| From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
|---|---|
| To: | "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | PostgreSQL service account on Windows 7: Use a virtual account |
| Date: | 2014-09-12 05:25:54 |
| Message-ID: | 541283E2.8080705@2ndquadrant.com |
| Lists: | pgsql-general |

Hi all

(This is really about the EDB installer, but we don't have anywhere
better to discuss it than -general, so):

The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
by default (as of 9.2), instead of creating a "postgres" account with
username and password. Which is a big improvement to usability.

I recently found out that on Windows 7 / win2k8 R2 and newer there's now
a better alternative available: virtual accounts and managed service
accounts. They combine the benefit of avoiding all that password
management cruft with the ability to run services in less-privileged,
better isolated accounts.

See "New Account Types Available with Windows 7 and Windows Server 2008
R2" in

    http://msdn.microsoft.com/en-au/library/ms143504.aspx

particularly "virtual accounts".

If that looks a lot like a UNIX "system account", you're not mistaken.
It looks like Microsoft have finally figured out that it'd be nice not
to need a password for a background system service and to have to then
store that password somewhere on the same system.

It may be worth adopting this when the installer detects a Windows 7 /
Win2k8 R2 or newer system - just create an account like:

    NT Service\PostgreSQL$EDB-9.4-x86

(or whatever name will get rid of conflicts) and use that instead of
NETWORK SERVICE.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
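
What switching an existing service to its virtual account can look like, as an added PowerShell example that is not part of the original message and is not the EDB installer's code. The service name and data directory are placeholders, and the script assumes an elevated prompt on Windows 7 / Server 2008 R2 or newer.

```powershell
# Placeholders (assumptions, not values from the message above).
$ServiceName = 'postgresql-example'    # name of the existing Windows service
$DataDir     = 'C:\pgdata-example'     # PostgreSQL data directory

# A virtual account is named after the service it belongs to.
$Account = "NT SERVICE\$ServiceName"

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Host "Current logon account: $($svc.StartName)"

# Grant the virtual account full control of the data directory, inherited by
# files and subdirectories, before switching so the service can still start.
icacls.exe $DataDir /grant "${Account}:(OI)(CI)F" /T /Q
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Switch the logon account. No password is supplied or stored.
# Use sc.exe explicitly: in PowerShell, "sc" is an alias for Set-Content.
# sc.exe expects "obj=" and its value as separate arguments.
sc.exe config $ServiceName obj= $Account
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# The new account takes effect on the next service start.
Restart-Service -Name $ServiceName

# Confirm the service now runs under the virtual account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $Account) {
    Write-Warning "Service still runs as $($svc.StartName)"
} else {
    Write-Host "Service now runs as $($svc.StartName)"
}
```

Unlike NETWORK SERVICE, which is shared by many services, the ACL granted here applies only to this one service's identity.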