Switching Tentacle from Local System to AD account

We are successfully using Octopus for over a year on DTAP environments street with over 50 tentacles of different types (IIS, Sql Server, File Server, Management Server), all tentacles running under the default Local System account.

All our application services run under specific locked down AD accounts. So we would also like the Octopus Tentacle service to run under its own specific AD account.

We’re wondering if this is fully supported by Octopus?

I found a few relevant threads here, such as the one-time difficulty for such a migration, regarding permissions for the MSI uninstall/install for the first tentacle update: https://help.octopus.com/t/octopus-tentacle-permissions/8399

Also, I encountered a topic on MSA accounts, Managed Service Accounts, which is new to me (<blush>), but which may seem to be a best practice for all application services. We’ll further need to study this.

Could you please give us some advice? How big of an endeavour is it going to be for us to migrate the service accounts of all 50+ tentacles on the four DTAP environments (two separate AD forests)?

The immediate reason we’re looking at this now is that for some deployment projects, for the first time, we need a tentacle to reach out to remote resources, e.g. run an executable located on a remote share. And Local System is by default very limited in accessing remote resources.

Hi @saintnick

Thanks for getting in touch!

Running Tentacle under a separate user account is indeed fully supported. Once you have checked and confirmed that the account in question has the required permissions, feel free to go ahead and change the account.

There are a couple of caveats, the main two are that you will need to do this account switch manually for each Tentacle, and you will need to be aware that if you reinstall a Tentacle using the Tentacle Manager, the Windows Service account will revert to Local System.

Hopefully that helps, let me know if you have any other questions!
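A worked example added here (not from the thread and not Octopus's own tooling): a PowerShell script that audits which hosts still run the Tentacle service as LocalSystem, switches them to the AD account through the Win32_Service Change method, and can be re-run later to catch Tentacles that reverted to LocalSystem after a reinstall. It assumes the default service name 'OctopusDeploy Tentacle', that CIM/WinRM is reachable, and that the account already holds the "Log on as a service" right and the file-system rights the Tentacle needs; host and account names below are constructed.

```powershell
# Added example, not from the thread. Assumes the default Tentacle service name;
# a named instance has a different service name, so pass -ServiceName for those.
param(
    [string[]] $ComputerName   = @('web01', 'sql01'),          # constructed sample hosts
    [string]   $ServiceName    = 'OctopusDeploy Tentacle',     # assumed default name
    [string]   $ServiceAccount = 'CORP\svc-tentacle'           # constructed sample account
)

# Report the logon account of the Tentacle service on each host.
function Get-TentacleLogon {
    param([string[]] $Computers, [string] $Name)
    foreach ($c in $Computers) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $c -Filter "Name='$Name'"
        [pscustomobject]@{
            Computer      = $c
            StartName     = $svc.StartName
            State         = $svc.State
            IsLocalSystem = ($svc.StartName -eq 'LocalSystem')   # the drift condition
        }
    }
}

# Change the service logon on one host and restart the service.
function Set-TentacleLogon {
    param([string] $Computer, [string] $Name, [pscredential] $Credential)
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $Computer -Filter "Name='$Name'"
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($r.ReturnValue -ne 0) { throw "Change failed on $Computer (return code $($r.ReturnValue))" }
    [void](Invoke-CimMethod -InputObject $svc -MethodName StopService)
    Start-Sleep -Seconds 5                     # give the SCM time to stop it
    [void](Invoke-CimMethod -InputObject $svc -MethodName StartService)
}

# Audit first: only touch hosts that are still on LocalSystem.
$before = Get-TentacleLogon -Computers $ComputerName -Name $ServiceName
$before | Format-Table -AutoSize

$toSwitch = $before | Where-Object IsLocalSystem
if ($toSwitch) {
    $cred = Get-Credential -UserName $ServiceAccount -Message 'Tentacle service account'
    foreach ($h in $toSwitch) { Set-TentacleLogon -Computer $h.Computer -Name $ServiceName -Credential $cred }
}

# Re-audit: anything still LocalSystem is a failed switch or a reinstalled Tentacle.
$drift = Get-TentacleLogon -Computers $ComputerName -Name $ServiceName | Where-Object IsLocalSystem
if ($drift) { Write-Warning "Still running as LocalSystem: $($drift.Computer -join ', ')" }
```

Running only the audit part on a schedule turns the reinstall caveat from the reply into something you detect rather than discover during a failed deployment.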
