I'm in the process of implementing the UserID Agent into a Windows 2008 Domain
My goal is to have a single user in the AD for all features required by PaloAlto.
So I created a "panagent" user and added it to the "EventLog Readers" group, so it has access to the event logs
I then configured the Agent to use this user in its service settings to start the service, which automatically grants "logon as a service" rights to the panagent user, but the service does not start, or better: it starts and stops immediately.
I want to have the user as restricted as possible, so I do not want to add it to domain admins or local administrators group.
Does the UserID Service need anything special apart from "logon as a service"?
Unbelievable, but there is nothing to be found in the documentation which describes how to set up a User-ID agent with limited access.
Is everybody out there running it with full access?
Andre, configure your user as you described yourself. The account needs the "logon as a service" right on the machine it runs on and the "EventLog Readers" membership on the AD servers, as described in the official doc.
Additionally, on the machine the agent is running on, you have to do the following steps (thanks to Sysinternals Process Monitor):
1.) Grant read-write access to the program directory of the User-ID agent for the UA user (e.g. on 32-bit OS: "C:\Program Files\Palo Alto Networks", on 64-bit OS: "C:\Program Files (x86)\Palo Alto Networks").
2.) Grant read-write access to the "Palo Alto Networks" registry key (e.g. on 32-bit OS: "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks", on 64-bit OS: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Palo Alto Networks").
That's it, hope this helps you.
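The steps from the answer above, as an added PowerShell example that is not part of the original thread or of any Palo Alto Networks documentation: it grants the service account Modify (not Full Control) on the agent directory and read/write on the agent registry key, scoped to those two objects only. It assumes a placeholder domain "CONTOSO", the "panagent" account from the thread, the RSAT ActiveDirectory module for the group membership step, and an elevated session on the agent host.

```powershell
# Added example (not from the thread). Least-privilege ACLs for the User-ID
# agent service account. "CONTOSO" is a placeholder domain; "panagent" is the
# account name used in the thread. Run elevated on the machine hosting the agent.
$Account = "CONTOSO\panagent"

# Paths differ between 32-bit and 64-bit hosts, as the answer above notes.
$Is64 = [Environment]::Is64BitOperatingSystem
$AgentDir = if ($Is64) { "C:\Program Files (x86)\Palo Alto Networks" } else { "C:\Program Files\Palo Alto Networks" }
$AgentKey = if ($Is64) { "HKLM:\SOFTWARE\Wow6432Node\Palo Alto Networks" } else { "HKLM:\SOFTWARE\Palo Alto Networks" }

# 1) Event log access on the domain controllers via the built-in group
#    (requires the RSAT ActiveDirectory module; no admin group membership).
Import-Module ActiveDirectory
Add-ADGroupMember -Identity "Event Log Readers" -Members "panagent"

# 2) Modify rights on the agent program directory, inherited by files and
#    subfolders. Modify is enough for the agent to write its own logs/config;
#    Full Control would also let the account change the ACL itself.
$dirAcl  = Get-Acl -Path $AgentDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $AgentDir -AclObject $dirAcl

# 3) Read/write on the agent's registry key and its subkeys only, leaving the
#    rest of HKLM\SOFTWARE untouched.
$regRights = [System.Security.AccessControl.RegistryRights]"ReadKey, WriteKey"
$regAcl  = Get-Acl -Path $AgentKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, $regRights, "ContainerInherit,ObjectInherit", "None", "Allow")
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AgentKey -AclObject $regAcl

# 4) Verify: list the ACEs that now apply to the account and confirm it was
#    not added to the local Administrators group along the way.
Write-Host "Directory ACEs for $Account :"
(Get-Acl $AgentDir).Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
Write-Host "Registry ACEs for $Account :"
(Get-Acl $AgentKey).Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
if ((net localgroup Administrators) -match "panagent") {
    Write-Warning "$Account is a local Administrator; remove it to keep the agent restricted."
}
```

The "logon as a service" right is left to the service configuration dialog, which the original post reports grants it automatically when the account is set on the service.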
Meanwhile (after mentioning the missing information to support), there is a document for this.
Unfortunately it's missing some information and (i.e. with regard to the registry) it's wrong. It also doesn't explain how to set up the firewall part of the User-ID setup, so I created my own documents.
Attached are two PDFs for anyone with a similar problem in the future.