User-ID for Exchange Permission Issue

Showing results for 
Search instead for 
Did you mean: 

User-ID for Exchange Permission Issue

L2 Linker

Hi All,

I'm running an agent-based User-ID setup against three AD DCs and two Exchange CAS servers.  Unfortunately, despite having the Event Log Reader permission, I cannot seem to get data from the Exchange servers.  I am successfully getting data from the DCs, but the Exchange servers always show either Connecting or Connecting (A required privilege is not held by the agent.).  Any ideas on whether or not Exchange requires additional permissions?




Totally concur.  That's not a valid answer for me.

Definitely followed the document.  My service-account is part of "event log readers" and "server operators." As said before, the User-ID agent works fine with domain controllers.  Something is odd with the connection to Exchange servers.

L0 Member


I sat down and worked with my Exchange admin.  He added my service account to the Exchange server's local "event log readers" group.  Bam, user-ID agent is now connected.  I haven't dug through the data yet but at least it resolves the error I was receiving.  Hope this helps.


Thanks Charlie,

I'll talk to my AD/Exchange guy next week and see if that does the trick.


L3 Networker

The documentation for the built-in PAN-OS user-ID agent appears to be incomplete.  Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:

  1. Grant the user-ID agent service account "Enable Account" and "Remote Access" permission to the CIMV2 WMI namespace on the Exchange CAS servers.
  2. Add the service account to the local "Event Log Readers" and "Distributed COM Users" groups on the Exchange CAS servers.

I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups as I have seen suggested in some places.

The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups.  Many probably (and I did) assume that means the groups that are built into the Active Directory domain.  While membership in those Active Directory groups is in fact required in order to have the built-in user-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.

So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.

I hope this helps others.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!