https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413377#M92959 <P>Across a large environment, what would be the best way to audit Palo administrator accounts?&nbsp; That is accounts found at Device &gt; Administrators.</P><P>&nbsp;</P><P>For various reasons we all end up with lots of AD accounts, service accounts and so on there, what I'd like to do is find a way to periodically check those accounts against AD to see if they are still valid.</P><P>&nbsp;</P><P>So far the only way that I have found is to export the csv and run a powershell script against the names which pipes out to a simple "true or false".&nbsp; Problem with that is that I have to run it across a ton of Palo's one by one.</P><P>&nbsp;</P><P>There has to be a better way.&nbsp; Even if it's a script that will run against all my palos to get the names first.</P> Tue, 15 Jun 2021 19:51:04 GMT RobertShawver 2021-06-15T19:51:04Z https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413377#M92959 <P>Across a large environment, what would be the best way to audit Palo administrator accounts?&nbsp; That is accounts found at Device &gt; Administrators.</P><P>&nbsp;</P><P>For various reasons we all end up with lots of AD accounts, service accounts and so on there, what I'd like to do is find a way to periodically check those accounts against AD to see if they are still valid.</P><P>&nbsp;</P><P>So far the only way that I have found is to export the csv and run a powershell script against the names which pipes out to a simple "true or false".&nbsp; Problem with that is that I have to run it across a ton of Palo's one by one.</P><P>&nbsp;</P><P>There has to be a better way.&nbsp; Even if it's a script that will run against all my palos to get the names first.</P> Tue, 15 Jun 2021 19:51:04 GMT https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413377#M92959 RobertShawver 2021-06-15T19:51:04Z https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413422#M92960 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/155683">@RobertShawver</a>,</P> <P>So with your existing script I would just tie in calls to the firewall's API to grab any administrator on the system, instead of doing a CSV export.&nbsp; The API URL would be /api/?type=config&amp;action=get&amp;xpath=/config/mgmt-config/users</P> Tue, 15 Jun 2021 21:19:14 GMT https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413422#M92960 BPry 2021-06-15T21:19:14Z https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413919#M93024 <P>Is there a way to show the Administrators on a template via command line?</P> Thu, 17 Jun 2021 16:28:47 GMT https://live.paloaltonetworks.com/t5/general-topics/find-disabled-administrator-accounts/m-p/413919#M93024 RobertShawver 2021-06-17T16:28:47Z