Platform Common Services accounts and OS groups
- Last updated: Oct 07, 2025
For System Platform 2023 R2 SP1, Platform Common Services creates and uses the following user accounts, service accounts, and user groups.
| Name | Category | Description |
|---|---|---|
| AsbCoreServices | Group | This user group contains the file system and registry permissions required by the core services of the PCS framework. Since these processes are started by the AVEVA Watchdog, the only user account in this group should be the NT SERVICE\Watchdog_Service virtual service account. |
| ArchestrAWebHosting | Group | Members of this user group can listen on the shared HTTP (default=80) and HTTPS (default=443) ports. Members of this group also have access to the private key of the security certificate used to bind to the HTTPS port. To enable a secure SuiteLink connection, add the standard user to this group on the server side. For details, see "Secured SuiteLink Connection" in the AVEVA Communication Drivers Pack User Guide, available at [Installation Media]\InstallFiles\CD-OIEngine\Docs\OICore.pdf. |
| ASBSolution | Group | Membership in this user group provides the file system and registry permissions required by the PCS Framework. |
| NT SERVICE\Watchdog_Service | Windows Service Account | Watchdog_Service runs as a high-privileged virtual service account. The group policy for this service requires AeServiceLogonRight. |
| NT SERVICE\AsbServiceManager | Windows Service Account | AsbServiceManager runs as a low-privileged virtual service account. The group policy for this service requires AeServiceLogonRight. |
| ASBCertificateRenewalService | Local Service Account | ASBCertificateRenewalService runs as a local account and is normally in a stopped state. It is only triggered by the Asb.Watchdog process, based on the validity of the local certificate. When the certificate is renewed, the service is stopped. The group policy for this service requires AeServiceLogonRight. |
| NT SERVICE\AIMTokenHost | Windows Service Account | AIMTokenHost runs as a virtual service account once the System Management Server is configured. This is for the PCS.IdentityManager.Host. |
| NT SERVICE\ArchestraDataStore | Windows Service Account | ArchestraDataStore runs as a virtual service account. It starts and should continue to run once the installation is complete. |

PCS account group membership
The following accounts and groups support Historian functionality:
| Group | Account | Description |
|---|---|---|
| ArchestrAWebHosting | AIMTokenHost | All processes that need access to the private key of certificates should be part of the ArchestrAWebHosting user group. To enable a secure SuiteLink connection, add the standard user to this group on the server side. For details, see "Secured SuiteLink Connection" in the AVEVA Communication Drivers Pack User Guide, available at [Installation Media]\InstallFiles\CD-OIEngine\Docs\OICore.pdf. |
| | AsbServiceManager | |
| ASBSolution | InTouchDataService | These two Windows Service Accounts are not technically PCS services, but are added to this group to support the InTouch Web Client. |
| | InTouchWeb | |
| Users | AsbServiceManager | NT SERVICE\AsbServiceManager is added to the Users group for backward compatibility. The legacy ASBService user was part of the Users group, and was replaced by AsbServiceManager as of ASB version 4.2. If not needed for compatibility, AsbServiceManager can be removed. |
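
One way to check a node against the memberships listed above, as an added example that is not AVEVA's own tooling: it reports members of AsbCoreServices and ArchestrAWebHosting (the group with access to the HTTPS certificate's private key) that are not in the tables, and notes whether AsbServiceManager is still in Users. The function name `Test-PcsGroupMembership` and the `$Baseline` hashtable are hypothetical; the expected members are taken from the tables on this page and assume no site-specific additions.

```powershell
# Added example: audit local PCS group membership against the tables on this page.
# Uses Get-LocalGroupMember (Windows PowerShell 5.1 or later); run on the PCS node.

# Expected members per group, copied from the tables above. Extend for your site,
# e.g. the standard user added to ArchestrAWebHosting for secured SuiteLink.
$Baseline = @{
    'AsbCoreServices'     = @('NT SERVICE\Watchdog_Service')
    'ArchestrAWebHosting' = @('NT SERVICE\AIMTokenHost', 'NT SERVICE\AsbServiceManager')
}

function Test-PcsGroupMembership {
    param([hashtable]$Expected = $Baseline)

    foreach ($group in $Expected.Keys) {
        try {
            # Full names are compared, so a local user that merely shares a
            # service's short name is still reported as unexpected.
            $actual = @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
                        Select-Object -ExpandProperty Name)
        } catch {
            [pscustomobject]@{ Group = $group; Member = $null
                               Finding = "Cannot read group: $($_.Exception.Message)" }
            continue
        }
        # -notin is case-insensitive, matching Windows account-name semantics.
        foreach ($m in $actual | Where-Object { $_ -notin $Expected[$group] }) {
            [pscustomobject]@{ Group = $group; Member = $m; Finding = 'Unexpected member' }
        }
        foreach ($m in $Expected[$group] | Where-Object { $_ -notin $actual }) {
            [pscustomobject]@{ Group = $group; Member = $m; Finding = 'Expected member missing' }
        }
    }

    # Users is addressed by its well-known SID so the check works on localized Windows.
    $users = @(Get-LocalGroupMember -SID 'S-1-5-32-545' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name)
    if ('NT SERVICE\AsbServiceManager' -in $users) {
        [pscustomobject]@{ Group = 'Users'; Member = 'NT SERVICE\AsbServiceManager'
                           Finding = 'Present for backward compatibility; remove if not needed' }
    }
}

Test-PcsGroupMembership | Format-Table -AutoSize
```

An empty result means the audited groups match the baseline and AsbServiceManager is not in Users.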