DB2 10.5 for Linux, UNIX, and Windows

Setting up Windows elevated privileges before installing a DB2 product (Windows)

The usual method to install a DB2® database product on Windows is to use an Administrator user account. However, DB2 database products can be installed using a non-administrator account. To do so, a Windows Administrator must configure the elevated privileges feature in Windows.

About this task

This task explains how a Windows Administrator can set up a computer with elevated privileges to allow installation using a non-Administrator user account. The related task of granting DB2 administration authorities to non-Administrator users is also covered.

Typically a Windows Administrator would perform this task to enable another person who does not have an Administrator account to install a DB2 database product. The role of this person might be only to install DB2 database products or to also administer DB2 database products once installed.

Restrictions

Before initiating this procedure, note the following restrictions on non-Administrator installation using elevated privileges:
  • Non-Administrator users can only install fix packs, add-on products, or upgrade DB2 database products if prior installations or upgrades were also performed by the same non-Administrator user.
  • Non-Administrator users cannot uninstall a DB2 database product. Those non-Administrator users on a Windows operating system can uninstall a DB2 database product.
This procedure uses the Windows Group Policy Editor.

Procedure

  1. Click Start > Run and type gpedit.msc. The Group Policy window opens.
  2. Click on Computer Configuration > Administrative Templates > Windows Components > Windows Installer.
  3. Enable the following Group Policy settings:
    • Always install with elevated privileges (mandatory)
    • Enable user control over installs (mandatory)
    • Disable Windows Installer. Then set it to Never.
    • Enable user to patch elevated products (optional)
    • Enable user to use media source while elevated (optional)
    • Enable user to browse for source while elevated (optional for new installations, mandatory for fix pack upgrades)
  4. Enable elevated privileges for the user account that will be performing the installation.
    1. Click User Configuration > Administrative Templates > Windows Components > Windows Installer.
    2. Enable the Always install with elevated privileges (mandatory) Group Policy setting.
  5. Perform setup related to the user account that will install the DB2 database product.
    • Identify the user account that will install the DB2 database product. If necessary, create that account.
    • Give that account write permission for the drive on which an installation is planned.
  6. Optional: Complete additional steps applicable to installing fix packs:
    1. Provide read access to the sqllib\cfg directory.
    2. Ensure that allowlockdownpatch is enabled (as described in the Windows Installer SDK documentation) because fix pack installations are considered minor upgrades to the product.
  7. Refresh the computer's security policy in any one of the following ways:
    • Reboot the PC.
    • At the command line, enter gpupdate.exe.

Results

By following this procedure you will have set up the computer with elevated privileges and set up a user account that will be able to install DB2 database server products, clients and fix packs.
After DB2 database product installation is complete:
  • Any user in the system administrative (SYSADM) or system control (SYSCTRL) authority group defined in the database manager configuration for the instance can create and use DB2 databases within the DB2 instance.
  • Only a user with local Administrator authority can run DB2 instance utilities, such as db2icrt, db2idrop, db2iupdt, or db2iupgrade.
  • The authorization requirements for running the db2start or db2stop command are defined in the topics START DATABASE MANAGER command and STOP DATABASE MANAGER command.

What to do next

Using regedit instead of the Windows Group Policy Editor

An alternative to using the Windows Group Policy Editor is to use regedit.

  1. In the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows, add the key installer.

  2. Edit the key installer with the following values:
    • For AlwaysInstallElevated, enter REG_DWORD=1
    • For AllowLockdownBrowse, enter REG_DWORD=1
    • For AllowLockdownMedia, enter REG_DWORD=1
    • For AllowLockdownPatch, enter REG_DWORD=1
    • For DisableMSI, enter REG_DWORD=0
    • For EnableUserControl, enter REG_DWORD=1
  3. In the registry branch HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows, add the key installer.

  4. Edit the key installer with the following values:
    • For AlwaysInstallElevated, enter REG_DWORD=1

Removing elevated privileges

After you have given elevated privileges, you can reverse this action. To do so, remove the registry key Installer under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.
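
A read-only check for the registry values listed in the regedit procedure above, useful to confirm the setup before installing and to see what remains after the removal step. This is an added example, not IBM code; the function name Get-Db2InstallerPolicy and the state labels are made up for illustration.

```powershell
# Added example, not IBM code. Read-only: it changes nothing in the registry.
# Run it as the account that will install DB2, because HKCU is per user.
$documented = [ordered]@{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' = [ordered]@{
        AlwaysInstallElevated = 1
        AllowLockdownBrowse   = 1
        AllowLockdownMedia    = 1
        AllowLockdownPatch    = 1
        DisableMSI            = 0
        EnableUserControl     = 1
    }
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' = [ordered]@{
        AlwaysInstallElevated = 1
    }
}

function Get-Db2InstallerPolicy {
    foreach ($path in $documented.Keys) {
        # A missing key yields $null here instead of an error.
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $documented[$path].Keys) {
            $prop   = if ($key) { $key.PSObject.Properties[$name] }
            $actual = if ($prop) { $prop.Value } else { $null }
            $want   = $documented[$path][$name]
            if ($null -eq $actual)     { $state = 'NotSet' }
            elseif ($actual -eq $want) { $state = 'AsDocumented' }
            else                       { $state = 'Differs' }
            [pscustomobject]@{
                Key = $path; Value = $name; Documented = $want
                Actual = $actual; State = $state
            }
        }
    }
}

$report = @(Get-Db2InstallerPolicy)
$report | Format-Table -AutoSize

# The removal step on the page names only the HKLM key, so the HKCU row
# is reported separately and is worth checking after removal.
$left = @($report | Where-Object { $_.State -ne 'NotSet' })
"{0} of {1} documented values are present" -f $left.Count, $report.Count
```

Before installation every row should read AsDocumented; once elevated privileges have been removed, a row that does not read NotSet shows a value that is still in place.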

Granting a non-administrator user DB2 administration authorities

At this point, only members of the Windows Administrators group will have DB2 administration authorities. The Windows Administrator has the option to grant one or more DB2 authorities, such as SYSADM, SYSMAINT, or SYSCTRL to the non-Administrator user who installed the DB2 database product.