For example, if a user logs on to a domain account and tries to access a DB2 database, DB2 will go to a Domain Controller to enumerate groups (including the Administrator's group). You can change this behavior in either of two ways:
- Set the registry variable DB2_GRP_LOOKUP=local and add the domain accounts (or global groups) to the local Administrators group.
- Update the database manager configuration file to specify a new group. If you want that group enumerated on the local machine, the you must also set the DB2_GRP_LOOKUP registry variable.
 | By default, in a Windows NT domain environment , only domain users that
belong to the Administrators group at the Primary Domain Controller (PDC) have
SYSADM authority on an instance. Since DB2 always performs
authorization at the machine where the account is defined, adding a domain
user to the local Administrators group on the server does not grant the domain
user SYSADM authority to this group.
To avoid adding a domain user to the Administrators group at the PDC, we suggest that you create a global group and add the users (both domain and local) that you want to grant SYSADM authority. To do so, enter the following commands: db2stop db2 update dbm cfg using sysadm_group global_group db2start |