topic Service Account used for UserID Agent in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/service-account-used-for-userid-agent/m-p/1230766#M5951 <P><SPAN>Hi Support Team, We need to ensure the service accounts used for the UserID agents installed on the domain controllers have the right active directory permissions and limit the permissions to what is required for them to function. I have the following question: 1. What are the required permissions and privileges for it to be functional? 2. What are the risks of misconfiguration or disabling this account?</SPAN></P> Tue, 03 Jun 2025 00:23:37 GMT MasoodBrv 2025-06-03T00:23:37Z Service Account used for UserID Agent https://live.paloaltonetworks.com/t5/next-generation-firewall/service-account-used-for-userid-agent/m-p/1230766#M5951 <P><SPAN>Hi Support Team, We need to ensure the service accounts used for the UserID agents installed on the domain controllers have the right active directory permissions and limit the permissions to what is required for them to function. I have the following question: 1. What are the required permissions and privileges for it to be functional? 2. What are the risks of misconfiguration or disabling this account?</SPAN></P> Tue, 03 Jun 2025 00:23:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/service-account-used-for-userid-agent/m-p/1230766#M5951 MasoodBrv 2025-06-03T00:23:37Z Re: Service Account used for UserID Agent https://live.paloaltonetworks.com/t5/next-generation-firewall/service-account-used-for-userid-agent/m-p/1230903#M5956 <P>Hello,</P> <P>I would first direct you to read the best practices:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0</A></P> <P>&nbsp;</P> <P>To answer your questions:</P> <P>1.&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent</A></P> <P>2. if you disable the account and have policies that utilize User-ID as a requirement, then this will cause traffic to those policies to not be matched and the traffic would not be allowed.</P> <P>&nbsp;</P> <P>Hope that helps.</P> Tue, 03 Jun 2025 19:51:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/service-account-used-for-userid-agent/m-p/1230903#M5956 OtakarKlier 2025-06-03T19:51:21Z