Required user accounts for installation of DB2 server products (Windows)

 

If you are installing a DB2® server product on Windows®, you require the following user accounts:

The installation user account is the account of the user performing the installation. The installation user account must be defined prior to running the DB2 Setup wizard. The setup user accounts can be defined prior to installation or you can have the DB2 Setup wizard create them for you.

All user account names must adhere to your system naming rules and to DB2 naming rules.

Extended security on Windows

DB2 products offer extended Windows security. If the extended security feature is selected, add the users who will administer or use the DB2 product to either the DB2ADMNS or DB2USERS group as appropriate.

The DB2 installer creates these two new groups. You can either specify a new name or accept the default names during installation.

To enable this security feature, select the Enable operating system security check box on the Enable operating system security for DB2 objects panel during the DB2 installation. Accept the default values for the DB2 Administrators Group field, and the DB2 Users Group field. The default group names are DB2ADMNS and DB2USERS. If there is a conflict with existing group names, you will be prompted to change the group names. If required, you can specify your own values.

DB2 server user accounts

Installation user account

A local or domain user account is required to perform the installation. Normally, the user account must belong to the Administrators group on the computer where you will perform the installation.

Alternatively, a non-Administrator user account can be used. This alternative requires that a member of the Windows Administrators group first configure the Windows elevated privileges settings to allow a non-Administrator user account to perform an installation.

On Windows Vista, a non-administrator can perform an installation, but will be prompted for administrative credentials by the DB2 Setup wizard.

The user right "Access this computer from the network" is required for the installation user account.

The installation user ID must belong to the Domain Administrators group on the domain if the installation requires a domain account to be created or verified.

You may also use the built-in LocalSystem account as your Service Logon account for all products, except DB2 Enterprise Server Edition.

User rights granted by the DB2 installer

The DB2 installation program does not grant the Debug Programs user right. The DB2 installer grants the following user rights:

DB2 Administration Server (DAS) user account

A local or domain user account is required for the DB2 Administration Server (DAS).

If you are performing a response file installation, you can also specify the Local System account in the response file. For more details, refer to the sample response files in the db2\windows\samples directory.

The LocalSystem account is available for all products, except DB2 Enterprise Server Edition, and can be selected through the DB2 Setup wizard.

The DAS is a special DB2 administration service used to support the GUI tools and assist with administration tasks on local and remote DB2 servers. The DAS has an assigned user account that is used to log the DAS service on to the computer when the DAS service is started.

You can create the DAS user account before installing DB2 or you can have the DB2 Setup wizard create it for you. If you want to have the DB2 Setup wizard create a new domain user account, the user account you use to perform the installation must have authority to create domain user accounts. The user account must belong to the Administrators group on the computer where you will perform the installation. This account will be granted the following user rights:

If extended security is enabled, then the DB2ADMNS group will have all these privileges. You can simply add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.

The "Debug programs" privilege is only needed when DB2 group lookup is explicitly specified to use the access token.

The install program grants these privileges to the user account whether it creates the account or the account already exists. If the install grants the privileges, some of them will only be effective on first log-on by the account that was granted the privileges or upon reboot.

It is recommended that the DAS user have SYSADM authority on each of the DB2 systems within your environment so that it can start or stop other instances if required. By default, any user that is part of the Administrator group has SYSADM authority.

DB2 instance user account

The user account must belong to the Administrators group on the computer where you will perform the installation.

A local or domain user account is required for the DB2 instance. Every DB2 instance has one user that is assigned when the instance is created. DB2 logs on with this user name when the instance is started. An error will occur if you use a domain user account to perform a database operation (such as creating a database) against a DB2 instance created with either a Local user account or the LocalSystem account. If you know you will be using a domain user account with your DB2 product, you should create the instance using a domain user account.

You may also use the built-in LocalSystem account to run the installation for all products, except for DB2 Enterprise Server Edition.

You can create the DB2 instance user account before installing DB2 or you can have the DB2 Setup wizard create it for you. If you want to have the DB2 Setup wizard create a new domain user account, the user account you use to perform the installation must have authority to create domain user accounts. This account will be granted the following user rights:

If extended security is enabled, then the DB2ADMNS group will have all these privileges. You can simply add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.

The "Debug programs" privilege is only needed when DB2 group lookup is explicitly specified to use the access token.

The install program grants these privileges to the user account whether it creates the account or the account already exists. If the install grants the privileges, some of them will only be effective on first log-on by the account that was granted the privileges or upon reboot.
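
The group rules described above (administrators go into DB2ADMNS, members of that group must still be in the Local Administrators group, and any member of the Administrators group has SYSADM authority by default) can be reviewed with a short membership audit. This is an added example, not part of the product documentation; it assumes the default group names, Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets, and it checks direct membership only.

```powershell
# Added example: audit the DB2 extended-security groups on the local computer.
# Group names are the installer defaults; pass other names if they were
# changed during installation.
param(
    [string]$AdminGroup = 'DB2ADMNS',
    [string]$UserGroup  = 'DB2USERS'
)

function Get-DirectMembers {
    param([string]$Name, [string]$Sid)
    # Returns direct members only; nested domain groups are not expanded.
    $label = if ($Sid) { $Sid } else { $Name }
    try {
        if ($Sid) { Get-LocalGroupMember -SID $Sid -ErrorAction Stop }
        else      { Get-LocalGroupMember -Name $Name -ErrorAction Stop }
    } catch {
        Write-Warning "Cannot read group '$label': $($_.Exception.Message)"
    }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup works regardless of the display language of Windows.
$localAdmins = @(Get-DirectMembers -Sid 'S-1-5-32-544')
$db2Admins   = @(Get-DirectMembers -Name $AdminGroup)
$db2Users    = @(Get-DirectMembers -Name $UserGroup)

$localAdminSids = @($localAdmins | ForEach-Object { $_.SID.Value })
$db2AdminSids   = @($db2Admins   | ForEach-Object { $_.SID.Value })

# 1. DB2ADMNS members, flagged when they are not direct local Administrators.
"Members of ${AdminGroup}:"
$db2Admins | ForEach-Object {
    [pscustomobject]@{
        Account       = $_.Name
        Type          = $_.ObjectClass
        Source        = $_.PrincipalSource
        InLocalAdmins = $localAdminSids -contains $_.SID.Value
    }
} | Format-Table -AutoSize

# 2. Local Administrators outside DB2ADMNS: SYSADM by default, so each
#    entry should be an account that is meant to administer DB2.
"Local Administrators not in ${AdminGroup}:"
$localAdmins | Where-Object { $db2AdminSids -notcontains $_.SID.Value } |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. DB2USERS members, for review against the list of intended DB2 users.
"Members of ${UserGroup}:"
$db2Users | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

An account reported with `InLocalAdmins = False` may still be an administrator through a nested domain group, so confirm those entries before changing membership.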
