Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uzHBh-001elO-9r for pgsql-general@arkaria.postgresql.org; Thu, 18 Sep 2025 16:08:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uzHBf-000HyQ-UY for pgsql-general@arkaria.postgresql.org; Thu, 18 Sep 2025 16:08:47 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uzHBf-000Hxx-EU for pgsql-general@lists.postgresql.org; Thu, 18 Sep 2025 16:08:47 +0000 Received: from fout-a1-smtp.messagingengine.com ([103.168.172.144]) by makus.postgresql.org with smtp (Exim 4.96) (envelope-from ) id 1uzHBd-0017GF-0H for pgsql-general@lists.postgresql.org; Thu, 18 Sep 2025 16:08:46 +0000 Received: from phl-compute-10.internal (phl-compute-10.internal [10.202.2.50]) by mailfout.phl.internal (Postfix) with ESMTP id F3690EC027D; Thu, 18 Sep 2025 12:08:44 -0400 (EDT) Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-10.internal (MEProxy); Thu, 18 Sep 2025 12:08:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h= cc:content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1758211724; x=1758298124; bh=Z8rHHrjnkIn4S2NNPE39FTS6ceRcTukjma3U8HdGSLM=; b= S2fYv/sffjG6sZjbu/ecSN5+CFltY/9yBB5+oST9KkXpsgs9RfywI/2mmevYM4DH HP0qLoQCskVLMpTFOcN03DvQKG2fLPzSI3mI0qLyKDHP6mqBao5cBn451P0zJ8i3 2suG3I0AyzkWCdlT+/OhBV/rnyEwCj36+577RbmrP6tZyn/ci3pXqkGbYRWxMwHE gE3C015FoBolFzHkgf29XyEzf4WowMdy/CZ4NYC1J2EGSmbnpv9Q6HZKjHkWLHbg k8IelUMneniEoK8ZrFiyiJQbPbyb3OUYA9SBZcCUWkAHc9ONDbHD77ZqAP+wVLsE QklvTekCmKv4JzZzWk6uIg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1758211724; x=1758298124; bh=Z 8rHHrjnkIn4S2NNPE39FTS6ceRcTukjma3U8HdGSLM=; b=N9IyTg4X6BEykZx60 KWW9FlFe+VrOSSF6tNhDYnfxDIVxkfRT9ThqQxcfILW9X3xd9TvCabJEVBzkNIL0 lwmjbXEpH+/bMTiRk3gLn+elNKRmspj7j1WWle2gzmbdhbVM5OZ7GnhXGyTXgh7X OZiGvW9p1SX+cep8dCSdZTuQJLr6UijL+gv5IOabtaFoSVVutT5aqN50Sop4drih Oyzxlz6A5DMiTngnd6WGNge7ZnddLeQsgErfiaad3eSGz2+E7MoWg1c+t2VJ9+JV 0Ph+lK9BMqqQ/j3iygfT4uCml6wJV2mGkIwQQZOKLPL8uSABQWnQmrcFiH/xSkcE HGRTg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggdegieejjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug hrpefkffggfgfuvfhfhfgjtgfgsehtkeertddtvdejnecuhfhrohhmpeetughrihgrnhcu mfhlrghvvghruceorggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomheqne cuggftrfgrthhtvghrnhepffevieeghfffgeehhefhieetieejgedvgeeilefgueehfeev udehkedukefgfedtnecuffhomhgrihhnpehthhgrlhgvshhgrhhouhhprdgtohhmnecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprggurhhirghn rdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnhgspghrtghpthhtohepvddpmhhoug gvpehsmhhtphhouhhtpdhrtghpthhtohepphhhihhlrdhhohhruggvrhesuhhkrdhthhgr lhgvshhgrhhouhhprdgtohhmpdhrtghpthhtohepphhgshhqlhdqghgvnhgvrhgrlheslh hishhtshdrphhoshhtghhrvghsqhhlrdhorhhg X-ME-Proxy: Feedback-ID: i76984098:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 18 Sep 2025 12:08:43 -0400 (EDT) Message-ID: Date: Thu, 18 Sep 2025 09:08:43 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: How do I specify the NetworkService user to the postgres installer. To: HORDER Philip , "pgsql-general@lists.postgresql.org" References: <1a55b2a6d4f54a9a8a67cff9937abc9e@uk.thalesgroup.com> Content-Language: en-US From: Adrian Klaver In-Reply-To: <1a55b2a6d4f54a9a8a67cff9937abc9e@uk.thalesgroup.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 9/18/25 02:58, HORDER Philip wrote: > Classified as: {OPEN} > > > Hi all. > > I’m installing Postgres 17.3.5 > > Running Windows 11, but on an office machine that I have limited control > over the environment. > > This **was** working, running from a batch script: > > %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal -- > superaccount %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D: > \Postgres\17\data --serverport %PGPORT% --enable-components > server,pgAdmin,commandlinetools > > However, the elevated rights environment I have to use has been changed > by the IT overlords. > > I don’t know what’s changed, but the installer now fails in the initdb > phase, and doesn’t create the Windows service: > > /running bootstrap script ... Execution of PostgreSQL by a user with > administrative permissions is not/ What I know about Windows permission these days could fit in the navel of flea, so this is just an observation. --superpassword %PGPASSWORD% to me implies an administrator user and hence not '...started under an unprivileged user ID ...'. Seems to me the answer is going to start with getting information from the overlords on what changed below: " However, the elevated rights environment I have to use has been changed by the IT overlords. I don’t know what’s changed, but the installer ... " > > /permitted./ > > /The server must be started under an unprivileged user ID to prevent/ > > /possible system security compromises.  See the documentation for/ > > /more information on how to properly start the server./ > > By default, the service would run as user /Network Service./ > > But now the installer is either picking a different Windows user, or > thinks that the NetworkService has admin permissions. > > I’ve found separate commands to register the service with -U "NT > AUTHORITY\NetworkService", but want to do this in one step, rather than > allowing the installer to fail, and then manage additional steps to > initialise the database and create a service. > > Trying to give this to the installer doesn’t work: > > %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal *-- > serviceaccount "NT AUTHORITY\NetworkService" * --superaccount > %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D:\Postgres\17\data > --serverport %PGPORT% --enable-components server,pgAdmin,commandlinetools > > What arguments can I pass the installer to get it to use the correct > Windows account to run the service? > > Thanks, > > *Phil Horder* > > *Database Mechanic* > > Thales > > Land & Air Systems > > *Horizon House, Throop Road, Templecombe, Somerset, BA8 0DH, UK* > > www.thalesgroup.com/uk <../../../../../../t0038633/Application%20Data/ > Microsoft/Signatures/www.thalesgroup.com/uk> > > Telephone:  +44 (0)1963 372041 > > Mobile: +44 (0)771 765 2467 > > > {OPEN} > > The information contained in this e-mail is confidential. It is intended > only for the stated addressee(s) and access to it by any other person is > unauthorised. If you are not an addressee, you must not disclose, copy, > circulate or in any other way use or rely on the information contained > in this e-mail. Such unauthorised use may be unlawful. If you have > received this e-mail in error, please inform the originator immediately > and delete it and all copies from your system. > > Thales UK Limited. A company registered in England and Wales. Registered > Office: 350 Longwater Avenue, Green Park, Reading, Berks RG2 6GF. > Registered Number: 868273 > > Please consider the environment before printing a hard copy of this e-mail. > -- Adrian Klaver adrian.klaver@aklaver.com