User-ID Logs Show Username Entries With a Dollar Sign $ Appended, but No IP Mapping Is Created
Created On 01/13/22 21:37 PM - Last Modified 03/25/22 16:12 PM
Symptom
You may see entries in the User-ID logs where the username has a dollar sign appended, for example: USNYDV001$.
For such a User-ID log entry, you do not see a related IP-user mapping.
Environment
- All PAN-OS Devices
- Active Directory
- User-ID
Cause
The sAMAccountName attribute for a machine account in Active Directory is the computer name with a trailing '$'.
Machine accounts generate logon events just like user accounts do, because they also authenticate with Active Directory. These logon events are recorded in the Security Event Log on Windows, and if Server Monitoring is in use, the events are picked up by the User-ID agent and logged in the Monitor > User-ID log.
[Screenshot: Machine Account Logon Event from Windows Event Viewer]
Resolution
Machine accounts do not need an IP mapping, and if they had one, it would conflict with the user's IP mapping. Because of this, User-ID logs these events but does not generate an IP mapping for them.
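The behaviour described above, modelled as an added example (this is not PAN-OS or User-ID agent code): every logon event is logged, but only non-machine accounts produce an IP mapping. The event list, the CORP domain, the IP addresses, and the last-writer-wins mapping rule are assumptions made for illustration.

```python
# Added illustration; not PAN-OS or User-ID agent code.
# Constructed (username, source IP) logon events, in arrival order.
CONSTRUCTED_EVENTS = [
    ("CORP\\alice", "10.1.1.20"),
    ("CORP\\USNYDV001$", "10.1.1.20"),  # machine account on the same workstation
    ("bob@corp.example", "10.1.1.21"),
    ("USNYDV002$", "10.1.1.21"),
    ("CORP\\USNYDV003$", "10.1.1.22"),  # machine logon only, no user logon seen
]


def sam_name(username):
    """Strip a DOMAIN\\ prefix or @domain suffix, leaving the sAMAccountName."""
    name = username.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def is_machine_account(username):
    """A machine account's sAMAccountName is the computer name plus '$'."""
    return sam_name(username).endswith("$")


def process(events, map_machine_accounts=False):
    """Return (log, ip_map). Every event is logged; each IP keeps only the
    most recently mapped name (last-writer-wins is an assumption here)."""
    log, ip_map = [], {}
    for username, ip in events:
        machine = is_machine_account(username)
        mapped = map_machine_accounts or not machine
        log.append({"user": username, "ip": ip,
                    "machine": machine, "mapped": mapped})
        if mapped:
            ip_map[ip] = username
    return log, ip_map


if __name__ == "__main__":
    log, ip_map = process(CONSTRUCTED_EVENTS)
    for entry in log:
        print(entry)
    print("mappings:", ip_map)
    # Hypothetical: mapping machine accounts would overwrite the users' entries.
    print("if mapped:", process(CONSTRUCTED_EVENTS, map_machine_accounts=True)[1])
```

With `map_machine_accounts=True`, the entry for 10.1.1.20 is replaced by the machine account, which is the conflict the Resolution section refers to.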