Unsafe TeamCity data directory permissions warning
Hi,
Server Health shows “Unsafe TeamCity data directory permissions”
The following principals have write access to the TeamCity data directory (C:\TeamCityData):
TEST\TeamCity_Server
For security reasons, it is recommended to allow read and write access only to TeamCity and Administrator user accounts.
But why is this shown if this is the exact account the TeamCity server is running under? :-D
Please share <TeamCity Server Home>/logs/teamcity-server.log files (I need the logs covering the last TeamCity server startup).
You can upload the logs to https://uploads.jetbrains.com/ and share the upload ID.
Best regards,
Anton
Upload id: 2025_09_04_KGwnguGqMo7A4rRV9VJyiM (file: teamcity-server.log)
In logs there is
jetbrains.buildServer.STARTUP - OS: Windows Server 2016, version 10.0, amd64, Current user: TeamCity_Server, Time zone: CEST (UTC+02:00)
Maybe comparison of account names for this warning is done without domain/computer name?
Just to confirm, could you check the user in Windows Services > TeamCity Server > Log On? The user in the logs should be exactly as specified in the service properties.
If it's specified differently from the user in the data directory folder access permissions, then this health item will be displayed.
Best regards,
Anton
Thanks, I double-checked in Windows Services the Log On account is shown as “.\TeamCity_Server”. In the folder ACLs it’s displayed as “TEST\TeamCity_Server”. They both resolve to the same local user, but Windows shows them differently depending on context.
It seems the health check compares names as strings rather than SIDs, which might explain the false warning. Could you confirm if this is expected behavior or if it’s a bug in the validation logic?
I also reproduced the same behavior. It does not look expected to me, so I reported it in our issue tracker and provided more details: https://youtrack.jetbrains.com/issue/TW-95700
Please vote for the issue and subscribe to receive updates.
Best regards,
Anton
TW-95700 marks this issue as fixed in 207946. I've just upgraded my Sandbox setup, from 2020.1.2 (78726) to 2025.11 (207946).
Service was running under Windows as “EXAMPLE\TeamCityUser” and the permissions for the Data folder showed as “TeamCityUser@example.com”. I'm pretty sure when I set up the permissions it was originally a domain security group, so I updated and changed for “EXAMPLE\TeamCityUser” but it shows in the GUI as “TeamCityUser@example.com”. So I've just updated the service to run as TeamCityUser@example.com and the service and IIS site have restarted, it still warns that EXAMPLE\TeamCityUser shouldn't be granted access to the data folder.
Subsequently I've checked the teamcity-server.log file and despite changing the account for the Service, the current user is showing only as TeamCityUser, no suffix or prefix. So it looks like maybe it's no longer comparing the domain part of the username. But even though, even the case is the same, both TeamCityUser, it's reporting an issue.
I just double-checked on 2025.11 the scenario described in https://youtrack.jetbrains.com/issue/TW-95700 and no warning was shown.
Could you check if it's reproduced when you open the TeamCity UI in a new incognito browser window after the service has been restarted?
If yes, is my understanding correct that it shows the warning for all listed combinations?
Best regards,
Anton
Hi Anton,
Thanks for getting back to me. I've just tried again, the server was shut down over the weekend as it's a test instance. The jumpbox in that environment has the Edge browser, so I opened an “InPrivate” browser window and logged in. The warning wasn't on the home page, but when I navigated to the Admin section of the UI, it reappeared. I have warnings for the build queue being paused, the Domain Isolation for artifacts warning and the warning for the Service Account for the TeamCity service having write access to the TeamCity data directory. The warning only lists the account once, in the format like “DOMAIN\ServiceAccountName”, where DOMAIN is the domain name and ServiceAccountName is the user name of the account used to run the TeamCity service.
Kind Regards,
Will.
Having referred to the issue referenced, this scenario does differ from that issue, in that I'm using a domain joined server with a domain service account rather than a local account.
Was it the same before the update?
Best regards,
Anton
I was running a pretty old version, 2020.1.2 I think, before the update, so the warning didn't exist I don't think. Thanks.
Will this be fixed in a future update? Thanks.
Sorry for the wait. Could you please share the screenshot of TeamCity Server Windows service Log On settings, the data directory permissions screenshot, and the warning message screenshot? You can upload them safely using https://uploads.jetbrains.com/.
Best regards,
Anton
Hi Anton,
Apologies, I thought in my “live” environment, I was using the service account, it appears I had unresolved issues in the past and I'm not currently using the Service Account to run the Windows Service, so can't provide the screenshot right now. I mean I could, but it wouldn't be much use if it's not configured as expected.
I'll need to raise a change to try updating the configuration to what I expected and test this doesn't break anything and I could return to this thread to confirm if it's resolved when running as the service account or provide screenshots as requested if it's still warning. Thanks for getting back to me.
Kind Regards,
Will.
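An added example, not part of the thread and not TeamCity's own check: a PowerShell audit that compares the service account with the data directory ACL by SID, so that ".\name", "DOMAIN\name" and "name@domain" forms of one account are treated as the same principal. The service name 'TeamCity' and the helper name Resolve-Sid are assumptions; the path is the one quoted in the first post.

```powershell
# Assumptions (adjust to your installation): service name and data directory.
$ServiceName = 'TeamCity'
$DataDir     = 'C:\TeamCityData'

function Resolve-Sid([string]$Name) {
    # Hypothetical helper: normalise any account spelling to its SID string.
    if ($Name -match '^S-1-') { return $Name }               # already a SID
    if ($Name -eq 'LocalSystem') { $Name = 'NT AUTHORITY\SYSTEM' }
    # '.\user' is the Services console shorthand for a local account.
    if ($Name.StartsWith('.\')) { $Name = "$env:COMPUTERNAME\" + $Name.Substring(2) }
    try {
        [System.Security.Principal.NTAccount]::new($Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # name could not be resolved (deleted account, unreachable domain)
    }
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$svcSid = Resolve-Sid $svc.StartName

# Write-capable rights: the file-specific Write bits plus GENERIC_WRITE / GENERIC_ALL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             0x40000000 -bor 0x10000000

(Get-Acl -LiteralPath $DataDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } |
    ForEach-Object {
        $sid = Resolve-Sid $_.IdentityReference.Value
        [pscustomobject]@{
            AclName      = $_.IdentityReference.Value
            Sid          = $sid
            Inherited    = $_.IsInherited
            # True only when the ACE and the service logon resolve to the same SID.
            IsServiceAcc = ($null -ne $sid -and $sid -eq $svcSid)
        }
    } | Format-Table -AutoSize

"Service logon '$($svc.StartName)' resolves to SID: $svcSid"
```

Rows with IsServiceAcc set to False are the principals worth reviewing; a row for the service account itself with IsServiceAcc True indicates the difference is only in how the name is displayed.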