How to Configure Agentless User-ID

by nato on ‎01-04-2013 03:34 PM - edited on ‎05-12-2017 08:54 AM by (225,820 Views)


To configure Agentless User-ID, first create the service account, then modify and verify security settings.


Configure the following on the Active Directory (AD) Server and the Palo Alto Networks device:

  1. Create the service account in AD, which is utilized on the device. Be sure the user is part of the following groups:
    - Distributed COM Users
    - Event Log Readers
    - Server Operators
    Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information.

    In Windows 2003, the service account must be given the “Audit and manage security log” user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named “Event Log Readers” is not available in Windows 2003.

  2. The device uses WMI authentication, so the CIMV2 namespace security properties must be modified on each AD server the device connects to.

  3. Run 'wmimgmt.msc' from the command prompt to open the WMI Control console, then open the properties of WMI Control (Local):


  4. From the Security tab on WMI Control Properties:
    1.) Select the CIMV2 folder.
    2.) Click Security.
    3.) Click Add and then select the service account from Step 1.
    4.) In this case, it is userid@pantac.lab.
    5.) For this account, check Allow for both Enable Account and Remote Enable.
    6.) Click Apply.
    7.) Then click OK.

  5. Back in the Palo Alto Networks WebGUI, select Device > User Identification > User Mapping, then click the edit sprocket in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup.

  6. Under the WMI Authentication tab, enter the username in domain\username format along with valid credentials for that user.

  7. Enable the Server Monitor options, enabling Security Log and Session monitoring as required for your environment.
    Client probing is enabled by default, so disable it if it is not wanted.

  8. If the domain is configured during Setup in the General Settings/Domain field, the user can elect to discover servers with which to connect. If not, manually add a server to the device:

  9. Confirm connectivity through the WebGUI or the CLI:

    > show user server-monitor statistics 
    Directory Servers:  
    Name                           TYPE     Host            Vsys    Status           
    pantacad2003.pantac.lab        AD       pantacad2003.pantac.lab vsys1   Connected      


  10. Confirm that ip-user-mapping is working:

    > show user ip-user-mapping all

    IP              Vsys  From    User                            IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- ----------
                    vsys1  AD      pantac\tom                      2576          2541
                    vsys1  AD      pantac\userid                   2660          2624
                    vsys1  AD      pantac\userid                   2675          2638
    Total: 3 users

  11. Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.
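
The AD-side part of the procedure (steps 1 through 4) collected into one script, as an added example that is not part of the original article and not a Palo Alto Networks script. It assumes Windows PowerShell 5.1 run elevated on each domain controller the firewall will monitor (Server 2008 or later, since Event Log Readers does not exist on 2003), the ActiveDirectory module from RSAT, and that the account name userid is a placeholder. The three group names are the ones the article lists; the two access-mask bits are the WBEM_ENABLE and WBEM_REMOTE_ACCESS constants behind the "Enable Account" and "Remote Enable" checkboxes in wmimgmt.msc.

```powershell
# Added example (not from the article): AD-side setup for agentless User-ID,
# i.e. steps 1-4 of the article in one script. Run in an elevated Windows
# PowerShell 5.1 session on each domain controller the firewall will monitor
# (Server 2008 or later; Event Log Readers does not exist on 2003).
# Requires the ActiveDirectory module (RSAT). The account name is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'userid'                          # placeholder service account
$Domain         = (Get-ADDomain).NetBIOSName        # e.g. PANTAC
$Password       = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"

# --- Step 1: service account and the three built-in groups the article lists ---
$svc = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
if (-not $svc) {
    $svc = New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'Agentless User-ID service account' -PassThru
}
# Group membership lives in AD and replicates to every DC. No Domain Admin needed.
foreach ($group in 'Distributed COM Users', 'Event Log Readers', 'Server Operators') {
    Add-ADGroupMember -Identity $group -Members $svc
}

# --- Steps 2-4: "Enable Account" + "Remote Enable" on root\cimv2 for the account ---
# The WMI namespace DACL is local to each server, so this part does not replicate.
# Access mask bits are the WBEM_* constants from WbemCli.h.
$WBEM_ENABLE        = 0x01   # "Enable Account" checkbox in wmimgmt.msc
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" checkbox in wmimgmt.msc
$Wanted    = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$Namespace = 'root\cimv2'

$Account = New-Object System.Security.Principal.NTAccount("$Domain\$SamAccountName")
$Sid     = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value

function Get-NamespaceSd {
    # Security descriptor of the namespace, via the __SystemSecurity singleton
    (Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
        -Name GetSecurityDescriptor).Descriptor
}

$sd = Get-NamespaceSd
# Skip the change if an allow ACE for this SID already carries both bits.
$present = $sd.DACL | Where-Object {
    $_.Trustee.SIDString -eq $Sid -and $_.AceType -eq 0 -and
    (($_.AccessMask -band $Wanted) -eq $Wanted)
}
if (-not $present) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $Sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $Wanted     # only the two rights the article asks for
    $ace.AceFlags   = 0           # no inheritance: this namespace only
    $ace.AceType    = 0           # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($r.ReturnValue)" }
}

# --- Verification: what wmimgmt.msc would show for this account, plus group membership ---
(Get-NamespaceSd).DACL | Where-Object { $_.Trustee.SIDString -eq $Sid } | ForEach-Object {
    $m = $_.AccessMask
    "{0}\{1} on {2}: AccessMask=0x{3:X} EnableAccount={4} RemoteEnable={5}" -f $_.Trustee.Domain, $_.Trustee.Name, $Namespace, $m, (($m -band $WBEM_ENABLE) -ne 0), (($m -band $WBEM_REMOTE_ACCESS) -ne 0)
}
Get-ADPrincipalGroupMembership -Identity $svc | Select-Object -ExpandProperty Name
```

The account and group part only needs to run once per domain, because membership replicates; the namespace part must run on every server that will be monitored, because the WMI DACL is local to each host. The ACE grants exactly the two rights the article's step 4 asks for and nothing else, so re-running the script is harmless: it finds the existing entry and leaves the DACL alone.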


See also

User-ID Agent Setup Tips


owner: rkalugdan

by cindyb
on ‎02-26-2013 09:37 AM

I'd love to see this document broken into two docs - one that can be sent out to customers to prepare for POC - the AD user account setup portion without the PAN firewall config portion . . . is this possible?

by panagent
on ‎02-26-2013 10:02 AM

This document is accessible by customers who have a valid support account.  Customers can register for a support account at  Click on the Register button.

by SDorsey
on ‎07-22-2013 04:13 PM

I think what CindyB is trying to say is that in many environments, the person staging the A.D. side is different from the person implementing the PAN firewall. So one document for each team would be beneficial to her.

by stcrye
on ‎06-30-2014 12:54 PM

Please make this available as a PDF with the screen shots large enough to read when printed!


by ksabry
on ‎10-15-2014 01:57 PM

In case you will be using the "Agentless User-ID", then it is absolutely necessary to include the ranges desired to be probed by the Firewall User-ID agent in the Include/Exclude Networks and to exclude the range from being probed as per below, otherwise you will see that the Firewall will be trying to probe all network ranges in

To make sure that your User-ID probing is not trying to probe unwanted IP ranges, open your Monitor and select your User-ID source IP address of your Firewall and select the services ms-wmi or destination port 135 or destination port 389 in your Monitor filter.


by wkey
on ‎10-16-2014 06:02 AM

Has this been tested on Server 2012? I'm getting an access denied error on my PA after going through these steps.


by panos
on ‎10-16-2014 06:08 AM

Have you tried with an account from the Domain Admins group (just to test)?

by wkey
on ‎10-16-2014 06:18 AM

I have. Previously the account was a Domain Admin and it worked wonderfully. I applied the above changes yesterday, restricting the runner account.

Thanks again!

by wkey
on ‎10-17-2014 07:35 AM

Have you had any luck determining if it works under Server 2012?

by satec.helpsec
on ‎10-20-2014 07:10 AM


Works with Windows Server 2012?

by jhartman
on ‎11-20-2014 04:16 AM

Why do we need the server operator group for this? The Microsoft admins that I'm working with are reluctant to hand out those rights and I cannot really explain why we would need them.

by nato
on ‎11-20-2014 07:02 AM

Users connected to resources on the Domain controller, such as shared folders and printers, have their IP addresses and user names stored in the server session table. The agent is able to read this table and use it to make user to IP mappings. The Agent will require Server Operator privileges to read the session table. In an environment where user drives are hosted on the Domain Controller this can be a very efficient way to match users to their IP addresses.

by nato
on ‎11-20-2014 07:56 AM

Just tested with 2012 and it appears that it is only capable of connecting if the service account is part of the domain admins group. Will need to revisit with Engineering/PM and provide an update accordingly.

2014-11-20 07:54:19.011 -0800 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.

2014-11-20 07:54:26.016 -0800 Error:  pan_user_id_win_sess_query(pan_user_id_win.c:1474): session query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.

2014-11-20 07:54:31.086 -0800 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1326): log query for 2K12 failed: [wmi/wmic.c:200:main()] ERROR: Login to remote object.
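
An added check, not from the article or from any commenter, that reproduces from a domain-joined Windows host what the firewall's agentless agent needs from a domain controller, using the service account's own credentials: first a plain connection to root\cimv2 (which needs the namespace rights from step 4 and Distributed COM Users membership), then one read from the Security event log (which needs Event Log Readers on Server 2008 or later). It assumes Windows PowerShell on a domain-joined host that can reach the DC over DCOM; the host name is the one in the article's CLI output and the account name is a placeholder. A failure here is the Windows-side view of the access denied and "Login to remote object" failures discussed in these comments, and it tells you whether to look at AD permissions or at the firewall configuration.

```powershell
# Added example (not from the article or the comments): reproduce from a
# domain-joined Windows host what the firewall's agentless agent needs from a DC,
# using the service account's own credentials. Two stages: connect to root\cimv2
# (Enable Account + Remote Enable on the namespace, Distributed COM Users), then
# read one Security event log record (Event Log Readers on 2008 or later).
# The host name is the one from the article's CLI output; the account is a placeholder.
function Test-UserIdWmiAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $result = [ordered]@{
        Computer    = $ComputerName
        Connect     = $false   # namespace reachable with these credentials
        SecurityLog = $false   # Security log readable with these credentials
        Error       = $null
    }
    try {
        # Stage 1: any class in root\cimv2 proves the DCOM login and namespace rights
        $os = Get-WmiObject -ComputerName $ComputerName -Credential $Credential `
            -Namespace 'root\cimv2' -Class Win32_OperatingSystem -ErrorAction Stop
        $result.Connect = ($null -ne $os)

        # Stage 2: one Security log record. -EnableAllPrivileges lets the connection
        # use any log-reading privilege the account holds; with Event Log Readers
        # the log's own ACL should already allow the read.
        $evt = Get-WmiObject -ComputerName $ComputerName -Credential $Credential `
            -Namespace 'root\cimv2' -EnableAllPrivileges -ErrorAction Stop `
            -Query "SELECT RecordNumber FROM Win32_NTLogEvent WHERE Logfile='Security'" |
            Select-Object -First 1
        $result.SecurityLog = ($null -ne $evt)
    } catch {
        # "Access denied" here corresponds to the firewall-side failures quoted above.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$Cred = Get-Credential -UserName 'PANTAC\userid' -Message 'User-ID service account (placeholder name)'
Test-UserIdWmiAccess -ComputerName 'pantacad2003.pantac.lab' -Credential $Cred | Format-List
```

Run it once per domain controller you intend to monitor, since the namespace DACL is set per server. Connect=True with SecurityLog=False points at event log rights (or at a 2003-era server lacking the Event Log Readers group); Connect=False points at the CIMV2 security settings, the Distributed COM Users membership, or DCOM reachability.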

by dodo22mx
on ‎11-24-2014 10:52 AM


I have a problem: filtering by group policy does not apply to groups, it only applies to users, but it does not take my groups from AD. My AD is a Server 2012 and the PA is on 6.1. Any recommendations?


by jburugupalli
on ‎11-24-2014 11:16 AM

Hello Ed,

Did you configure the group mapping settings so that the firewall can retrieve user-to-group information from the LDAP server?

Please refer below link to configure group mappings settings :

How to Configure Group Mapping settings?



by DaleSmith
on ‎11-30-2014 04:49 PM

One gotcha if you intend on querying other domains in your forest - you need to add the service account into the Builtin\Users group in each additional domain.

by RyanF
on ‎01-10-2015 07:03 PM

Hey nato, did you ever get resolution on this?

In this guide Best Practices for Securing User-ID Deployments it says "User-ID deployments can be hardened by only including the minimum set of permissions necessary for the service to function properly. This includes DCOM Users, Event Log Readers, and Server Operators." and specifically "Domain Admin and Enterprise Admin rights are not required to read security event logs and consequently should not be granted."

I'm interested to know if you're seeing something to the contrary.

Edit: I also found this in the PAN-OS-6.1-Admin-Guide:

"Windows 2008 or later domain servers—Add the account to the Event Log Readers group. If you are using the on-device User-ID agent, the account must also be a member of the Distributed COM Users Group"

Looks like the Server Operators group comes into play when not using the on-device User-ID agent.

by cchan_gsa
on ‎03-30-2015 03:14 PM

I ran into the same issue with 2012. I also couldn't get it working with the same "Login to remote object" error and had to make the account a domain admin member. Was anyone able to get it working on a non domain admin account with 2012?

by Charles.Yang
on ‎06-24-2015 10:50 PM

Is there a configuration example for a PAN-OS 7 and Windows Server 2012 environment?

by bparker
on ‎08-15-2015 09:32 PM

Adding some links to other useful Documents related to this.

This defines the minimum security requirements needed as of 2008 r2 and Server Operator is not required. I still need to test 2012.

Agentless User-ID 'access denied' Error in Server Monitor

This is the PowerShell script for setting WMI permissions across an infrastructure without hitting a bunch of individual servers.

PowerShell Script for setting WMI Permissions for User-ID

by hvaldes
on ‎09-03-2015 01:11 PM

For Server 2012 R2 you need to do the following for agentless user-id monitoring to work.


On the specific Windows Servers that need to be monitored, open the WMI management console (“wmimgmt.msc”). Select the local WMI Control properties, and edit the “Security” settings. Navigate to the “CIMV2” section and click “Security”. Add the user group created for the firewall users to the list of authorized users and groups, and enable the “Enable Account” and “Remote Enable” permissions.


It's in the link below.  It doesn't mention anything regarding Server 2012 but I tried it and worked for me.  This was NOT needed for Server 2008.


by herrmoss
‎11-18-2016 10:39 AM - edited ‎11-18-2016 10:39 AM

After configuring Agentless User ID, because the device is being managed by Panorama, I also had to go add a Master Device for this device, using Panorama/Device Groups, in order to make things work as expected.

by Mass
‎08-06-2017 10:06 PM - edited ‎08-06-2017 10:07 PM

Is step 4 above "From the Security tab on WMI Control Properties" necessary even if we do NOT use WMI Probing?


I understand that the "WMI Authentication" tab has to be filled so that the Palo Alto firewall can access all the Active Directory servers listed under "Server Monitoring". Should I assume the "WMI Control Properties" changes are needed just for the sake of authentication? We are using Server 2008 R2.

on ‎08-07-2017 01:53 AM

@Mass: yes, these properties need to be set to allow the firewall access to the Active Directory


the WMI probes are launched from the firewall and use the credentials configured on the firewall

by Mass
on ‎08-07-2017 02:03 AM

We are not using WMI probing at all.


We only have Active Directory servers to be monitored by the integrated User-ID Agent on the firewall.


Do we still need the CIMV2/Security access rights to be set?

on ‎08-07-2017 02:05 AM

@Mass yes you need this, else the agentless deployment will not be able to connect to the Active Directory

by s.williams1
on ‎09-25-2017 10:32 AM

So would you need to do the WMI task on all domain controllers in your network?

on ‎09-26-2017 02:37 AM

@s.williams1 setting the appropriate access for the account should replicate across your servers; the local WMI access will need to be allowed per server

by s.williams1
on ‎09-26-2017 05:03 AM

So if I have 25 domain controllers then I need to configure it on all servers. I guess this makes sense since users will authenticate to different DCs within the network. Thanks.

on ‎09-26-2017 06:45 AM

@s.williams1 if you have 25 DCs I would actually recommend using UserID agents as this will put less load on the firewall management plane

by AdamGajewski
on ‎09-28-2017 08:14 AM

So the following article is incorrect then?


We do not use client probing and in this guide that is what the WMI settings are referring to. I'm hesitant to make this change on 25+ DCs to find out that it's not the case. Since we currently have this running with an account that has too many privs I would need to swap it out with the new restricted priv service account and hope for the best, because if I don't have all the DCs configured the same they will break mappings when I do this. I have a ticket open with PA support and they said WMI security changes are needed but are referring to a doc from 2013 so my confidence is very low at this point.


With all the questions I'm seeing on this I wish PA would put out a definitive accurate guide broken out into each server OS.

by ThongLam
on ‎11-29-2017 07:45 AM

Hi add,


If a customer has 2 Active Directory domains (because they bought another company), both using 1 PA, how do I configure User Mapping WMI Authentication for both Active Directory domains?

Please advise me!



by DanielMiller
on ‎02-01-2018 04:10 PM

I found that you need to grant the svc-pafirewall account the authentication right in AD. Once that was done it no longer needed to be a member of domain administrators to connect properly and do user monitoring! YMMV.

by Fahadvu
on ‎03-01-2018 02:19 AM

Nice information shared by team.
