Re: Oracle Installation on Windows

From: Niall Litchfield <>
Date: Wed, 11 Feb 2009 06:39:26 +0000
Message-ID: <>

There are a few rights that are given to LocalSystem that are not given to the Administrators group, for example the 'ACT AS PART OF THE OPERATING SYSTEM' right - you can see these in the local security policy control panel applet (though you can't see their assignment to LocalSystem.

However this should not affect the *install* so long as your domain account is directly a member of the *local* Administrators group - as opposed to Domain Admins (I can't now recall why that made a difference in the past and indeed it shouldn', but it did back in the 806/815 days). The only occasion that I'm aware of it making a difference is in the account that is used for executing OS jobs using EM where you need 4 rights

Log on as a batch job -- self explanatory Replace a process level token -- enables one service to start another act as part of the operating system -- enables impersonate any user Increase memory quota for a process -- self explanatory

I suspect that item 3, particularly given the ability to create em jobs via pl/sql and the ability to inject pl/sql into the db is a difficult to exploit but potentially extremely dangerous security loophole, and to be honest is a requirement that I don't understand. Arguably right 2 is inappropriate as well.

Anyway if you also *run* the Oracle database under a different account, as opposed to installing it under a different account then there *may* be similar uses of non-default rights, I've never come across them except in the EM case though.

On Tue, Feb 10, 2009 at 5:06 PM, William Wagman <>wrote:

> Greetings,
> I'm having a conversation with one of my co-workers re privileges, oracle
> and windows. I am working with Windows Server 2003, 64-bit and Oracle 10gR2.
> Our standard practice is to create an Oracle account which is a member of
> the local administrators group, essentially full administrative rights on
> the box. The Oracle installation is done while logged in as the Oracle user.
> In one situation I encountered problems and Oracle had me uninstall and then
> reinstall while connected as the local admin account. I just installed the
> January 2009 CPU on a windows box and something broke. I opened an SR with
> Oracle, we solved the problem but again the question arose as to whether the
> installation had been done as Oracle or the local admin account with the
> suggestion that it might be necessary to uninstall and reinstall while
> connected as the local admin account. I have done quite a number of
> installations as Oracle rather than the local admin account as well as
> upgrades and patching but t
> wice the question of who did the installation has arisen.
> My question, can someone explain why, if oracle is a member of the
> administrators group with full administrative rights on the box it would
> matter whether the installation is done as Oracle or the local admin
> account? Is there documentation available which might give me some more
> insight into this question?
> Thanks.
> Bill Wagman
> Univ. of California at Davis
> IET Campus Data Center
> (530) 754-6208
> --

Niall Litchfield
Oracle DBA

Received on Wed Feb 11 2009 - 00:39:26 CST

Original text of this message