How To: Configure ArcGIS Enterprise to use a group-managed Service Account
A Managed Service Account (MSA) is a managed domain account commonly used to increase the security of Windows service accounts.
Windows services can be configured to run as these accounts without anyone needing to enter or change the password. Active Directory manages and rotates the password on a regular basis (every 30 days by default), so an administrator never has to handle it. The MSA is treated as a domain account and can be granted rights to files, folders, and domain resources, but it cannot be used for an interactive login by a human user.
There are two types of MSAs: standalone MSAs and group MSAs. A standalone MSA is restricted to use on a single machine, while a group MSA can be used on a group of machines. This document outlines how to configure ArcGIS Enterprise to use a group MSA to run the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store services on Windows.
Group MSAs are only available in Windows Server 2012 and higher. This document assumes the MSA has already been created and that the server machines hosting ArcGIS Enterprise have been granted rights to use it.
Instructions for creating the MSA can be found in the Microsoft documentation: Getting Started with Group Managed Service Accounts.
Note: The workflow outlined below is only for ArcGIS Enterprise 10.7.1 and prior. For changing the account running ArcGIS Enterprise in versions 10.8 and later, refer to the following documentation for each of the respective products:
Note: The sample group MSA used in these steps is domain\ArcGIS_MSA.
1. Install the ArcGIS Enterprise deployment using a regular local or domain account. The folders listed in step 3 below assume the ArcGIS Server site and portal website have already been created, but the change of Windows service account can also be made between installation and configuration, if desired.
2. Test whether the group MSA is ready for use on the server by running the following command in PowerShell on that server:
    Test-ADServiceAccount -Identity ArcGIS_MSA
If this returns True, the group MSA is ready. If this returns False, the server's computer account may still need to be added to the principals allowed to use the MSA, or the server must be restarted for the change in Active Directory to take effect. If the command is not recognized, install the Active Directory PowerShell module (part of the RSAT tools) with the following command:
    Add-WindowsFeature -Name RSAT-AD-PowerShell
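A False result from Test-ADServiceAccount says only that the host could not retrieve the managed password, not why. The PowerShell snippet below is an added example, not part of the original article, that lists which principals Active Directory allows to retrieve the gMSA's password and checks whether this host is among them, either directly or through a group. It assumes the RSAT Active Directory module is installed, a domain-joined host, and the sample account name ArcGIS_MSA from the article; the messages it prints are this example's own.

```powershell
# Added example (not from the original article): explain a False result from
# Test-ADServiceAccount by checking who may retrieve the gMSA's managed password.
# Assumes RSAT-AD-PowerShell is installed and the sample gMSA name from the article.
$MsaName = 'ArcGIS_MSA'

Import-Module ActiveDirectory

# A True result means this host already retrieved the managed password; nothing else to check.
if (Test-ADServiceAccount -Identity $MsaName) {
    Write-Host "gMSA '$MsaName' is ready for use on $env:COMPUTERNAME"
    return
}

# Principals (computer accounts or groups) authorised to retrieve the password, as DNs.
$msa     = Get-ADServiceAccount -Identity $MsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($msa.PrincipalsAllowedToRetrieveManagedPassword)
Write-Host "Principals allowed to retrieve the password for '$MsaName':"
$allowed | ForEach-Object { Write-Host "  $_" }

# This host's own DN plus the DN of every group its computer account belongs to.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$mine     = @($computer.DistinguishedName) +
            @(Get-ADPrincipalGroupMembership -Identity $computer | Select-Object -ExpandProperty DistinguishedName)

$authorised = @($allowed | Where-Object { $mine -contains $_ })
if ($authorised.Count -eq 0) {
    Write-Warning "$env:COMPUTERNAME is not authorised (directly or via a group) to use '$MsaName'."
    Write-Warning "Add the computer account, or a group containing it, on the AD side and retry."
} else {
    Write-Host "$env:COMPUTERNAME is authorised via: $($authorised -join ', ')"
    # Group membership granted after the machine's Kerberos ticket was issued is not
    # visible until the ticket is renewed, which is why the article suggests a restart.
    Write-Host "Run 'Install-ADServiceAccount -Identity $MsaName' and re-test, or restart the server."
}
```

Run it in an elevated session on the ArcGIS server itself: the authorisation check is per host, so a result from another machine says nothing about this one.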
3. Update Windows permissions to grant the domain\ArcGIS_MSA$ service account access to the files and folders listed below. The "$" at the end of the account name tells Windows that it is a service account and not a regular user account. In some cases, Service Accounts must be selected under Object Types before Windows can find the MSA, as shown in the image below.
Update folder permissions in ArcGIS Server for "domain\ArcGIS_MSA$":
- Grant read only on folder C:\Program Files\arcgis\server\
- Grant full control on folder C:\Program Files\arcgis\server\framework\
- Grant full control on folder C:\Program Files\arcgis\server\usr\
- Grant full control on folder C:\Program Files\arcgis\server\bin\
- Grant full control on folder C:\Program Files\arcgis\server\XMLSchema\
- Grant full control on folder C:\Program Files\arcgis\server\DatabaseSupport\
- Grant full control on folder C:\arcgisserver\ (or wherever the config-store and server directories are located)
Update folder permissions in Portal for ArcGIS for "domain\ArcGIS_MSA$":
- Grant read only on folder C:\Program Files\arcgis\portal\
- Grant full control on folder C:\Program Files\arcgis\portal\apps\
- Grant full control on folder C:\Program Files\arcgis\portal\customizations\
- Grant full control on folder C:\Program Files\arcgis\portal\etc\
- Grant full control on folder C:\Program Files\arcgis\portal\framework\
- Grant full control on folder C:\Program Files\arcgis\portal\tools\
- Grant full control on folder C:\Program Files\arcgis\portal\usr\
- Grant full control on folder C:\arcgisportal\ (or wherever the content, index, db, and temp directories are located)
Update folder permissions in ArcGIS Data Store for "domain\ArcGIS_MSA$":
- Grant full control on folder C:\Program Files\arcgis\datastore\
- Grant full control on folder C:\arcgisdatastore\ (or wherever the ArcGIS Data Store content directory is located)
4. Update the Log On As account for each of the ArcGIS Enterprise Windows services:
- ArcGIS Data Store
- ArcGIS Server
- Portal for ArcGIS
Double-click the service to open the service properties, click the Log On tab, and enter the group MSA account without specifying any password. The account must have a “$” at the end to indicate it is a service account. Click OK, and restart each service for the changes to take effect.
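As an added example, not code from Esri or from the original article, the PowerShell script below carries steps 3 and 4 through on one machine: it grants the folder rights listed in step 3 with icacls, switches the three services to the gMSA with an empty password, restarts them, and then prints what is actually in place so the result can be compared against the list. It assumes the sample account domain\ArcGIS_MSA$, the default install locations from step 3, an elevated PowerShell session, and that the services can be found by the display names shown in step 4; the article's "read only" entries are applied as the icacls R right.

```powershell
# Added example (not from Esri or the original article): apply steps 3 and 4 for a
# gMSA on this machine and then report what is in place.
# Assumes: the sample account below, the article's default folder locations, an
# elevated session, and services found by the display names from step 4.
$Account = 'domain\ArcGIS_MSA$'   # the trailing $ is part of the gMSA's account name

# Folders from step 3. R = read only, F = full control (icacls notation).
$ReadOnly = @(
    'C:\Program Files\arcgis\server',
    'C:\Program Files\arcgis\portal'
)
$FullControl = @(
    'C:\Program Files\arcgis\server\framework', 'C:\Program Files\arcgis\server\usr',
    'C:\Program Files\arcgis\server\bin',       'C:\Program Files\arcgis\server\XMLSchema',
    'C:\Program Files\arcgis\server\DatabaseSupport', 'C:\arcgisserver',
    'C:\Program Files\arcgis\portal\apps',      'C:\Program Files\arcgis\portal\customizations',
    'C:\Program Files\arcgis\portal\etc',       'C:\Program Files\arcgis\portal\framework',
    'C:\Program Files\arcgis\portal\tools',     'C:\Program Files\arcgis\portal\usr',
    'C:\arcgisportal', 'C:\Program Files\arcgis\datastore', 'C:\arcgisdatastore'
)
$ServiceDisplayNames = @('ArcGIS Data Store', 'ArcGIS Server', 'Portal for ArcGIS')

# Add an inheritable Allow ACE for the gMSA; existing ACEs are left untouched.
function Grant-FolderAccess {
    param([string]$Path, [ValidateSet('R', 'F')][string]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Skipping missing folder $Path"; return }
    # (OI)(CI) make the ACE inherit to files and subfolders under $Path
    & icacls.exe $Path /grant "${Account}:(OI)(CI)$Rights" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $Path (exit code $LASTEXITCODE)" }
}

# Point a service at the gMSA. StartPassword is empty on purpose: the host retrieves
# the managed password from Active Directory itself, which is the point of an MSA.
function Set-ServiceGmsaLogon {
    param([string]$DisplayName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { Write-Warning "Service '$DisplayName' not found"; return }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $Account; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Change failed for '$DisplayName' (Win32_Service return code $($result.ReturnValue))"
        return
    }
    # The new Log On As identity only applies on the next start. If the restart fails
    # with a logon failure, check that the gMSA holds the "Log on as a service" right;
    # the services.msc dialog grants it automatically, this WMI call may not.
    Restart-Service -Name $svc.Name
}

# Show the ACEs the gMSA holds on each folder and the identity each service runs as.
function Show-GmsaConfiguration {
    foreach ($p in ($ReadOnly + $FullControl)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $rights = (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            ForEach-Object { $_.FileSystemRights }
        Write-Host ('{0,-52} {1}' -f $p, $(if ($rights) { $rights -join ', ' } else { 'NO ACE' }))
    }
    foreach ($d in $ServiceDisplayNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$d'"
        if ($svc) { Write-Host ('{0,-20} LogOn={1} State={2}' -f $d, $svc.StartName, $svc.State) }
    }
}

foreach ($p in $ReadOnly)            { Grant-FolderAccess -Path $p -Rights R }
foreach ($p in $FullControl)         { Grant-FolderAccess -Path $p -Rights F }
foreach ($d in $ServiceDisplayNames) { Set-ServiceGmsaLogon -DisplayName $d }
Show-GmsaConfiguration
```

Show-GmsaConfiguration is read-only and can be run on its own at any later time, for instance after an upgrade, to confirm that each folder still carries an ACE for the gMSA and that each service still logs on as it.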
Notes on upgrading ArcGIS Enterprise when using Managed Service Accounts: The setup or upgrade utility for ArcGIS Enterprise 10.7.1 and earlier does not support specifying an MSA as the "Log On As" account for the ArcGIS Enterprise Windows services. Before any future upgrade, the "Log On As" account must be manually changed back to a local or domain account for each Windows service in ArcGIS Enterprise. Once the upgrade has completed, repeat steps 3 and 4 to confirm the permissions are still correct and to switch the services back to the MSA.