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service and click Properties.
- Click the Log On tab.
- Update the ArcGIS Monitor account password.
  Note:
  All registered components that inherit credentials from the ArcGIS Monitor account will be updated to use the new password.
- Click Apply to save the changes.
- Click OK to close the dialog box.
- Right-click the ArcGIS Monitor Server or ArcGIS Monitor Agent service in Windows Services Manager and click Restart.
The service is restarted, and the ArcGIS Monitor account is updated to use the new password that you provided.