https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/477499#M103680 <P>What privileges required by service account used by palo alto firewall in LDAP server profile to fetch group information from LDAP server for group mapping?</P><P>Do we need admin privilege ? or</P><P>is it enough that we need service account only to be a member of the following groups</P><P><SPAN>Event Log Reader </SPAN></P><P><SPAN>Distributed COM Users </SPAN></P><P><SPAN>Server Operators</SPAN></P><P>&nbsp;</P> Fri, 01 Apr 2022 07:43:31 GMT perumalj 2022-04-01T07:43:31Z https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/477499#M103680 <P>What privileges required by service account used by palo alto firewall in LDAP server profile to fetch group information from LDAP server for group mapping?</P><P>Do we need admin privilege ? or</P><P>is it enough that we need service account only to be a member of the following groups</P><P><SPAN>Event Log Reader </SPAN></P><P><SPAN>Distributed COM Users </SPAN></P><P><SPAN>Server Operators</SPAN></P><P>&nbsp;</P> Fri, 01 Apr 2022 07:43:31 GMT https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/477499#M103680 perumalj 2022-04-01T07:43:31Z https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/477514#M103681 <P>Hi Perumal,</P><P>&nbsp;</P><P><SPAN>Event Log Reader</SPAN></P><P><SPAN>Distributed COM Users</SPAN></P><P><SPAN>Server Operators</SPAN></P><P>&nbsp;</P><P><SPAN>These three privilege's&nbsp;enough .</SPAN></P><P>&nbsp;</P><P><SPAN>Please refer the below document for your reference.</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClGG" target="_blank">https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClGG</A></SPAN></P> Fri, 01 Apr 2022 08:08:23 GMT https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/477514#M103681 SubaMuthuram 2022-04-01T08:08:23Z https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/564362#M114198 <P>The link provided as the "Solution" is for User-ID Service Account, not ActiveDirectory / LDAP Authentication Profile Service Account, they are not one and the same.<BR />My understanding, is for the Firewall and any PAN Applications (e.g., GlobalProtect) to provide Password Management Services this requires Domain Administrative Privileges' in ActiveDirectory / LDAP. So while the above permissions may be bare minimum to authenticate users, Password Management requires elevated privilege's to perform pass through of Passwords expiry notices, capability to change passwords once expired or set in AD for reset, and ability to report locked accounts.</P> Fri, 03 Nov 2023 19:28:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/564362#M114198 BrianMarks 2023-11-03T19:28:32Z https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/564382#M114205 <P>For LDAP binding and group mapping you need only to be member of "Domain Users" group.</P> <P>Every domain user can read whole LDAP directory so no special permissions needed!</P> <P>&nbsp;</P> <P>For UserID (so Palo can connect to domain controllers, read security logs and map ip addresses to usernames) you need permissions you mentioned.</P> <P>&nbsp;</P> Sat, 04 Nov 2023 01:23:16 GMT https://live.paloaltonetworks.com/t5/general-topics/what-privileges-required-by-service-account-used-by-palo-alto/m-p/564382#M114205 Raido_Rattameister 2023-11-04T01:23:16Z