license manager registry keys caution re: permissions

1494
3
09-03-2019 11:30 AM
MattWilkie1
Occasional Contributor II

In FAQ: Does the ArcGIS Administrator allow switching of the License Manager or the software seat type? there's the caution:

In a network environment it is not recommended to give Domain Users or Authenticated Users permissions to these registry keys. If this is done, computer functionality will slow to a crawl. It is recommended to give full control permissions to the local users group in order to authenticate everything locally, rather than across the domain.

Can anyone unpack the full meaning of this for me? For instance:

  • Does "Domain Users" mean the specific Active Directory object container called "Domain Users" or any account that happens to be member of Domain Users? (probably the container, but let's be thorough and precise)
  • Does permission to "these keys" mean just the Esri keys named in the FAQ or does this warning apply to the parent container? If parent, how high up?
  • Does "local users group" mean MACHINE\Users?
  • Assuming yes, is the recommendation to have Domain-Users-the-AD-object a member of MACHINE\Users or should it be MYDOMAIN\myusername as member? or MYDOMAIN\our-gis-group?
  • Finally, once all these are answered, how do you push these to your users? Group policy? Regedit.exe scripts? something else?

Screenshots of my interpretation of the FAQ, which I'd like verified as correct:

3 Replies
curtvprice
MVP Esteemed Contributor

Hi Matt. Instead of futzing with registry group policy (which can have all kinds of nasty side effects, and may be rolled back by changes in group policy upstream of you) I suggest using scripts that use Windows environment variables to modify the seat type and license manager.  I think this is easy workaround that doesn't require any tricky Windows permission setups. I have posted an example script here. 

ArcMap Basic Standard Professional Startup Script

Another approach which I think is better (less risky) than wholesale registry permissions changes is to use a securely accessed script that is set up in Windows to crank up as elevated to do a specific task like this (modify registry keys to change seat licensing) that users can launch from Windows Software Center. 

Hope this helps!

MattWilkie1
Occasional Contributor II

Thanks Curtis. I'm familiar with env var to change license level (my scripts). The scenario which prompted this is users not being able to change the License Manager host names. I know that can be done with batch files too but if I ask users to edit batch files or environment variables I'll spend too much my time with supporting how to do that. I'm reluctant to go down that road. 😉

MattWilkie1
Occasional Contributor II

I should also say I'm particularly interested in the mechanics of "not recommended to give Domain Users or Authenticated Users permissions to these registry keys. If this is done, computer functionality will slow to a crawl." On multiple occasions I have spend many days troubleshooting why ArcMap (this/that) and/or Windows itself is unreasonably slow. With this teaser line I'm naturally wondering if mis-aligned registry permissions may have played a role in that.