Win NT/2K and Oracle 9i - explain Local System and domain user ...
Can any Windows gurus here explain about the different Windows accounts/users that the Oracle services run under?
I want to be able to archive my redo logs to a mapped network drive. But it fails and Support say that the DB service has to be started as a domain user with access to the remote machine. The service in question starts as the 'System Account'. Is this not sufficient? What does 'System Account' mean?
I'd create a domain user, make it a member of the local Administrators group - that has a good chance of being enough, but it depends on your NT security setup. I'm pretty sure that on the server the User Rights Policies "Log on as a Service" will have to include this user or a group that it is a member of.
Then log on as that user and check the access to the remote machine - watch out that if this is done by adding the new user to a global group, it takes time for the changes to propagate.
Once all that looks OK use the Services applet in Control Panel to change the user & password in the Startup option for the Oracle services OracleServiceSID and possibly the Listener? . . . not sure about that.
Yes we did, but I didn't understand what we were talking about. I was getting confused with Oracle SYSTEM account and Windows system accounts. The fog's beginning to clear now and I'm going to attempt it again.
Good Luck. I ended up changing the owner of the Oracle Service and TNS Listener service on the machine. Changed it to a domain level user that had administrative rights and service rights.
Then, I set the log_archive_dest params and status params the way I wanted. Did a log switch...voilà, archive log showed up where I wanted it.
However, I now think I want to keep the Windows SYSTEM user as the service owner. So, I am now looking at setting up the archive repository. It looks fairly simple. Create an Oracle service on another machine. No instance, etc...just the service. Then, use the SERVICE flag of the log_archive_Dest to transfer the files to that spot as my storage location.
Have not got a chance yet to try that out, but it seems fairly straightforward.....famous last words....
My worry was that a "hack" attempt might cause an account to be locked out, which would prevent the services starting - a problem if you do unattended restarts. This can't happen with SYSTEM (or with Administrator AFAIK).
The account I was thinking of using is shared with several in IT Support. It's got more of a chance of being misappropriated ...
Maybe I should get a "top-secret" user account that only I and the network admin guy know.
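
To review the points raised in the thread above on a current system, this added example (not part of any post) lists each Oracle service with the Windows account it logs on as and attaches the matching check. It assumes PowerShell 3.0 or later and service names beginning with `Oracle`; the helper name `Get-LogonAccountKind` is hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and that the
# Oracle service names start with "Oracle" (OracleService<SID>, ...TNSListener).

function Get-LogonAccountKind {          # hypothetical helper name
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    # Win32_Service reports the System Account as "LocalSystem".
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'LocalSystem' }
    if ($StartName -match '^(?<scope>[^\\]+)\\(?<user>.+)$') {
        if ($Matches['scope'] -eq 'NT AUTHORITY') { return 'BuiltIn' }
        # ".\user" and "COMPUTERNAME\user" are accounts local to this machine.
        if ($Matches['scope'] -in '.', $env:COMPUTERNAME) { return 'LocalUser' }
        return 'DomainUser'
    }
    if ($StartName -like '*@*') { return 'DomainUser' }   # user@domain form
    return 'Unknown'
}

# What to check for each kind of account, taken from the thread's discussion.
$notes = @{
    LocalSystem = 'System Account: the thread needed a domain user for the remote archive destination'
    DomainUser  = "Needs 'Log on as a service'; a locked-out account stops unattended restarts"
    LocalUser   = 'Local account: confirm how it authenticates to the remote machine'
    BuiltIn     = 'Built-in service identity: confirm it has access to the remote machine'
    Unknown     = 'Could not classify: check the Startup option in the Services applet'
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Oracle%'") {
    $kind = Get-LogonAccountKind -StartName $svc.StartName
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        LogonAs   = $svc.StartName
        Kind      = $kind
        Check     = $notes[$kind]
    }
}

$report | Sort-Object Kind, Service | Format-Table -AutoSize -Wrap
```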