Re: How do I specify the NetworkService user to the postgres installer. - Mailing list pgsql-general

On 9/18/25 02:58, HORDER Philip wrote:
> Classified as: {OPEN}
> 
> 
> Hi all.
> 
> I’m installing Postgres 17.3.5
> 
> Running Windows 11, but on an office machine that I have limited control 
> over the environment.
> 
> This **was** working, running from a batch script:
> 
> %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal -- 
> superaccount %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D: 
> \Postgres\17\data --serverport %PGPORT% --enable-components 
> server,pgAdmin,commandlinetools
> 
> However, the elevated rights environment I have to use has been changed 
> by the IT overlords.
> 
> I don’t know what’s changed, but the installer now fails in the initdb 
> phase, and doesn’t create the Windows service:
> 
> /running bootstrap script ... Execution of PostgreSQL by a user with 
> administrative permissions is not/

What I know about Windows permission these days could fit in the navel 
of flea, so this is just an observation.

--superpassword %PGPASSWORD% to me implies an administrator user and 
hence not '...started under an unprivileged user ID ...'.

Seems to me the answer is going to start with getting information from 
the overlords on what changed below:

"
However, the elevated rights environment I have to use has been changed 
by the IT overlords.

I don’t know what’s changed, but the installer ...
"

> 
> /permitted./
> 
> /The server must be started under an unprivileged user ID to prevent/
> 
> /possible system security compromises.  See the documentation for/
> 
> /more information on how to properly start the server./
> 
> By default, the service would run as user /Network Service./
> 
> But now the installer is either picking a different Windows user, or 
> thinks that the NetworkService has admin permissions.
> 
> I’ve found separate commands to register the service with -U "NT 
> AUTHORITY\NetworkService", but want to do this in one step, rather than 
> allowing the installer to fail, and then manage additional steps to 
> initialise the database and create a service.
> 
> Trying to give this to the installer doesn’t work:
> 
> %POSTGRES_INSTALLER% --mode unattended --unattendedmodeui minimal *-- 
> serviceaccount "NT AUTHORITY\NetworkService" * --superaccount 
> %BIGBOSSMAN% --superpassword %PGPASSWORD% --datadir D:\Postgres\17\data 
> --serverport %PGPORT% --enable-components server,pgAdmin,commandlinetools
> 
> What arguments can I pass the installer to get it to use the correct 
> Windows account to run the service?
> 
> Thanks,
> 
> *Phil Horder*
> 
> *Database Mechanic*
> 
> Thales
> 
> Land & Air Systems
> 
> *Horizon House, Throop Road, Templecombe, Somerset, BA8 0DH, UK*
> 
> www.thalesgroup.com/uk <../../../../../../t0038633/Application%20Data/ 
> Microsoft/Signatures/www.thalesgroup.com/uk>
> 
> Telephone:  +44 (0)1963 372041
> 
> Mobile: +44 (0)771 765 2467
> 
> 
> {OPEN}
> 
> The information contained in this e-mail is confidential. It is intended 
> only for the stated addressee(s) and access to it by any other person is 
> unauthorised. If you are not an addressee, you must not disclose, copy, 
> circulate or in any other way use or rely on the information contained 
> in this e-mail. Such unauthorised use may be unlawful. If you have 
> received this e-mail in error, please inform the originator immediately 
> and delete it and all copies from your system.
> 
> Thales UK Limited. A company registered in England and Wales. Registered 
> Office: 350 Longwater Avenue, Green Park, Reading, Berks RG2 6GF. 
> Registered Number: 868273
> 
> Please consider the environment before printing a hard copy of this e-mail.
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com