Setting up Windows elevated privileges before installing a Db2 product (Windows)
The usual method to install a Db2 database product on Windows is to use an Administrator user account. However, Db2 database products can be installed using a non-administrator account. To do so, a Windows Administrator must configure the elevated privileges feature in Windows.
About this task
This task explains how a Windows Administrator can set up a computer with elevated privileges to allow installation using a non-Administrator user account. The related task of granting Db2 administration authorities to non-Administrator users is also covered.
Typically a Windows Administrator would perform this task to enable another person who does not have an Administrator account to install a Db2 database product. The role of this person might be only to install Db2 database products or to also administer Db2 database products once installed.
Restrictions
- Non-Administrator users can only install fix packs, add-on products, or upgrade Db2 database products if prior installations or upgrades were also performed by the same non-Administrator user.
- Non-Administrator users cannot uninstall a Db2 database product.
Procedure
Results
- Any user in the system administrative (SYSADM) or system control (SYSCTRL) authority group defined in the database manager configuration for the instance can create and use Db2 databases within the Db2 instance.
- Only a user with local Administrator authority can run Db2 instance utilities, such as db2icrt, db2idrop, db2iupdt, or db2iupgrade.
- The authorization requirements for running the db2start or db2stop command are defined in the topics START DATABASE MANAGER command and STOP DATABASE MANAGER command.
What to do next
- Using regedit instead of the Windows Group Policy Editor
  An alternative to using the Windows Group Policy Editor is to use regedit.
  - In the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows, add the key installer
  - Edit the key installer with the following values:
    - For AlwaysInstallElevated, enter REG_DWORD=1
    - For AllowLockdownBrowse, enter REG_DWORD=1
    - For AllowLockdownMedia, enter REG_DWORD=1
    - For AllowLockdownPatch, enter REG_DWORD=1
    - For DisableMSI, enter REG_DWORD=0
    - For EnableUserControl, enter REG_DWORD=1
  - In the registry branch HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows, add the key installer
  - Edit the key installer with the following values:
    - For AlwaysInstallElevated, enter REG_DWORD=1
- Removing elevated privileges
  After you have given elevated privileges, you can reverse this action. To do so, remove the registry key Installer under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.
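The following PowerShell check is an added example, not part of the Db2 documentation. It reads the registry values listed above and reports whether elevated installs are currently in effect, which is useful both after set-up and after removing the privilege. The function name Get-InstallerPolicyState is hypothetical.

```powershell
# Added example (not from the Db2 documentation). Run it as the non-Administrator
# user who installs, because HKCU: resolves to the hive of the account running it.
$expected = [ordered]@{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' = [ordered]@{
        AlwaysInstallElevated = 1
        AllowLockdownBrowse   = 1
        AllowLockdownMedia    = 1
        AllowLockdownPatch    = 1
        DisableMSI            = 0
        EnableUserControl     = 1
    }
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' = [ordered]@{
        AlwaysInstallElevated = 1
    }
}

# Hypothetical helper: one row per expected value, with what the registry holds.
function Get-InstallerPolicyState {
    param([System.Collections.IDictionary]$Expected)
    foreach ($path in $Expected.Keys) {
        # $props stays $null when the Installer key does not exist.
        $props = if (Test-Path -LiteralPath $path) { Get-ItemProperty -LiteralPath $path }
        foreach ($name in $Expected[$path].Keys) {
            # $actual stays $null when the value is not set under the key.
            $actual = if ($props -and $props.PSObject.Properties[$name]) { $props.$name }
            [pscustomobject]@{
                Key      = $path
                Value    = $name
                Expected = $Expected[$path][$name]
                Actual   = $actual
                Matches  = ($null -ne $actual) -and ($actual -eq $Expected[$path][$name])
            }
        }
    }
}

$state = @(Get-InstallerPolicyState -Expected $expected)
$state | Format-Table -AutoSize

# Windows Installer elevates only when AlwaysInstallElevated is 1 in both hives.
$elevatedHives = @($state | Where-Object { $_.Value -eq 'AlwaysInstallElevated' -and $_.Actual -eq 1 })
if ($elevatedHives.Count -eq 2) {
    'Elevated installs are ENABLED for this user.'
} else {
    'Elevated installs are not in effect for this user.'
}
```

An empty Actual column means the value or the Installer key is absent from that hive.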
- Granting a non-administrator user Db2 administration authorities
  At this point, only members of the Windows Administrators group will have Db2 administration authorities. The Windows Administrator has the option to grant one or more Db2 authorities, such as SYSADM, SYSMAINT, or SYSCTRL to the non-Administrator user who installed the Db2 database product.