The installation user account is the account of the user performing the installation. The installation user account must be defined before running the DB2 Setup wizard. The setup user accounts can be defined before installation or you can have the DB2 Setup wizard create them for you.
All user account names must adhere to your system naming rules and to DB2 User, user ID and group naming rules.
If you use an installation user account that contains non-English characters which are not specified in DB2 naming rules, the DB2 installation will fail.
DB2 products offer extended Windows security. If the extended security feature is selected, you must add the users who will administer or use the DB2 product to either the DB2ADMNS or DB2USERS group as appropriate.
The DB2 installer creates these two new groups. You can either specify a new name or accept the default names during installation.
To enable this security feature, select the Enable operating system security check box on the Enable operating system security for DB2 objects panel during the DB2 installation. Accept the default values for the DB2 Administrators Group field, and the DB2 Users Group field. The default group names are DB2ADMNS and DB2USERS. If there is a conflict with existing group names, you will be prompted to change the group names. If required, you can specify your own group names.
Alternatively, a non-Administrator user account can be used. This alternative requires that a member of the Windows Administrators group first configure the Windows elevated privileges settings to allow a non-Administrator user account to perform an installation.
On Windows 2008 and Windows Vista or higher, a non-administrator can perform an installation, but will be prompted for administrative credentials by the DB2 Setup wizard.
The user right "Access this computer from the network" is required for the installation user account.
The installation user ID must belong to the Domain Administrators group on the domain if the installation requires a domain account to be created or verified.
You may also use the built-in LocalSystem account as your Service Logon account for all products, except DB2 Enterprise Server Edition.
If you are performing a response file installation, you can also specify the Local System account in the response file. For more details, refer to the sample response files in the db2\windows\samples directory.
The LocalSystem account is available for all products, except DB2 Enterprise Server Edition and can be selected through the DB2 Setup wizard.
The DAS is a special DB2 administration service used to support the GUI tools and assist with administration tasks on local and remote DB2 servers. The DAS has an assigned user account that is used to log the DAS service on to the computer when the DAS service is started.
You can create the DAS user account before installing DB2 or you can have the DB2 Setup wizard create it for you. If you want to have the DB2 Setup wizard create a new domain user account, the user account you use to perform the installation must have authority to create domain user accounts. The user account must belong to the Administrators group on the computer where you will perform the installation. This account will be granted the following user rights:
If extended security is enabled, the DB2ADMNS group will have all these privileges. You can add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.
The "Debug programs" privilege is only needed when DB2 group lookup is explicitly specified to use the access token.
The install program grants these privileges to the user account whether it creates the account or the account already exists. If the install program grants the privileges, some of them take effect only when the account first logs on or after a reboot.
It is recommended that the DAS user have SYSADM authority on each of the DB2 systems within your environment so that it can start or stop other instances if required. By default, any user that is part of the Administrators group has SYSADM authority.
A local or domain user account is required for the DB2 instance because the instance runs as a Windows service and the service executes in the security context of that user account. When you use a domain user account to perform a database operation (such as creating a database) against a DB2 instance, the DB2 service needs to access the domain to authenticate the user and look up the user's group membership. By default, a domain allows only a domain user to query the domain; hence, the DB2 service needs to be running in the security context of a domain user. An error will occur if you use a domain user account to perform a database operation against a DB2 service running with either a local user account or the LocalSystem account.
You may also use the built-in LocalSystem account to run the installation for all products, except for DB2 Enterprise Server Edition.
If extended security is enabled, then the DB2ADMNS group will have all these privileges. You can add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.
The "Debug programs" privilege is only needed when DB2 group lookup is explicitly specified to use the access token.
The install program grants these privileges to the user account whether it creates the account or the account already exists. If the install program grants the privileges, some of them take effect only when the account first logs on or after a reboot.
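The following read-only PowerShell audit is an added example, not part of the DB2 documentation. It reports which account each DB2 service logs on as, flags the case described above where a domain-joined host runs the service as a local or LocalSystem account, and checks the account's membership in the Local Administrators and DB2ADMNS groups. It assumes that DB2 service names match `DB2*`, that DB2ADMNS is a local group with the installer's default name, and that Windows PowerShell 5.1 or later is available for `Get-LocalGroupMember`.

```powershell
# Added example: audit DB2 service logon accounts (read-only).
# Assumptions: DB2 service names match 'DB2*'; DB2ADMNS is a local group
# that still has the installer's default name.
$servicePattern = 'DB2*'
$db2AdminGroup  = 'DB2ADMNS'

$domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

function Get-LogonKind {
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName) -or $StartName -eq 'LocalSystem') { return 'LocalSystem' }
    if ($StartName -like '*@*')    { return 'Domain' }   # UPN form, user@domain
    if ($StartName -notlike '*\*') { return 'Local' }    # bare name, no authority part
    $authority = ($StartName -split '\\', 2)[0]
    if ($authority -in 'NT AUTHORITY', 'NT SERVICE') { return 'BuiltIn' }
    if ($authority -in '.', $env:COMPUTERNAME)       { return 'Local' }
    return 'Domain'
}

function Get-MemberNames {
    param([string]$Group)
    # Returns 'AUTHORITY\name' strings; nothing if the group does not exist.
    @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object Name)
}

$admins   = Get-MemberNames 'Administrators'
$db2admns = Get-MemberNames $db2AdminGroup

Get-CimInstance -ClassName Win32_Service |
    Where-Object Name -like $servicePattern |
    ForEach-Object {
        $kind = Get-LogonKind $_.StartName
        # Normalise '.\user' to 'HOST\user' so it compares with group member names.
        $acct = $_.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
        [pscustomobject]@{
            Service           = $_.Name
            LogonAs           = $_.StartName
            Kind              = $kind
            InAdministrators  = $admins -contains $acct
            InDb2Admns        = $db2admns -contains $acct
            # Domain-user operations fail when the service cannot query the domain.
            DomainUserOpsFail = $domainJoined -and $kind -ne 'Domain'
        }
    } | Format-Table -AutoSize
```

Only direct group membership is compared; an account that reaches Administrators or DB2ADMNS through a nested group, or that is configured in UPN form, will show `False` in the membership columns and needs a manual check.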