DB2 Admin rights granted to all local administrators?

DB2 10.5 on Windows Server 2012 R2.

Trying to figure out how security works with DB2 and Windows.  My main concern is the Server Admin group.  Here is what is confusing me.

By default, system administrative (SYSADM) authority is granted to any valid DB2® user account that belongs to the Administrators group on the computer where the account is defined. If the account is a local account, then it must belong to the local Administrators group. If the account is a domain account, then it must belong to the Administrators group at the domain controller or the local Administrators group. (https://www.ibm.com/support/knowledgecenter/en/SSEPGG_9.7.0/com.ibm.db2.luw.qb.server.doc/doc/c0008762.html)

What does this mean?  On my server when I look at the Local Users and Groups and look at the Administrators group, I see 4 or 5 domain groups that need to be admin on the server, but I don't want them to be admins in DB2.

Is this saying that everyone in the Administrator group on the server is also an admin in DB2?


Jim Youmans, Sr Database Administrator, asked:
Kent Olsen, DBA, commented:
Hi Jim,

That's an accurate assessment.  

You should be able to revoke the privilege, though.


Tomas Helgi Johannsson, Database Administrator / Software Engineer, commented:

If extended security is enabled, you need to put the local users and/or domain users/groups that identify the DB2 admins into the Windows DB2ADMNS group, and the users/user groups into DB2USERS. Please read the manual carefully before applying extended security.
Also, adding DB2ADMNS or the desired domain group (if extended security is not used) to the database instance's SYS* groups (SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, SYSMON_GROUP) will only allow those administrators belonging to that group to maintain the databases on that instance, as stated in the manual you linked:

Since the DB2 database server always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant the domain user SYSADM authority to this group, unless DB2_GRP_LOOKUP=local is set.
To avoid adding a domain user to the Administrators group at the domain controller, create a global group and add the domain users to which you want to grant SYSADM authority to it. Then update the DB2 configuration parameter SYSADM_GROUP with the name of the global group.

     Tomas Helgi
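The sequence Tomas describes, written out as an added example (not from this thread or from IBM): run it in a DB2 Command Window (db2cmd) on the server under a login that currently holds SYSADM. The group name DB2SYSADMS and the database name SAMPLE are assumptions; on a domain, create DB2SYSADMS as a global group in AD and add the intended DBAs before running this.

```batch
@echo off
REM Added example, not the thread's own commands. Assumes a DB2 Command Window,
REM an existing group DB2SYSADMS (assumed name) and a database SAMPLE (assumed).
setlocal
set SYSADM_GRP=DB2SYSADMS

echo --- current setting: a blank SYSADM_GROUP means every member of local ---
echo --- Administrators (and, if DB2_GRP_LOOKUP=local, domain accounts put ---
echo --- into that local group) holds SYSADM on this instance             ---
db2 get dbm cfg | findstr /C:"SYSADM_GROUP"
db2set DB2_GRP_LOOKUP

echo --- point SYSADM at the dedicated group instead of Administrators ---
db2 update dbm cfg using SYSADM_GROUP %SYSADM_GRP%
if errorlevel 1 (
  echo update failed; instance configuration left unchanged
  exit /b 1
)

echo --- SYSADM_GROUP is read at instance start, so restart the instance ---
echo --- (db2stop fails while applications are connected; drain them first) ---
db2stop
db2start

echo --- verify: authorities the current login now holds, and via which group ---
db2 connect to SAMPLE
db2 "select authority, d_user, d_group, d_public from table(sysproc.auth_list_authorities_for_authid(USER, 'U')) as t"
db2 connect reset
endlocal
```

With extended security enabled, members of the new SYSADM group still need DB2ADMNS membership for file-system access to the instance, as Tomas notes above.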

Tomas Helgi Johannsson, Database Administrator / Software Engineer, commented:

Do you need any more assistance or clarification on this issue?

     Tomas Helgi