RE: Oracle Installation on Windows

From: William Wagman <wjwagman_at_ucdavis.edu>
Date: Wed, 11 Feb 2009 14:31:26 -0800
Message-ID: <2A8185DC02A8CE4C8413E0A26A8A831A0321ADE5EB_at_XEDAMAIL2.ex.ad3.ucdavis.edu>



Niall,

That is an interesting comment about the local vs. domain accounts. On the server in question there is both a local and a domain oracle account and both are members of the administrators group. I'm not clear I am looking at it correctly but I will ask the administrator the question re the configuration. I will let you know what I learn.

Thank you.

Bill Wagman
Univ. of California at Davis
IET Campus Data Center
wjwagman_at_ucdavis.edu
(530) 754-6208
From: Niall Litchfield [mailto:niall.litchfield_at_gmail.com]
Sent: Tuesday, February 10, 2009 10:39 PM
To: William Wagman
Cc: oracle-l_at_freelists.org
Subject: Re: Oracle Installation on Windows

There are a few rights that are given to LocalSystem that are not given to the Administrators group, for example the 'ACT AS PART OF THE OPERATING SYSTEM' right - you can see these in the local security policy control panel applet (though you can't see their assignment to LocalSystem).

However this should not affect the *install* so long as your domain account is directly a member of the *local* Administrators group - as opposed to Domain Admins (I can't now recall why that made a difference in the past and indeed it shouldn't, but it did back in the 806/815 days). The only occasion that I'm aware of it making a difference is in the account that is used for executing OS jobs using EM where you need 4 rights:

1. Log on as a batch job -- self explanatory
2. Replace a process level token -- enables one service to start another
3. Act as part of the operating system -- enables impersonating any user
4. Increase memory quota for a process -- self explanatory

I suspect that item 3, particularly given the ability to create em jobs via pl/sql and the ability to inject pl/sql into the db is a difficult to exploit but potentially extremely dangerous security loophole, and to be honest is a requirement that I don't understand. Arguably right 2 is inappropriate as well.

Anyway if you also run the Oracle database under a different account, as opposed to installing it under a different account then there may be similar uses of non-default rights, I've never come across them except in the EM case though.

On Tue, Feb 10, 2009 at 5:06 PM, William Wagman <wjwagman_at_ucdavis.edu> wrote:

Greetings,

I'm having a conversation with one of my co-workers re privileges, oracle and windows. I am working with Windows Server 2003, 64-bit and Oracle 10gR2. Our standard practice is to create an Oracle account which is a member of the local administrators group, essentially full administrative rights on the box. The Oracle installation is done while logged in as the Oracle user. In one situation I encountered problems and Oracle had me uninstall and then reinstall while connected as the local admin account. I just installed the January 2009 CPU on a windows box and something broke. I opened an SR with Oracle, we solved the problem but again the question arose as to whether the installation had been done as Oracle or the local admin account with the suggestion that it might be necessary to uninstall and reinstall while connected as the local admin account. I have done quite a number of installations as Oracle rather than the local admin account as well as upgrades and patching but twice the question of who did the installation has arisen.

My question, can someone explain why, if oracle is a member of the administrators group with full administrative rights on the box it would matter whether the installation is done as Oracle or the local admin account? Is there documentation available which might give me some more insight into this question?

Thanks.

Bill Wagman
Univ. of California at Davis
IET Campus Data Center
wjwagman_at_ucdavis.edu
(530) 754-6208

--

http://www.freelists.org/webpage/oracle-l

--

Niall Litchfield
Oracle DBA
http://www.orawin.info

--

Received on Wed Feb 11 2009 - 16:31:26 CST
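
An audit of the four rights Niall lists, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export` file and marks explicit holders of the two rights he calls out for review. The sample export, the `oracle` account name, the function name and the allowlist of service SIDs are constructed assumptions.

```powershell
# Constant names of the four rights from the thread, as they appear in the
# [Privilege Rights] section of a secedit export.
$EmJobRights = [ordered]@{
    SeBatchLogonRight             = 'Log on as a batch job'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeIncreaseQuotaPrivilege      = 'Increase memory quota for a process'
}
# The two rights the message singles out (items 3 and 2 in its list).
$HighRisk = 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege'
# Assumption: Local Service and Network Service are acceptable holders.
$Allowed = 'S-1-5-19', 'S-1-5-20'

function Get-EmJobRightHolders {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the user-rights section.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$' -and $EmJobRights.Contains($Matches[1])) {
            $right = $Matches[1]
            foreach ($h in $Matches[2] -split ',') {
                $h = $h.Trim().TrimStart('*')   # SIDs are exported with a leading '*'
                if (-not $h) { continue }
                [pscustomobject]@{
                    Right  = $EmJobRights[$right]
                    Holder = $h
                    Review = ($right -in $HighRisk) -and ($h -notin $Allowed)
                }
            }
        }
    }
}

# Constructed sample export; not taken from any real server.
$sample = @'
[Unicode]
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,oracle
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,oracle
SeTcbPrivilege = oracle
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,oracle
[Version]
'@
Get-EmJobRightHolders -InfText $sample | Format-Table -AutoSize
```

For a real server, export with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and pass `Get-Content rights.inf -Raw` as `-InfText`. LocalSystem never appears in the export because its rights are implicit, which matches the remark that its assignment is not visible in the policy applet.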
