On Tue, Nov 15, 2005 at 01:51:04PM +0100, Magnus Hagander wrote:
> Huh. The stated problem is that the low privilege account does *not*
> have the required privilege (to log in).
> Note that PostgreSQL doesn't really require "log on locally" for
> anything other than initdb. So if you can initdb on a different box and
> copy it there, or somehow get the permissions temporarily, the server
> will workf ine. The server only requires "Log in as a service".
Sorry, my understanding of Windows permissions is hazy at times. You
have permission to create users, but not permission to run programs as
the user you created (because you need to "login"). And there is a
distinction between running as a service and running as a program(?!).
So I think my statement is correct that the above user cannot run
programs as anything other than administrator privelidges. Like you
said, if he could, this discussion would be moot.
> If the security is set up so that you can use a local *admin* acconut
> but not a local *nonadmin* accuont, then your domain people really need
> to look over their security policies, because they are very very broken
> indeed.
That was the way I read it and I agree, that's a very broken way to set
things up.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
