3 Supporting Oracle Home User on Windows

Starting with Oracle Database 12c Release 1 (12.1), Oracle Database supports the use of Oracle Home User, specified at the time of Oracle Database installation. Oracle Home User is used to run the Windows services for the Oracle home. Oracle Home User can be a Windows built-in account or a standard Windows User Account (not an Administrator account). Oracle Home User cannot be changed after installation.

If a Windows built-in account is used, then no user name or password is required during installation and administration. However, if a Windows User Account is used as Oracle Home User, then you must provide the user name and password during installation and some of the administration tasks.

Oracle Home User is different from Oracle Installation User. Oracle Installation User is the user who requires administrative privileges to install Oracle products. Oracle Home User is used to run the Windows services. You must not log on as the Oracle Home User to perform administrative tasks.

Note that the Windows administrator privilege is still required to perform Oracle administrative functions such as installation, upgrade, patching, and other functions.

Note:

A Windows User Account used as Oracle Home User cannot have administrator privileges, because this causes the Oracle Universal Installer to display an error message.

Note:

See the Microsoft documentation for more information on different types of Windows user accounts.

See Also:

The "Specify Oracle Home User" screen in "Table 5-1 Oracle Universal Installer Windows" in Oracle Database Installation Guide for Microsoft Windows

See the following sections for more information:

Managing Oracle Home User

If you use a Windows User Account as the Oracle Home User, then you must ensure that this user account is present in the Windows system and its password is managed securely to ensure the proper operation and security of the database.

You must secure the password of this Windows User Account and ensure that only database administrators have access to it, because anyone who logs on with this Windows User Account can log on to the database as the database administrator. You must also change the password for this Windows User Account at regular intervals as a security measure. You can change the password using Windows tools. However, when you change the password for this Windows User Account, you must also update the password for all Oracle services running under the Windows User Account.

This release has introduced a new Windows utility called the Oracle Home User Control. This is a command-line tool that displays the Oracle Home User name associated with the current Oracle home and updates the password for all Oracle services running under a specific Windows User Account (used as Oracle Home User). See section "Using the Oracle Home User Control Tool" for more information.

Using Oracle Home User for Oracle Single-Instance Database and Oracle Database Client

For single-instance Oracle Database and Oracle Database Client installations, you can use a Windows built-in account or a standard Windows User Account as Oracle Home User.

The Windows User Account can be an existing Windows Local User, Windows Domain User or Managed Services Account (MSA) with no administration privileges. For a Windows Local User Account or a Windows Domain User Account, you must provide both the user name and password during installation. For a Managed Services Account, you must provide the user name only.

For a Windows Local User, you also have the option of creating a new Windows user during installation. You must provide the user name and password for the user account and Oracle Universal Installer creates the Windows user during installation. The newly created Windows account is denied interactive logon privileges to the Windows computer. However, a Windows administrator can still manage this account like any other Windows account.

Note that if a Windows Local User Account is chosen as the Oracle Home User during single-instance Oracle Database installation, Windows NT Native Authentication (NTS) cannot be used for authenticating Windows domain users or users from remote computers.

For single-instance Oracle Database installations, Oracle recommends that you use a standard Windows User Account (instead of a Windows built-in account) as Oracle Home User for enhanced security. For Oracle Database Client installations, it is not necessary to use a Windows User Account as Oracle Home User for reasons of security. Even when the Windows built-in account is chosen as the Oracle Home User, Oracle services for a client home are run using the built-in low-privileged LocalService account.
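The following PowerShell inventory is an added example, not part of the Oracle documentation. It lists the logon account of each Oracle service so you can see which services need a password update after the Oracle Home User password changes, and whether a Windows User Account has drifted into the local Administrators group. It assumes that Oracle service names begin with "Oracle"; the function name and the `-NameFilter` parameter are hypothetical.

```powershell
#Requires -Version 5.1
# Added example: report the logon account (Oracle Home User) of each Oracle service.
# Assumption: Oracle service names start with "Oracle"; adjust -NameFilter otherwise.
function Get-OracleServiceAccountReport {
    param([string]$NameFilter = 'Oracle%')   # WQL LIKE pattern

    # Direct members of the local Administrators group (well-known SID).
    # Membership gained through nested domain groups is not resolved here.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)

    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$NameFilter'" |
        ForEach-Object {
            $account = $_.StartName
            if (-not $account) { return }    # no logon account recorded; skip

            # Services store local accounts as ".\name"; expand to COMPUTER\name
            if ($account -like '.\*') {
                $account = '{0}\{1}' -f $env:COMPUTERNAME, $account.Substring(2)
            }

            # Heuristic classification: account names ending in "$" are treated
            # as Managed Services Accounts, whose password Windows manages.
            $type = if ($account -eq 'LocalSystem' -or $account -like 'NT AUTHORITY\*') {
                'BuiltIn'
            } elseif ($account -like '*$') {
                'ManagedServiceAccount'
            } else {
                'WindowsUserAccount'
            }

            [pscustomobject]@{
                Service           = $_.Name
                State             = $_.State
                LogonAccount      = $account
                AccountType       = $type
                IsLocalAdmin      = $admins -contains $account
                NeedsPasswordSync = ($type -eq 'WindowsUserAccount')
            }
        }
}

$report = Get-OracleServiceAccountReport
$report | Sort-Object LogonAccount, Service | Format-Table -AutoSize

# An Oracle Home User must not hold administrator privileges.
$report | Where-Object IsLocalAdmin | ForEach-Object {
    Write-Warning "$($_.Service) runs as local administrator $($_.LogonAccount)"
}
```

Services with `NeedsPasswordSync` set are the ones whose stored credentials must be updated whenever the account password changes.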

Using Oracle Home User for Oracle RAC Database

See Oracle Grid Infrastructure Installation Guide for Microsoft Windows x64 (64-Bit) for information about using Oracle Home User for Oracle RAC Installation.

Using Oracle Home User for Oracle Grid Infrastructure

See Oracle Grid Infrastructure Installation Guide for Microsoft Windows x64 (64-Bit) for information about using Oracle Home User for the Oracle Grid Infrastructure installation for a cluster.

Using Oracle Home User in Case of Multiple Oracle Home

Different Oracle homes on a system can use the same Oracle Home User or use different Oracle Home User names. Note that earlier releases (11.2 and earlier) of Oracle Database are treated as equivalent to using a Windows built-in account as Oracle Home User.

As Oracle Home User has complete control over the Oracle base directory for an Oracle home, multiple Oracle homes are allowed to share the same Oracle base only when they use the same Oracle Home User. This is done for security reasons.

However, as an exception, Oracle supports the sharing of an Oracle base directory between a Windows built-in account and a specific Windows User Account. This enables easier upgrade of Oracle home from the older releases of Oracle Database to Oracle Database 12c Release 1 as the same Oracle base can be shared, and all the files under the Oracle base can be accessed by the Oracle Home User.

Note:

Note of caution while sharing Oracle base:
  • When you share an Oracle base between 11g Release 2 (or earlier) and 12c Release 1, the Windows User Account (used as Oracle Home User) is granted full control of the Oracle base and its subdirectories. This means that the Windows User Account (for the 12.1 Oracle home) can access or update any database files for the earlier release.

  • After installing Oracle Database 12c Release 1 (or later) with a Windows User Account as Oracle Home User, do not install older versions of Oracle Database and share the same Oracle base directory. During the installation of older releases, ACLs are reset corresponding to older releases and Oracle Database 12c Release 1 (or later) services may not be able to access the Oracle base directory and files.

Conversely, if you decide to use a different Oracle base for 12c Release 1, there may be some issues in terms of Oracle services accessing the files from the older Oracle base. See section "Setting File Permissions" for more information.

See Also:

"Multiple Oracle Homes Support" in Oracle Database Installation Guide for Microsoft Windows

Using Oracle Home User During Oracle Database Upgrade

You can use Oracle Database Upgrade Assistant to upgrade or move databases across Oracle homes if both the Oracle homes use the same Windows User Account as Oracle Home User, or at least one of the Oracle homes is configured to use a Windows built-in account as the Oracle Home User.

Converting from Single-Instance Oracle Database to Oracle Real Application Clusters

You can convert from Oracle Database 12c Release 1 (12.1) single-instance databases to Oracle RAC using Oracle Database Configuration Assistant, rconfig, or Oracle Enterprise Manager.

For in-place conversion, Oracle Home User cannot be changed. For out-of-place conversion, Oracle Home User can be changed only if the Oracle home for the single-instance database is not already configured with a Windows Domain User Account.