Magnus Hagander wrote:
> >Firstly, I couldn't install postgresql as a Windows service=20
> >using the installer - using the installer, I couldn't add=20
> >postgresql as a Windows service without being a local=20
> >administrator. However, if I was logged on as a local admin=20
> >then the service would install but there was an error reported=20
> >later on saying that the server wouldn't run because I was=20
> >administrator (don't have a log of that error, sorry).
>=20
> You need two accounts. One administrator account that starts the
> installer (this could be "Administrator" or cours e- definitly no need
> to create a special user for this). Another account which is=20
> used to run
> the eventual installed postgres. This is the account that you=20
> specify on
> the service account screen in the installer. This account=20
> MUST NOT be an
> administrator.
OK. It turns out that the problem there was that the installer (postgresql-=
8.0-beta2-dev3.msi) actually created a user account which WAS a member of "=
Power Users", because my "Power Users" group included the group "NT AUTHORI=
TY\Authenticated Users" (according to the MS website [1], this is the defau=
lt configuration for Windows XP and Windows 2k Professional, though NOT for=
Win2k Server or Win2003 Server). This setting means that ANY new local acc=
ount is AUTOMATICALLY a power user. When I realised this I removed the "NT =
AUTHORITY\Authenticated Users" from the "Power Users" local group, and the =
installer ran perfectly.
It would be better if the installer would detect this situation, though, be=
cause users installing PostgreSQL on WinXP or Win2k Professional with the d=
efault security setup will otherwise find that the installer will create a =
user account which then doesn't work, which is not a good start :-) The cau=
se is not immediately apparent because "NT AUTHORITY\Authenticated Users" i=
s not a regular security group, so the user account doesn't show up as bein=
g a member. You have to know what "NT AUTHORITY\Authenticated Users" actual=
ly means. IMHO, when the PG installer creates a user account, it should tes=
t to see if it is automatically a Power User, or it could test the "Power U=
sers" group, and any nested groups directly to see if they contain this "NT=
AUTHORITY\Authenticated Users" group, and if so, it should pop up a dialog=
box pointing out the need to remove "NT AUTHORITY\Authenticated Users" fro=
m the "Power Users" group, perhaps even making this modification itself.
Thanks for your help, Magnus!
Con
1.
http://www.microsoft.com/windows2000/en/professional/help/windows_security_=
default_settings.htm
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/=
proddocs/en-us/windows_security_differences.asp
