Beginning with Oracle Database 12c Release 1, Oracle introduces the new Oracle Home User account under Windows. But why? Until now, everything ran fine without any special accounts. Those who work with Oracle databases on UNIX-like operating systems know the clear separation of the root user and the Oracle DBA (oracle). Everyone has their tasks: the DBA takes care of the database or the software installation (usually the oinstall group), and only root can make changes to the server. On Windows this has been different so far. It is sometimes difficult to design a granular assignment of rights, and when in doubt the administrator account has to serve. With 12c, Oracle is now trying to bring a rights concept similar to the one on UNIX to Windows database servers.
Home User Account
The Oracle Home User Account is a low-privileged account without administrator rights. It is used to manage the database (not the database software) and the associated services. When you install the database software, Oracle provides us with three choices.
The first option is "Use Existing Windows User": either a local user, a domain user or a so-called managed service account (MSA). The second option is "Create New Windows User", where a local user account is created on the computer. However, the account has no registration or login permission. The third option, "Use Windows Built-in Account", means the built-in account that Windows uses internally to manage its services and privileges. In general Oracle uses SYSTEM or local system for this. This last selection corresponds to the configuration as it was made up to Oracle 11g. With this choice the Home User account is effectively defined. No matter what choice you make, after installation there is no way back. You cannot change the Oracle Home User anymore!
I cannot give a clear answer as to which account you should choose in which case. If you are in a domain, it really makes sense to define a domain user account or an MSA. The benefits of centralized management through Active Directory over the local variant need no discussion here. However, you should consider the distinguishing features between an MSA and a "normal" domain account.
But what impact do the different options have? In concrete terms, the new Home User has full access to the entire Oracle Base directory. This permission is inherited by all sub-directories and files. Patching the software remains the task of the administrator. As already said, the Home User must not have administrative privileges and is excluded here. This distinction becomes clear when you look at the owner of the Oracle Home: it is the administrator who installed the software. The owner of the data file directory and the data files is the Oracle Home User.
Another major change is that the Home User has authority over the services run by the database instance itself and by the listener.
The Home User can therefore start and stop the appropriate services. As a consequence, the Home User is also required when creating a new listener or when a new database is to be created.
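The separation described above (services run by a non-administrative Home User, software home owned by the installing administrator) can be checked on an existing server. The following PowerShell audit is an added example, not code from Oracle or from the original post; it assumes that Oracle service names start with "Oracle", and both default paths are placeholders for your own Oracle Base and Oracle Home.

```powershell
# Added example: audit the Oracle Home User separation on a Windows server.
# Assumptions: Oracle service names start with "Oracle"; both default paths
# are placeholders for your own Oracle Base and Oracle Home.
param(
    [string]$OracleBase = 'C:\app\oracle',
    [string]$OracleHome = 'C:\app\oracle\product\12.1.0\dbhome_1'
)

# Built-in accounts, i.e. the configuration used up to Oracle 11g.
$builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
           'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# Direct members of the local Administrators group (well-known SID).
# Nested domain groups are not expanded here.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

# 1. Which account runs each Oracle service, and is it over-privileged?
Get-CimInstance Win32_Service -Filter "Name LIKE 'Oracle%'" | ForEach-Object {
    # Local accounts are reported as ".\name"; normalise to "COMPUTER\name".
    $account = $_.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"
    if ($builtIn -contains $account) {
        $finding = 'built-in account (pre-12c style)'
    } elseif ($admins -contains $account) {
        $finding = 'service account is a local administrator'
    } else {
        $finding = 'ok'
    }
    [pscustomobject]@{ Service = $_.Name; RunsAs = $account; Finding = $finding }
} | Format-Table -AutoSize

# 2. Who owns the software home and the base directory, and who has
#    full control on each?
$OracleHome, $OracleBase | ForEach-Object {
    $path = $_
    $acl  = Get-Acl -Path $path
    $full = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'FullControl'
    } | ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Path        = $path
        Owner       = $acl.Owner
        FullControl = $full -join '; '
    }
} | Format-List
```

A finding other than "ok" in the first table, or a Home User listed as owner of the Oracle Home in the second, means the installation does not follow the split described in this post.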
Finally, I would like to refer to the Oracle Home User Control Tool. If the password of the Home User Account changes, Oracle needs to be made aware of it. For this you can find a shortcut to a batch file, "Update password of the Oracle Home User", in the Oracle program folder.
Alternatively, you can enter "orahomeuserctl" on the command line; with "list" you can first display the Home User:
C:\Users\Administrator> orahomeuserctl list
You then announce the new password with the following syntax:
orahomeuserctl updpwd [-user username] [-host hostname1, hostname2, …] [-log logfilename]
You will find very important additional information here:
Caution, 12c Oracle Home User cannot be changed!