https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/546126#M111634 <P>Thank you.&nbsp; I guess I did miss that important detail.<BR />As a test, can you try installation and implementation as a Domain Admin account (just for confirmation)</P> <P>If this works fine, then you know that this is a permission issue on the AD side and not from the PANW UserID agent side.<BR /><BR />Usually, this becomes the root cause of errors.<BR /><BR />Please advise.</P> Thu, 15 Jun 2023 12:55:33 GMT S.Cantwell 2023-06-15T12:55:33Z https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/544064#M111364 <P>I'm setting up User-ID.</P> <P>&nbsp;</P> <OL> <LI>i have a windows server 2012r2 domain controller, and a windows server 2019 domain member for the agent software.</LI> <LI>I have configured a service account with user rights assignment to allow logon as a service on the agent host.&nbsp; i have configured permissions to the install directory and to the registry key for the software.</LI> <LI>I have added the account to the Event Log Readers and Distributed COM Users groups.</LI> <LI>I have created a firewall rule on the DC to allow all connections from the agent host server.</LI> </OL> <P>The debug logs indicate that OpenEventLog failed.</P> Tue, 30 May 2023 23:16:28 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/544064#M111364 jonathanb 2023-05-30T23:16:28Z https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/545650#M111572 <P>Hello there</P> <P>&nbsp;</P> <P>This has been well documented since Aug 2019 (or 2020) when MS decided to release a patch that no longer allows the agentless UserID agent to function, and MS servers respond back with Access Denied.<BR /><BR /><STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA&amp;lang=en_US%E2%80%A9</A></STRONG></P> <P>&nbsp;</P> <P><STRONG>Please de provision the agentless version, and instead, utilize either than StandAlone UserID agent (can be downloaded from their support site) or consider toward cloud based authentication, using PANW CIE (Cloud Identity Engine)</STRONG></P> <P>&nbsp;</P> <P><STRONG><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine</A></STRONG></P> Mon, 12 Jun 2023 19:31:39 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/545650#M111572 S.Cantwell 2023-06-12T19:31:39Z https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/545651#M111573 <P>Thanks.&nbsp; If it wasn't clear, the windows agent host is in use because i'm using the windows agent.</P> Mon, 12 Jun 2023 20:15:33 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/545651#M111573 jonathanb 2023-06-12T20:15:33Z https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/546126#M111634 <P>Thank you.&nbsp; I guess I did miss that important detail.<BR />As a test, can you try installation and implementation as a Domain Admin account (just for confirmation)</P> <P>If this works fine, then you know that this is a permission issue on the AD side and not from the PANW UserID agent side.<BR /><BR />Usually, this becomes the root cause of errors.<BR /><BR />Please advise.</P> Thu, 15 Jun 2023 12:55:33 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-user-id-agent-access-is-denied/m-p/546126#M111634 S.Cantwell 2023-06-15T12:55:33Z