We have been successfully using Octopus for over a year on a DTAP environment street with over 50 Tentacles of different types (IIS, SQL Server, File Server, Management Server), all Tentacles running under the default Local System account.
All our application services run under specific locked-down AD accounts, so we would also like the Octopus Tentacle service to run under its own specific AD account.
We’re wondering if this is fully supported by Octopus?
I found a few relevant threads here, such as the one-time difficulty for such a migration, regarding permissions for the MSI uninstall/install for the first tentacle update: https://help.octopus.com/t/octopus-tentacle-permissions/8399
Also, I encountered a topic on MSA accounts (Managed Service Accounts), which is new to me (<blush>), but which may seem to be a best practice for all application services. We'll need to study this further.
Could you please give us some advice? How big of an endeavour is it going to be for us to migrate the service accounts of all 50+ tentacles on the four DTAP environments (two separate AD forests)?
The immediate reason we're looking at this now is that, for some deployment projects, we need for the first time a Tentacle to reach out to remote resources, e.g. to run an executable located on a remote share, and Local System is by default very limited in accessing remote resources.