For details on cookie usage on our site, read our Privacy Policy
User-ID and Windows clients running GPO's with another useraccount !
- LIVEcommunity
- Discussions
- General Topics
- User-ID and Windows clients running GPO's with another useraccount !
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
User-ID and Windows clients running GPO's with another useraccount !
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-27-2013 01:15 AM
Hi ppl !
We have a problem regarding User-Id and the security log from windows AD. Normally when the user logs in on a windows pc and connect to AD, the USer-Id and ip > username maps correct.
The problem occurs when a "GPO" on the client starts up with system privilegies and another user account (administrator rights account). These gpo's runs with the same user privilegies on all clients on a schedule.
The user > ip mapping in windows security log will then contain the "adminstrator" user and the original user will no longer exists until the user himself connects to AD (open the fileshare/connect to exchange).
The result is that the user will loose connection until he reconnect to AD and the user > ip is correct again.
I have configured the firewall to ignore the user that runs the GPO and the result is that i have no "source user" in monitor and the session is dropped in FW.
If i dont ignore the user, a lot of computer will get internet connections with the same user-id. This will compromise our security policy.
Hope some of you have any ideas how to solve this problem.
Regards
- Labels:
-
User-ID
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-27-2013 11:21 PM
If a system account performs an authentication to the AD server then the user mapping will change. You can configure the Agent to ignore specific user accounts on the domain by configuring the ignore list. If the ignore list was configured for the "administrator" account in this case, the Agent would not create a mapping for that account whenever it authenticates.
See document: https://live.paloaltonetworks.com/docs/DOC-2893
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-28-2013 12:55 PM
What about remote support such as RDP or such?
Where the support dude/dudette login to the /console on the client who wish assistence to help out through remote administration or for that matter bounce through a SCCM server (or whatever they are called).
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-28-2013 01:06 PM
I would think that a domain account being used for RDP would need to be excluded as well or the agent would think a new user logged in and would update the mappings as needed.
The agent is simply looking for particular events hitting the security log on the domain controller. If the client machine authenticates a remote support session (or any other non-interactive login) in the same way that a normal login would be processed then the Agent has no way to differentiate between the two. The only capability the Agent has is to exclude specific usernames that are not being used for a normal user login so service accounts don't cause the active user's mapping to be overwritten.
- removal customer pdf summary report in General Topics
- How to check Region of Prisma in Prisma Cloud Discussions
- Upgrade PAN OS Version in General Topics
- Prisma SD-WAN Link Quality Details - Blank in Prisma SD-WAN Discussions
- backing up running-config.xml or set cli config-output-format set in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
