Infrastructure at your Service

Franck Pachot

Oracle 12cR2 on Windows: Virtual Accounts

By Franck Pachot

Oracle Database is released for Windows, just 2 weeks after the Linux release, and this is a very good news. Let’s see something new you will encounter in the first screens of Oracle 12.2 installer. Don’t worry, the default choice is the right one. But better understand it.


On Linux, you don’t install Oracle Database as root. You create a user, usually called oracle, which will be the owner of the database files and the instance processes and shared memory. This looks obvious be before 12c the Oracle Instance is running as the root equivalent, the built-in SYSTEM user. This was very bad from a security point of view: running a software with the most powerful user on the system.

12.1 Oracle Home User

This has changed in 12.1 with the possibility to define another user, which already exists, or which you create at installation providing user name and password.

This user is called the Oracle Home user. Just to get it clear, it is the user which will run the instance. You still install the software as Administrator.
So, in 12.1 the choice is existing user, new user or SYSTEM and the recommandation is to create a user. But it is quite annoying to have to provide a user and password for a user you will never use to log in.

12.2 Virtual Accounts

Windows 2008 R2 has introduced two new local service users: Managed Service Accounts (MSA) and Virtual Accounts.

Managed Service Accounts are created by the administrator in the Active Directory (using New-ADServiceAccount). And you can use them in 12c by mentioning the name in ‘Use Existing Windows User’.

Virtual Accounts are enabled by default in Windows. In 12.2 you can use this feature for Oracle Home account. It is the first option, the default one, and the one recommended if you have no reason to use another user:



If you don’t know what has been defined, look at the registry. Find the ORACLE_HOME you run from, read the registry key from %ORACLE_HOME%\bin\oracle.key and look at the keys:


Here ORACLE_SVCUSER_TYPE is new with value ‘V’ which means that the ORACLE_SVCUSER is a Virtual Account. ORACLE_SVCUSER_PWDREQ mentions that no password has to be provided for the instances services.

Note that the old method, the ‘built-in account’ had the following, mentioning the internal SYSTEM, and without a TYPE:


The 12.1 method of non-privileged user had ORACLE_SVCUSER_PWDREQ=1 and requires the password for the services.

Back to virtual account, I said that they are used for instance services and database files. Let’s have a look at services and file security properties:


The database file owner is the user we have seen above as defined by ORACLE_SVCUSER but the service ‘Log On As’ has the special ‘NT SERVICE\ServiceName‘ which is the Virtual Account. It is not a real account like built-in, local or domain ones. It is more a service that is displayed as an account here.

So what?

Don’t panic in front of this additional choice. Virtual Account is the right choice to run with a minimal privilege user and no additional complexity.


  • Ashquar says:

    Thanks for the post. Looks like Oracle documentation still not updated with the virtual user option.

    Does the new virtual account need to be granted OS privileges or should be in OS groups for certain privileges (like the new SYSDG , SYSBACKUP …etc.)

  • Ric says:

    I seem to be having issue with this virtual user. Ever since I created my 12.2 database I’m seeing a heck of a lot of “OSD-04011: GetFileInformationByHandle() failure, unable to obtain file info”. At the core this is the type of error being logged in a trace file, it happens on all files this example is the temp tablespace:

    Error in computing freespace for file 000000001498BFE0 C:\APP\RVANDYKE\VIRTUAL\ORADATA\HOTSOS12\TEMP01.DBF
    ORA-27037: unable to obtain file status
    OSD-04011: GetFileInformationByHandle() failure, unable to obtain file info
    O/S-Error: (OS 5) Access is denied.

    It certainly appears that everyone has full access to the files including the group “ORA_OraDB12Home1_SVCACCTS” I’m really at a loss as to what is going on. Over all the database appears to be working, but the volume of these errors is rather large. If you have any ideas on how to solve this I’d very much appreciate hearing from you. Thanks!

  • Yes man says:

    Tried to install 12.2 with the default option (Virtual Account), and the installation ended with the listener not being able to start up, and the database files not created (although I took that option). Manually running DBCA results in the same error .. there is some kind of permission issue. I also saw reference to directory C:\OraNT not being present :

    installActions2017-12-28_05-07-16PM.log:WARNING: Skipping line: Error: Environmental error detected: Oracle Home is set to “C:\ORANT” in the environment is different from Oracle Net Configuration Assistant installed Oracle Home.

    I have nowhere used that, it isn’t present on my machine, and I’m not aware of any Oracle Home in such a directory ..

  • henry says:

    I installed 12.2 using virtual account, it installed and have been working fine. Now I am trying to install Oracle gateway12201, but the installer does not have the virtual account option to install it. Any help will be appreciated.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Franck Pachot
Franck Pachot

Principal Consultant / Database Evangelist
Oracle ACE Director, Oracle Database OCM 12c
AWS Database Specialty certified, AWS Data Hero
Oak Table member

RSS for this blog: feed
Twitter: @FranckPachot
LinkedIn :
Podcast en français: DBPod