IBM Support

Changing DB2 instance user account name 'db2admin' on Windows?

Question & Answer


Question

Can I change the DB2 instance user account name 'db2admin' on Windows?

Answer

Yes. To change the default DB2 instance user account name 'db2admin' to another user name, follow the steps below to make the change and then verify the result.

1. Stop database instances and DAS

 $ db2stop
 $ db2admin stop


2. Create a new account and set its password.
For example, I used 'db2admin2' as the user account on this page.

3. Add this new account to the 'DB2ADMNS' and 'Administrators' groups in Windows Security administration.

4. Click Start -> Run and type 'services.msc'.
Then change the 'Log On As' attribute for all DB2 services from 'db2admin' to the new account user name.


5. Check that the new user has the appropriate security policy and rights.
For details, refer to the URL on this page.

(1) Click Start -> Run and type secpol.msc. On Windows 2008 and Windows Vista (or higher), click Start and type secpol.msc in the search bar. Click OK.


(2) Select Local Security Policy.
(3) In the left window pane, expand the Local Policies object, then select User Rights Assignment.
(4) In the right window pane, select the user right that you want to assign.
(5) From the menu, select Action -> Security...
(6) Click Add, then select a user or group to assign the right to, and click Add.
(7) Click OK.

For example, you may need to give the following rights to the new user.

Act as part of the operating system
Debug programs
Create token object
Lock pages in memory
Log on as a service
Replace a process level token

This is the sample image capture of the work.

6. Reboot the operating system.

7. Compare the following results and check that they are the same for the new user and the old 'db2admin' user.

(1) SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID

SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('DB2ADMIN')) AS T;


SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('DB2ADMIN2')) AS T;

: The result should list two groups, 'DB2ADMNS' and 'ADMINISTRATORS'.

(2) SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID

SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (
SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('DB2ADMIN', 'U') ) AS T;

SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (
SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('DB2ADMIN2', 'U') ) AS T;

(3) 'whoami /ALL' command output

(4) 'User Name' of db2sysc.exe in 'Windows Task Manager'
: It should be the new account name.



Note that these steps cover the change from the DB2 perspective only.
You therefore need to consider other impacts of this change if DB2 is bundled with another solution product or if other applications use this account.
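
The checks behind steps 3, 4 and 5 can also be scripted. The PowerShell below is an added example, not part of the original IBM document; it assumes a local account named as on this page, that DB2 services have "DB2" in their name or display name, and an elevated session.

```powershell
# Added example; run from an elevated PowerShell session on the DB2 server.
$NewUser = 'db2admin2'   # example account name used on this page
$OldUser = 'db2admin'
$oldRx = '(^|\\)' + [regex]::Escape($OldUser) + '$'
$newRx = '(^|\\)' + [regex]::Escape($NewUser) + '$'

# Step 4: DB2 services and the account each one logs on as.
# Assumption: DB2 services carry "DB2" in their name or display name.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*DB2*' -or $_.DisplayName -like '*DB2*' } |
    Select-Object Name, StartName,
        @{ Name = 'StillOldAccount'; Expression = { $_.StartName -match $oldRx } } |
    Format-Table -AutoSize

# Step 3: membership of the new account in the two local groups.
foreach ($group in 'DB2ADMNS', 'Administrators') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    $isMember = [bool]($members | Where-Object { $_.Name -match $newRx })
    '{0,-15} contains {1}: {2}' -f $group, $NewUser, $isMember
}

# Step 5: user rights from the page, keyed by their constant names.
$rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeDebugPrivilege              = 'Debug programs'
    SeCreateTokenPrivilege        = 'Create token object'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
$cfg = Join-Path $env:TEMP 'db2-user-rights.inf'   # temporary file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid = ([System.Security.Principal.NTAccount]$NewUser).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Parse "SeXxx = *S-1-5-...,name" lines into right -> list of holders.
$granted = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right, $holders = $Matches[1], $Matches[2]
        $granted[$right] = @($holders -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# Reports direct grants only; rights held through a group are not resolved here.
foreach ($right in $rights.Keys) {
    $direct = ($granted[$right] -contains $sid) -or ($granted[$right] -contains $NewUser)
    '{0,-38} granted directly: {1}' -f $rights[$right], $direct
}
```

Any service still showing `StillOldAccount` as True was missed in step 4, and the old account should stay enabled until none remain.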


Document Information

Modified date:
16 June 2018

UID

swg21683454