Niall, can we create ORA_DBA group manually(if not created during installation or removed afterward) and will it allow member of that group to connect as SYSDBA without SYS password? Regards Rafiq On Thu, 3 Feb 2005 13:27:20 +0000, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote: > On Thu, 3 Feb 2005 08:00:16 -0500, Sherrie.Kubis@xxxxxxxxxxxxxxxxxx > <Sherrie.Kubis@xxxxxxxxxxxxxxxxxx> wrote: > > > > > > I am looking for some best practice guidelines for assigning administrator > > privilege for Oracle on Windows. I'm coming from a UNIX environment, where > > oracle binaries and datafiles and whatnot are all owned by oracle. Root > > things that need to be done are done from another account that is in the > > root wheel, and done through deliberate actions as needed. > > In terms of *installing* the Oracle software, you should use an > account with local administrator privileges for this (doesn't have to > be a domain administrator). That doesn't mean that the dba needs to > have administrative access to the machine (though I do on all the > database machines in our place). Oracle installation creates an OS > group ORA_DBA which is equivalent to the dba group on Unix. DBA > Accounts should be placed in this group. (You can also create a group > ORA_<SID>_DBA just to restrict them to particular databases). > > I'd strongly recommend that you create a domain group (or groups > depending on how many types of dba you have) that you place dba users > domain accounts in. Then you can assign the domain group to the local > dba group on relevant boxes. Then you can audit who does what since > the dbas all should use their own accounts to do their administration. > > -- > Niall Litchfield > Oracle DBA > http://www.niall.litchfield.dial.pipex.com > -- > //www.freelists.org/webpage/oracle-l > -- //www.freelists.org/webpage/oracle-l