Re: Error starting service on Win2k

From: "Conal Tuohy" <Conal(dot)Tuohy(at)vuw(dot)ac(dot)nz>
To: <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: Error starting service on Win2k
Date: 2004-09-19 23:58:33
Message-ID: 802926B6AB8533408C33ADBCA3EE5C2A138C47@coso.staff.vuw.ac.nz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Magnus Hagander wrote:

> >Firstly, I couldn't install postgresql as a Windows service
> >using the installer - using the installer, I couldn't add
> >postgresql as a Windows service without being a local
> >administrator. However, if I was logged on as a local admin
> >then the service would install but there was an error reported
> >later on saying that the server wouldn't run because I was
> >administrator (don't have a log of that error, sorry).
>
> You need two accounts. One administrator account that starts the
> installer (this could be "Administrator" or cours e- definitly no need
> to create a special user for this). Another account which is
> used to run
> the eventual installed postgres. This is the account that you
> specify on
> the service account screen in the installer. This account
> MUST NOT be an
> administrator.

OK. It turns out that the problem there was that the installer (postgresql-8.0-beta2-dev3.msi) actually created a user account which WAS a member of "Power Users", because my "Power Users" group included the group "NT AUTHORITY\Authenticated Users" (according to the MS website [1], this is the default configuration for Windows XP and Windows 2k Professional, though NOT for Win2k Server or Win2003 Server). This setting means that ANY new local account is AUTOMATICALLY a power user. When I realised this I removed the "NT AUTHORITY\Authenticated Users" from the "Power Users" local group, and the installer ran perfectly.

It would be better if the installer would detect this situation, though, because users installing PostgreSQL on WinXP or Win2k Professional with the default security setup will otherwise find that the installer will create a user account which then doesn't work, which is not a good start :-) The cause is not immediately apparent because "NT AUTHORITY\Authenticated Users" is not a regular security group, so the user account doesn't show up as being a member. You have to know what "NT AUTHORITY\Authenticated Users" actually means. IMHO, when the PG installer creates a user account, it should test to see if it is automatically a Power User, or it could test the "Power Users" group, and any nested groups directly to see if they contain this "NT AUTHORITY\Authenticated Users" group, and if so, it should pop up a dialog box pointing out the need to remove "NT AUTHORITY\Authenticated Users" from the "Power Users" group, perhaps even making this modification itself.

Thanks for your help, Magnus!

Con

1.
http://www.microsoft.com/windows2000/en/professional/help/windows_security_default_settings.htm
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_differences.asp

Browse pgsql-bugs by date

  From Date Subject
Next Message Josh Berkus 2004-09-20 00:07:16 Re: Money type not gone?
Previous Message Magnus Hagander 2004-09-19 20:30:07 Re: Error starting service on Win2k