Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uzBPc-000LsY-MH for pgsql-general@arkaria.postgresql.org; Thu, 18 Sep 2025 09:58:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uzBPb-00FJ64-9M for pgsql-general@arkaria.postgresql.org; Thu, 18 Sep 2025 09:58:47 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uzBPa-00FJ5w-Nm for pgsql-general@lists.postgresql.org; Thu, 18 Sep 2025 09:58:46 +0000 Received: from mail.uk.thalesgroup.com ([192.93.165.134]) by makus.postgresql.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uzBPX-0014Hs-34 for pgsql-general@lists.postgresql.org; Thu, 18 Sep 2025 09:58:45 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=uk.thalesgroup.com; q=dns/txt; s=B01; t=1758189524; x=1789725524; h=from:to:subject:date:message-id:mime-version; bh=ndt2a2k5KJktqtvXjx6Hg2R+WKKkyuQUAuLtwHkfYMY=; b=BXyTEZ2NGcH4aa8osLy8EpDC0GO4Oc5FQkoKeWPpkijd0fJriR9iANsY B5NqiEcXru6QZ6KGno4RLxXfqyQtg8LjPjwIx3xSq6wtmTCKk+bmOXaXx BOhjsnCXKKQMp6jc0Sx0oj1hohDIdI/OoAs/w2+wpWrsPf1FV0K2B4bYl F5hA/HYCmruMJvXkt0W7oXHyeWVwOnsSSJcnPC7WbYvMYZWT+N84o7ynP 2LM+xANzQvxwXxYnGATHFG3bviiwyJpP97srCqkaaS5k7exsWcriCl9Ns J+64zmIZnKGBAklro62E6wR/b8Uw55cUpch51Urs5YX4sDJSLiBKaQCf5 Q==; X-IronPort-AV: E=Sophos;i="6.18,274,1751238000"; d="scan'208,217";a="44081393" X-Trellix: Whitelist From: HORDER Philip To: "pgsql-general@lists.postgresql.org" Subject: How do I specify the NetworkService user to the postgres installer. Thread-Topic: How do I specify the NetworkService user to the postgres installer. Thread-Index: AdwogNdtn0sq2eaYRvGthEyRdrijFQ== Date: Thu, 18 Sep 2025 09:58:11 +0000 Message-ID: <1a55b2a6d4f54a9a8a67cff9937abc9e@uk.thalesgroup.com> Accept-Language: en-GB, en-US Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_Enabled=true; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_SetDate=2025-09-18T09:58:08Z; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_Method=Privileged; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_Name=THALES-CORE-01; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_SiteId=6e603289-5e46-4e26-ac7c-03a85420a9a5; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_ActionId=908cdf56-70a5-4d12-b7c9-3bae9b5896db; MSIP_Label_64c9cc36-7289-4c96-81d0-25ee8eefd11d_ContentBits=3 thales-sensitivity: {TGOPEN} dlp-product: dlpe-windows dlp-version: 11.12.0.808 dlp-reaction: no-action dlpmanualfileclassification: {64c9cc36-7289-4c96-81d0-25ee8eefd11d} x-endpointsecurity-0xde81-ev: v:7.9.26.567, d:out, a:y, w:t, t:9, sv:1758176750, ts:1758189492 Content-Type: multipart/alternative; boundary="_000_1a55b2a6d4f54a9a8a67cff9937abc9eukthalesgroupcom_" MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --_000_1a55b2a6d4f54a9a8a67cff9937abc9eukthalesgroupcom_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Classified as: {OPEN} Hi all. I'm installing Postgres 17.3.5 Running Windows 11, but on an office machine that I have limited control ov= er the environment. This *was* working, running from a batch script: %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal --superac= count %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D:\Postgres\17\da= ta --serverport %PGPORT% --enable-components server,pgAdmin,commandlinetool= s However, the elevated rights environment I have to use has been changed by = the IT overlords. I don't know what's changed, but the installer now fails in the initdb phas= e, and doesn't create the Windows service: running bootstrap script ... Execution of PostgreSQL by a user with adminis= trative permissions is not permitted. The server must be started under an unprivileged user ID to prevent possible system security compromises. See the documentation for more information on how to properly start the server. By default, the service would run as user Network Service. But now the installer is either picking a different Windows user, or thinks= that the NetworkService has admin permissions. I've found separate commands to register the service with -U "NT AUTHORITY\= NetworkService", but want to do this in one step, rather than allowing the = installer to fail, and then manage additional steps to initialise the datab= ase and create a service. Trying to give this to the installer doesn't work: %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal --service= account "NT AUTHORITY\NetworkService" --superaccount %BIGBOSSMAN% --superp= assword %PGPASSWORD% --datadir D:\Postgres\17\data --serverport %PGPORT% --= enable-components server,pgAdmin,commandlinetools What arguments can I pass the installer to get it to use the correct Window= s account to run the service? Thanks, Phil Horder Database Mechanic Thales Land & Air Systems Horizon House, Throop Road, Templecombe, Somerset, BA8 0DH, UK www.thalesgroup.com/uk<../../../../../../t0038633/Application%20Data/Micros= oft/Signatures/www.thalesgroup.com/uk> Telephone: +44 (0)1963 372041 Mobile: +44 (0)771 765 2467 {OPEN} The information contained in this e-mail is confidential. It is intended on= ly for the stated addressee(s) and access to it by any other person is unau= thorised. If you are not an addressee, you must not disclose, copy, circula= te or in any other way use or rely on the information contained in this e-m= ail. Such unauthorised use may be unlawful. If you have received this e-mai= l in error, please inform the originator immediately and delete it and all = copies from your system. Thales UK Limited. A company registered in England and Wales. Registered Of= fice: 350 Longwater Avenue, Green Park, Reading, Berks RG2 6GF. Registered = Number: 868273 Please consider the environment before printing a hard copy of this e-mail. --_000_1a55b2a6d4f54a9a8a67cff9937abc9eukthalesgroupcom_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Classified as: {O= PEN}


Hi all.

I’m installing Postgres 17.3.5

Running Windows 11, but on an office machine that I = have limited control over the environment.

 

This *was* working, running from a batch scri= pt:

%POSTGRES_INSTALLER% --mode unattended --unattendedm= odeui minimal --superaccount %BIGBOSSMAN% --superpassword %PGPASSWORD% --da= tadir D:\Postgres\17\data --serverport %PGPORT% --enable-components server,= pgAdmin,commandlinetools

 

However, the elevated rights environment I have to u= se has been changed by the IT overlords.

I don’t know what’s changed, but the ins= taller now fails in the initdb phase, and doesn’t create the Windows = service:

 

running bootstrap script ... Execution of Postgre= SQL by a user with administrative permissions is not

permitted.

The server must be started under an unprivileged = user ID to prevent

possible system security compromises.  See t= he documentation for

more information on how to properly start the ser= ver.

 

By default, the service would run as user Network= Service.

But now the installer is either picking a different = Windows user, or thinks that the NetworkService has admin permissions.=

 

I’ve found separate commands to register the s= ervice with -U "NT AUTHORITY\NetworkService", but want to do this= in one step, rather than allowing the installer to fail, and then manage a= dditional steps to initialise the database and create a service.

 

Trying to give this to the installer doesn’t w= ork:

%POSTGRES_INSTALLER% --mode unattended --unattendedm= odeui minimal --serviceaccount "NT AUTHORITY\NetworkService"  --sup= eraccount %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D:\Postgres\1= 7\data --serverport %PGPORT% --enable-components server,pgAdmin,commandline= tools

 

What arguments can I pass the installer to get it to= use the correct Windows account to run the service?

 

Thanks,

Phil Horder

Database Mechanic

 

Thales

Land & Air Systems

Horizon House, Throop Road, Templecombe, Somerset, BA8 0DH, UK

 

www.thalesgroup.c= om/uk

 

Telephone:  +44 (0)1963 372041

Mobile: +44 (0)771 765 2467

 


{OPEN}

The information contained in this e-mail is confidential. It is intended on= ly for the stated addressee(s) and access to it by any other person is unau= thorised. If you are not an addressee, you must not disclose, copy, circula= te or in any other way use or rely on the information contained in this e-mail. Such unauthorised use may be = unlawful. If you have received this e-mail in error, please inform the orig= inator immediately and delete it and all copies from your system.

Thales UK Limited. A company registered in England and Wales. Registered Of= fice: 350 Longwater Avenue, Green Park, Reading, Berks RG2 6GF. Registered = Number: 868273

Please consider the environment before printing a hard copy of this e-mail.=

--_000_1a55b2a6d4f54a9a8a67cff9937abc9eukthalesgroupcom_--