Required user accounts for installation of Db2 server products (Windows)

Before you begin installation tasks, you must have an installation user account. During the installation, you can also choose to create one or more setup user accounts, such as a Db2 Administration Server (DAS) user account or a Db2 instance user account.

The installation user account is the account of the user performing the installation. The installation user account must be defined before running the Db2 Setup wizard. The setup user accounts can be defined before installation or you can have the Db2 Setup wizard create them for you.

All user account names must adhere to your system naming rules and to Db2 User, user ID and group naming rules.

If you use an installation user account that contains non-English characters which are not specified in Db2 naming rules, the Db2 installation will fail.

Extended security on Windows

Db2 database products offer extended Windows security. If the extended security feature is selected, you must add the users who will administer or use the Db2 database product to either the DB2ADMNS or DB2USERS group as appropriate.

The Db2 installer creates these two new groups. You can either specify a new name or accept the default names during installation.

To enable this security feature, select the Enable operating system security check box on the Enable operating system security for Db2 objects panel during the Db2 installation. Accept the default values for the Db2 Administrators Group field, and the Db2 Users Group field. The default group names are DB2ADMNS and DB2USERS. If there is a conflict with existing group names, you will be prompted to change the group names. If required, you can specify your own group names.

Db2 server user accounts

Installation user account
A local or domain user account is required to perform the installation. Normally, the user account must belong to the Administrators group on the computer where you will perform the installation.

Alternatively, a non-Administrator user account can be used. This alternative requires that a member of the Windows Administrators group first configure the Windows elevated privileges settings to allow a non-Administrator user account to perform an installation.

On Windows operating systems, a non-administrator can perform an installation, but will be prompted for administrative credentials by the Db2 Setup wizard.

The user right "Access this computer from the network" is required for the installation user account.

The installation user ID must belong to the Domain Administrators group on the domain if the installation requires a domain account to be created or verified.

You may also use the built-in LocalSystem account as your Service Logon account for all products.

User rights granted by the Db2 installer
The Db2 installation program does not grant the Debug Programs user right. The Db2 installer grants the following user rights:
  • Act as part of the operating system
  • Create token object
  • Lock pages in memory
  • Log on as a service
  • Increase quotas
  • Replace a process level token

Db2 Administration Server (DAS) user account
A local or domain user account is required for the Db2 Administration Server (DAS).
Important: The Db2 Administration Server (DAS) has been deprecated and might be removed in a future release. The DAS is not supported in Db2 pureScale® environments. Use software programs that use the Secure Shell protocol for remote administration. For more information, see Db2 administration server (DAS) has been deprecated.

If you are performing a response file installation, you can also specify the Local System account in the response file. For more details, refer to the sample response files in the db2\windows\samples directory.

The LocalSystem account is available for all products, except Db2 Enterprise Server Edition and can be selected through the Db2 Setup wizard.

The DAS is a special Db2 administration service used to support the GUI tools and assist with administration tasks on local and remote Db2 servers. The DAS has an assigned user account that is used to log the DAS service on to the computer when the DAS service is started.

You can create the DAS user account before installing Db2 or you can have the Db2 Setup wizard create it for you. If you want to have the Db2 Setup wizard create a new domain user account, the user account you use to perform the installation must have authority to create domain user accounts. The user account must belong to the Administrators group on the computer where you will perform the installation. This account will be granted the following user rights:

  • Act as part of the operating system
  • Debug programs
  • Create token object
  • Lock pages in memory
  • Log on as a service
  • Increase quotas (adjust memory quotas for a process on Windows Server 2003 operating systems)
  • Replace a process level token

If extended security is enabled, the DB2ADMNS group will have all these privileges. You can add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.

The "Debug programs" privilege is only needed when Db2 group lookup is explicitly specified to use the access token.

If the user account is created by the install program, the user account will be granted these privileges and if the user account already exists, this account will also be granted these privileges. If the install grants the privileges, some of them will only be effective on first log on by the account that was granted the privileges or upon reboot.

It is recommended that the DAS user have SYSADM authority on each of the Db2 database systems within your environment so that it can start or stop other instances if required. By default, any user that is part of the Administrators group has SYSADM authority.

Db2 instance user account
The user account must belong to the Administrators group on the computer where you will perform the installation.

A local or domain user account is required for the Db2 instance because the instance is run as a Windows service and the service will be executing in the security context of the user account. When you use a domain user account to perform a database operation (such as creating a database) against an instance, the Db2 service needs to access the domain to authenticate and search for the user's group membership. By default, a domain will only allow a domain user to query the domain and hence, the service needs to be running in the security context of a domain user. An error will occur if you use a domain user account to perform a database operation against a Db2 service running with either a Local user account or a LocalSystem account.

You may also use the built-in LocalSystem account to run the installation for all products, except for Db2 Enterprise Server Edition.

You can create the Db2 instance user account before installing Db2 or you can have the Db2 Setup wizard create it for you. If you want to have the Db2 Setup wizard create a new domain user account, the user account you use to perform the installation must have authority to create domain user accounts. This account will be granted the following user rights:
  • Act as part of the operating system
  • Debug programs
  • Create token object
  • Increase quotas
  • Lock pages in memory
  • Log on as a service
  • Replace a process level token

If extended security is enabled, then the DB2ADMNS group will have all these privileges. You can add users to that group and you do not need to add these privileges explicitly. However, the user still needs to be a member of the Local Administrators group.

The "Debug programs" privilege is only needed when Db2 group lookup is explicitly specified to use the access token.

If the user account is created by the install program, the user account will be granted these privileges and if the user account already exists, this account will also be granted these privileges. If the install grants the privileges, some of them will only be effective on first log on by the account that was granted the privileges or upon reboot.
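
An added audit example (not IBM's code or part of the original page): the PowerShell function below parses a secedit user-rights export and lists which principals hold the user rights named in the lists above, flagging any principal that is not on an allow list you supply. The function name Get-Db2RightHolder, the account names db2admin and tempuser, and the sample export lines are constructed for illustration.

```powershell
# Added example (not IBM's code). Standard Windows constants for the rights listed on this page.
$Db2Rights = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create token object'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeServiceLogonRight           = 'Log on as a service'
    SeIncreaseQuotaPrivilege      = 'Increase quotas (adjust memory quotas for a process)'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeDebugPrivilege              = 'Debug programs'
    SeNetworkLogonRight           = 'Access this computer from the network'
}
function Get-Db2RightHolder {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$InfLines, [string[]]$Expected = @())
    foreach ($line in $InfLines) {
        # Entries look like: SeTcbPrivilege = *S-1-5-32-544,db2admin
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right, $holders = $Matches[1], $Matches[2]
        if (-not $Db2Rights.ContainsKey($right)) { continue }   # skip rights not on this page
        foreach ($entry in ($holders -split ',')) {
            $name = $entry.Trim()
            if (-not $name) { continue }
            if ($name.StartsWith('*')) {
                # A leading * marks a SID; resolve it to an account name where possible.
                $name = $name.Substring(1)
                try {
                    $sid  = [System.Security.Principal.SecurityIdentifier]::new($name)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }   # unresolvable SID: report the raw SID string
            }
            [pscustomobject]@{ Right = $right; Meaning = $Db2Rights[$right]
                               Principal = $name; Unexpected = ($Expected -notcontains $name) }
        }
    }
}

# Constructed sample of a [Privilege Rights] section. For real data, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
$lines = @(
    '[Privilege Rights]'
    'SeTcbPrivilege = DB2ADMNS,db2admin'
    'SeDebugPrivilege = *S-1-5-32-544,DB2ADMNS'
    'SeCreateTokenPrivilege = DB2ADMNS,tempuser'
    'SeShutdownPrivilege = *S-1-5-32-544'
)
Get-Db2RightHolder -InfLines $lines -Expected 'DB2ADMNS', 'db2admin', 'BUILTIN\Administrators' |
    Format-Table Right, Principal, Unexpected -AutoSize
```

Rights such as Act as part of the operating system and Create token object are among the most powerful on Windows, so every row marked Unexpected is worth reviewing after an installation or upgrade.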