Installation and Configuration Supplement

Working with the System Administrative Group

By default, System Administrative (SYSADM) authority is granted to the following:

OS/2

Any valid DB2 user ID which belongs to the Administrator or Local Administrator group.

UNIX

Any valid DB2 user name that belongs to the primary group of the instance owner's user ID.

Windows 9x

Any Windows 9x user.

Windows NT and Windows 2000

Any valid DB2 user account which belongs to the local Administrators group on the machine where the account is defined.

For example, if a user logs on to a domain account and tries to access a DB2 database, DB2 will go to a Domain Controller to enumerate groups (including the Administrator's group). You can change this behavior in either of two ways:

1. Set the registry variable DB2_GRP_LOOKUP=local and add the domain accounts (or global groups) to the local Administrators group.
2. Update the database manager configuration parameter SYSADM_GROUP to specify a new group. If you want that group enumerated on the local machine, you must also set the DB2_GRP_LOOKUP registry variable.

For a domain user to have SYSADM authority, it must belong to the Administrators group on the Domain Controller. Since DB2 always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant the domain user SYSADM authority to this group.

To avoid adding a domain user to the Administrators group at the Domain Controller, we suggest that you create a global group and add the domain users that you want to grant SYSADM authority, and then update the DB2 configuration parameter SYSADM_GROUP with the name of the global group. To do so, enter the following commands:

   db2stop
   db2 update dbm cfg using sysadm_group global_group
   db2start

For information on how to change the default SYSADM settings and how to assign this authority to a different user or set of users, refer to the Administration Guide.