User loses privileges...UserID


L4 Transporter

In our company we have two internet browsing profiles.
Users who belong to the AD group Domain Users have limited access to the internet, and users who belong to the AD group UsuariosInternet can access anywhere.

My AD user is canopr and I have internet access from my PC (, but when I log on to a server by remote desktop (mstsc) and identify myself with the user oalgt\ explotacio, internet access stops. The user that the User-ID agent learns as identified on the IP is explotacio. I understand that this behaviour is wrong. Is there any way around it?



The problem you're having (user explotacio getting mapped to your local IP address) is perfectly clear. And like I said before: this is expected behaviour because a logon event is logged. And no, we are not talking about the fact that user explotacio is logging on to the server, we are talking about "a" Windows logon event.

Check the security log in event viewer: you'll find thousands of logon events, that have nothing to do with a user logging on (entering username/password) to a computer.

The security log on a DC is the source PaloAlto uses to collect these events, since they contain the user and an ip....

After having logged on to the server, almost any action you do locally (like browsing in Windows Explorer, opening an application) will trigger a logon event that should eventually be picked up by UserID, on the condition that you are in fact in a domain environment (the logon event is checked by the DC) and the UserID interval is short enough.

I don't know why it should affect me on my local machine that I connect to another PC with another user by RDP, and when I close this session I don't recover my privileges. The moment I connect to another machine via RDP with any user, I get the privileges of this user on my local machine... this is weird behaviour...

Please understand that this actually has nothing to do with the RDP session.

This is standard Windows behaviour in a Windows domain: your DC is the only "authority" that determines whether or not you have access to a resource. This is the logon event I'm talking about.

Nothing you do in PaloAlto config will change that behaviour. All PA does is read that info.

L4 Transporter


This behavior is expected: UserID does IP-user mapping based on the Windows Security logs, and when a user RDPs to a machine, Windows logs the security event based on the IP of the PC that initiated the RDP.

The only workaround for this is to add the username oalgt\ explotacio to the ignore users list. This is not an issue with the firewall or the agent.


Hope that helps,
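
The mapping behaviour and the ignore-list workaround described in the replies above, as an added example that is not part of the original thread and is not Palo Alto's agent code. It is a simplified model: the event tuples, the documentation IP 192.0.2.10 and the group table are constructed, and `build_mapping`, `normalize` and `group_for_ip` are hypothetical names.

```python
"""Toy model of IP-to-user mapping built from logon events (constructed data)."""

# Constructed sample events in DC-security-log order: (seconds, account, source IP).
# 192.0.2.10 is a documentation address standing in for the asker's PC.
EVENTS = [
    (0,   r"OALGT\canopr",     "192.0.2.10"),  # interactive logon on the PC
    (300, r"oalgt\explotacio", "192.0.2.10"),  # RDP logon, source IP is the same PC
    (320, r"oalgt\explotacio", "192.0.2.10"),  # follow-up logon events on the server
]

GROUPS = {  # constructed group membership used for the policy lookup
    r"oalgt\canopr": "UsuariosInternet",
    r"oalgt\explotacio": "Domain Users",
}


def normalize(account):
    """Compare accounts case-insensitively and without stray spaces."""
    domain, _, user = account.partition("\\")
    return f"{domain.strip().lower()}\\{user.strip().lower()}"


def build_mapping(events, ignore_users=()):
    """Return {ip: account}; the newest non-ignored event for an IP wins."""
    ignored = {normalize(u) for u in ignore_users}
    mapping = {}
    for _, account, ip in sorted(events, key=lambda e: e[0]):
        account = normalize(account)
        if account in ignored:
            continue  # event is dropped, so the earlier mapping survives
        mapping[ip] = account
    return mapping


def group_for_ip(ip, mapping):
    """Group the policy would match for traffic from this IP."""
    return GROUPS.get(mapping.get(ip), "unknown")


if __name__ == "__main__":
    # First pass: no ignore list. Second pass: the RDP account is ignored.
    for ignore in ((), (r"oalgt\ explotacio",)):
        m = build_mapping(EVENTS, ignore)
        print(ignore, m, group_for_ip("192.0.2.10", m))
```

Ignoring the account only works because its events never reach the mapping table; any other account that generates logon events from the same IP would still replace the mapping.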


L4 Transporter

And what would happen with users who have 2 inboxes in their Exchange? Does the same happen for them?
