https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234610#M67256 <P>Awesome thank you.&nbsp; Looks like it actually doesn't need the Event Log Reader but did need Distributed Com Users.&nbsp;&nbsp;</P> Tue, 09 Oct 2018 18:03:01 GMT Dylanroehrig 2018-10-09T18:03:01Z https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234575#M67248 <P>Hello,</P><P>&nbsp;</P><P>I am trying to get AD authentication to work for GlobalProtect.&nbsp; I have been following this document <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmAdCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmAdCAK</A> for configuring the AD integration part, and it says:</P><P>&nbsp;</P><P><EM>Before you integrate a Palo Alto Networks device with AD, you must create a user ID in AD that you'll use to access LDAP. At a minimum, this account must be a member of the built-in Server Operators group in AD. For security reasons and to be compliant with the best practices, you should adhere&nbsp;to the minimum access rights for this account.</EM></P><P>&nbsp;</P><P>I put the account that I created in the Server Operators group, however when it tries to connect to a domain controller, I get <FONT color="#FF0000">Access Denied</FONT> (Device &gt; User Identification &gt; User Mapping &gt; Server Monitoring box).&nbsp; If I stick that account in the Domain Admins group, I get <FONT color="#339966">Connected</FONT>.&nbsp; So, is the document wrong about the minimum required access rights, or am I missing a permission someplace else?</P><P>&nbsp;</P><P>Thanks</P><P>Dylan</P> Tue, 09 Oct 2018 15:02:03 GMT https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234575#M67248 Dylanroehrig 2018-10-09T15:02:03Z https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234587#M67253 <P>I'm sure you need the following...</P><P>&nbsp;</P><P>Event Log Reader</P><P>Distributed COM Users</P><P>Server Operators</P><P>&nbsp;</P><P>&nbsp;</P><P>Server operators is the very minimum, just about allows you to bind but not dig deep and read logs...</P> Tue, 09 Oct 2018 16:19:42 GMT https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234587#M67253 Mick_Ball 2018-10-09T16:19:42Z https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234610#M67256 <P>Awesome thank you.&nbsp; Looks like it actually doesn't need the Event Log Reader but did need Distributed Com Users.&nbsp;&nbsp;</P> Tue, 09 Oct 2018 18:03:01 GMT https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/234610#M67256 Dylanroehrig 2018-10-09T18:03:01Z https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/420742#M93896 <P>Hello,</P><P>I have tried this solution and it failed. Would I have to reboot the firewall after I do changes? (remove the account from the domain admin group)</P> Tue, 20 Jul 2021 15:12:44 GMT https://live.paloaltonetworks.com/t5/general-topics/required-permissions-for-active-directory-integration/m-p/420742#M93896 DavidGuzman 2021-07-20T15:12:44Z