https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38622#M28293 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>meanwhile (after mentioning the missing information to support), there is a document for this.</P><P>Unfortunately it's missing some information and (i.e. in regards to the registry) it's wrong. It also doesn't explain how to setup the firewall part of the User ID Setup, so I created my own documents.</P><P></P><P>Attached two PDFs for anyone with a similar Problem in the future.</P></BODY></HTML> Fri, 27 Jul 2012 17:29:39 GMT u13550 2012-07-27T17:29:39Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38620#M28291 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I'm in the process of implementing the UserID Agent into a Windows 2008 Domain</P><P>My goal is to have a single user in the AD for all features required by PaloAlto.</P><P></P><P>So I created a "panagent" user and added it to the "EventLog Readers" group, so it has access to the event logs</P><P>I the configured the Agent to use this user in it's service settings to start the service, which automatically grants "logon as a service" rights to the panagent User, but the service does not start, or better: it starts and stops immediately.</P><P></P><P>I want to have the user as restricted as possible, so I do not want to add it to domain admins or local administrators group.</P><P>Does the UserID Service need anything special apart form "logon as a service"?</P><P></P><P>Thanks</P><P>Andre</P></BODY></HTML> Tue, 24 Jul 2012 18:17:53 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38620#M28291 u13550 2012-07-24T18:17:53Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38621#M28292 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>unbelievable, but there is nothing to find in documentation, which describe how to setup a user-id-agent with limited access.</P><P>Is everybody out there running it with full access?</P><P>Andre, configure your user as you describe by yourself. The account need the grant "logon as a service" on the machine it runs on and the "EventLog Readers" grant on AD servers as described in official doc.</P><P></P><P><SPAN style="text-decoration: underline;">Additionally</SPAN>, on the machine the agent is running, you have to do the following steps (thanks to Sysinternals Process Monitor):</P><P>1.) Grant read-write access to the program directory of the user-id agent for the ua-user (e.g. on 32Bit OS: "C:\Program Files\Palo Alto Networks", on 64Bit OS: "C:\Program Files (x86)\Palo Alto Networks") .</P><P>2.) Grant read-write access to the "Palo Alto Networks" registry key (e.g. on 32Bit OS: "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks", on 64Bit OS: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks")</P><P></P><P>That's it, hope this helps you.</P></BODY></HTML> Fri, 27 Jul 2012 15:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38621#M28292 pplaw 2012-07-27T15:43:39Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38622#M28293 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>meanwhile (after mentioning the missing information to support), there is a document for this.</P><P>Unfortunately it's missing some information and (i.e. in regards to the registry) it's wrong. It also doesn't explain how to setup the firewall part of the User ID Setup, so I created my own documents.</P><P></P><P>Attached two PDFs for anyone with a similar Problem in the future.</P></BODY></HTML> Fri, 27 Jul 2012 17:29:39 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-required-user-rights/m-p/38622#M28293 u13550 2012-07-27T17:29:39Z