Minor Right now a user gets a request to provide the password when installation wizard starts up. If you install the service with a custom user account, it is not exactly trivial to access the file ("Run as Administrator"). It would be great to allow getting a temporary password from the installer.
Such feature likely requires Jenkins core patches to allow overriding the temporary password somehow. It might be also useful for other use-cases, so IMHO it is something to consider
[JENKINS-61802] New Windows installer: Add option to show the temporary password in the installer UI
I've been looking into this and almost had a solution, except there arose another problem: the path to the .jenkins directory uses an environment variable to get to the users profile directory. This environment variable would need to be expanded AS the user the service will run as which is not necessarily the user that the installer is running as. I've been searching for a way to get this, but have not come up with anything. If anyone else has any ideas on this, I am open to them.
I've researched this some more and I just don't think this is feasible, unless we can set the temp admin password from the installer itself.
Kalle Niemitalo
added a comment - This environment variable would need to be expanded AS the user the service will run as which is not necessarily the user that the installer is running as.
Might be doable by calling LogonUserW, CreateEnvironmentBlock, and ExpandEnvironmentStringsW. But if you run the service as a special identity like "NT AUTHORITY\LocalService" or a virtual account like "NT SERVICE\Jenkins", I think LogonUserW will fail, even though the Service Control Manager is able to start the service.
we can set the temp admin password from the installer itself
In that case, see Preventing Confidential Information from Being Written into the Log File.
Kalle Niemitalo
added a comment - This environment variable would need to be expanded AS the user the service will run as which is not necessarily the user that the installer is running as.
Might be doable by calling LogonUserW , CreateEnvironmentBlock , and ExpandEnvironmentStringsW . But if you run the service as a special identity like "NT AUTHORITY\LocalService" or a virtual account like "NT SERVICE\Jenkins", I think LogonUserW will fail, even though the Service Control Manager is able to start the service.
we can set the temp admin password from the installer itself
In that case, see Preventing Confidential Information from Being Written into the Log File .
I am not sure that Jenkins up to a point where the initial password is available. Generally, the service is started and then the installer exits. I can look into how it might be possible to wait for the file to be available.