Wednesday, February 3, 2010

Generalist or Specialist?

This is just me musing for a moment. Nothing technical here. Move on if you were looking for the register code in a cisco router to tell it that on next boot you want it to go to normal mode but allow for Ctrl+Break to be pressed to jump to RomMon Mode at any time, even in User Mode (0x2002). As opposed to normal (0x2102), as opposed to setup mode (0x2142), or setup mode that allows for Ctrl+Break (0x2042).

The question is this. How much can I afford to gereralize? Technologies grow more and more complex, even as their ease of use gets simpler and simpler. For the end user, they log on once and have access to their defined "world" with ease. But for the technology specialist, there is so much work to create that "world". Is it better to have just a few specialties, preferably related, or to understand the holistic view? It seems that only managers can afford to have the broad view anymore.   Let me know what you think via this poll: and your comments!

Wednesday, January 20, 2010

So you want to assign DEFAULT permissions to active directory objects…

Maybe you want your delegated admin or help desk team to have the ability to manage user account objects throughout active directory, but you don’t want to make them members of the domain admins group. You could delegate authority to this group at a domain or ou level. Likewise you may want certain groups to be able to manage all group policies without having to give them special permissions, or, again, without making them domain administrators. Again, you could use the delegation of control wizard or security tab to set permissions that will be inherited by all objects of this type at the domain or OU level. Or…

You could do what Microsoft has already done, and assign default permissions to objects based upon their schema class type. These default permissions can be easily removed without breaking inheritance, which can be a better model for some administrators. One word of warning: these changes are made forest-wide – so all the domains will be creating objects with these permissions in place. In a multi-domain environment this could be just what you wanted (central management) or absolutely the wrong thing (cross-domain security breach). If it’s just too widespread, you’ll need to use active directory delegation tools instead of default permissions.

Active Directory Cookbook, 2nd EditionTo do this, you will need to be logged in as a member of the schema administrators group, which by default is only the default administrator account. Note that being a member of the Enterprise administrators group is not the same thing. That group has permissions over the configuration and domain directory partitions, but not the schema partition of active directory that determines what objects you can build, what attributes those objects will have, and of course, what default permissions the will begin with.

You will also need to install the administrative tools on your machine (adminpak.msi from the server’s c:\windows\system32 directory or download from Microsoft here:

After installing the administrative tools, you will have all the default active directory tools on your desktop, but no tool for schema. You will need to create a new MMC console (go to the run line, type mmc, and press enter) and then add the Schema snap-in (file to add/remove snap-in, click add, choose Active Directory Schema).

Then you will need to open the classes object and find the object class you are looking for. Users are easy (it’s called users) and Group Policy Objects are too (They are called groupPolicyContainers). In the properties for the object, there is a default security tab which you can use to set the default permissions for new objects based upon this schema class. However, you won’t see the change until (a) you restart the Netlogon service and (b) this has replicated to all the domain controllers in your forest. You can make these permissions apply to existing objects by going to the security tab of an AD object, going to advanced, and clicking default, which will set the local permissions to the schema default values. Good Luck!!!

Tuesday, January 19, 2010

Printers are NOT your friend

I wanted to repost an uber-hilarious entry (with pictures) regarding the way that printers don't seem to be making our lives any easier:

Friday, January 8, 2010

I wish I could use Cisco's SDM...

Cisco's Security Device Manager (SDM) is a web based front end for a cisco router. Most things you want to do from the CLI can be done from the SDM, which, being a GUI, is very intuitive. The SDM functions on routers running IOS 12.4 and above.

Cisco Routers for the Desperate: Router and Switch Management, the Easy WaySome of you are thinking... I have a Cisco Simulator but it only emulates the CLI - I want to see this SDM interface I've heard about, but I can't! Good news! You can download a free version of the SDM and even a demo "router" to see what the interface is like. is the link to download the SDM (requires JAVA, will automatically download when needed) If you aren't lucky enough to have a router running 12.4, you can use this demo to play with the SDM.

A couple of things to remember:
1. Disable pop-up blockers
2. Allow active content to run in files on my computer. (advanced settings in IE)

Thursday, January 7, 2010

Four (4) Key Cisco Shortcuts

I wanted to share four things that speed up my use of the Cisco CLI.
One of the things that slows down your ability to use the CLI is having to navigate up a context by typing EXIT, viewing information, and then returning. The first two CLI tricks help with this issue.
Get Global
If you are in a sub-interface level command, you can enter a different sub-interface without returning to the parent interface.
For example:
(config)# interface fa 0/0
(config-if)# ip address
(config-if)# interface fa 0/1
(config-if)# ip address

 - notice that there was no exit command between the second and third steps.
Another way to avoid the exit in a sub-interface mode is to type a global configuration command without exiting first - really that's what you did a moment ago - you called for a global config command to enter a sub-interface without leaving the interface first. But you can enter any global config command you want!
For example:
CCNA Practice Questions (Exam 640-802) (3rd Edition)(config)# interface fa 0/0
(config-if)# ip address
(config-if)# hostname Router1

 - Notice that the router rip command, a global configuration was issued without leaving the sub-interface context, and then I was left at the global level. Be aware that tab-completion and ? help will not work across contexts.
Do the "Do"
If you are in any configuration mode and wish to issue a command from the enable mode, such as all the show and debug commands, you can do so with the "Do" command. You remain in your config mode, but get the results from the enable mode.

(config)# interface fa 0/0
(config-if)# ip address
(config-if)# no shutdown
(config-if)# do show ip int brief
Interface            IP-Address        OK?  Method    Status                   Protocol
Serial0              unassigned        YES  unset     administratively down    down
FastEthernet0/0       YES  unset     up                       up

-notice that with the do command I was able to verify what I had done at the interface level, saving myself from typing the exit command, the configure terminal command, and the interface fa 0/0 command!
Where do I "begin"?
When you show a long list, such as a mac-address-table or configuration file, it is often inconvenient to try and  find the particular place where an item is located that you want to verify. Fortunately, you can pipe your show command into a begin statement that will actually find what you are looking for and start your results there!
For example:
Router1# show running-config | begin line
Building configuration...
line con 0
  transport input none
line aux 0
line vty 0 15
no scheduler allocate

So - I hope these tools will help you use Cisco's CLI with greater speed and agility, so you can spend less time scanning and more time doing!

Monday, October 5, 2009

Using LDAP Saved Queries for Active Directory

In Active Directory, if you have more than one account in the same container, you can mass select them by CTRL+Clicking or SHIFT+Clicking them.  Once selected as a collection (I will refrain from using the term "group" in order to avoid "confusion"), you can enable or disable them, move them into a group, or modify many of their properties at the same time. 

The challenge in using this ability comes when the users that you want to manage live in different OUs, which prevents them from being selected simultaneously.   But fear not!  You can flatten the OU structure of an Active Directory domain in order to find and manage related accounts quickly by using Saved Queries!  Saved Queries will also allow you to find accounts based upon properties in a way that would otherwise be vastly time consuming.

Active Directory Cookbook, 3rd EditionSaved Queries are found in the Active Directory Users and Computers console.  Right click on saved queries, and create a new query.  Give your query a useful name, and then click "define query".  Now you can see that anything you can find with Active Directory Find can be found and saved here. Choose "custom search" from the drop down of options at the top.  Then go to the advanced tab, you will be presented with a blank LDAP query field.  This is where you will enter your queries.  I will now present several queries for your benefit, and explain what they do.

All Users Query: (objectCategory=person)(objectClass=user)
This query is a simple tool that allows you to have a logical search container that finds every user, no matter what OU they are hiding in.  Now you can seek, search, and sort to your hearts content within this structure.

Where's Bob Query: (objectCategory=person)(objectClass=user)(name=Bob)
This query finds any user named Bob, no matter where he is hiding.  I would just use the common query tool rather than the custom query to find him, but I want you to see the syntax in order to make sense of the next query...

Standard Users Query: (objectCategory=person)(objectClass=user)(!name=SUPPORT_388945a0)(name=*)(!name=Guest)(!name=Administrator)(!name=Krbtgt)
So, sometimes what is important is what you DON'T want to see!  Where (name=Bob) found the account we wanted, (!name=Administrator) indicates what we want to be filtered out.  The exclamation point acts as the boolean operator "NOT" in this query. 

Disabled Users - (objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)
This query finds all disabled users by their userAccountControl value.  Again, this one would be easy enough to do with a common query, where it is just a checkbox to find these accounts.  In fact, that is exactly what I did to create this query.  But on the main query page (before the editor), you can see the LDAP query that the common query created.  Again, I can use this to look for something that is NOT a common query...

NOT Disabled Users - (objectCategory=person)(objectClass=user)(!UserAccountControl:1.2.840.113556.1.4.803:=2)
Once again, the exclamation point before the setting makes it invert the selection, now finding all accounts that have not been disabled.  Remember that first query that flattened all the users?  Many organizations disable accounts instead of deleting them when people leave the company.  That means that with the first query you would find tons of old user accounts.  This query eliminates them from the display.

Locked Out Accounts - (ObjectCategory=Person)(ObjectClass=User)(LockoutTime>=1)
Finding accounts that are locked out so that they can be unlocked and have their password reset is a common issue.  Now, instead of trying to find the locked out account (which has no distinguishing icon, unlike disabled accounts), you can have Active Directory Users and Computers find it for you!

Only Temporary Accounts that will Expire - (objectCategory=person)(objectClass=user)(!accountexpires=9223372036854775807)(!accountexpires=0)
When an user account is created for a contract worker or temp worker, they are often given user expiration dates.  Default accounts will either have 0 or that huge number you see above as their value.  Again, this query dives in, finds the temp accounts in any region or department they may be located in, and brings them to the surface, perhaps so that you can reset their expiration date to something later, or delete or disable their account early.

All Computers - (objectCategory=computer)
You guessed it.  This finds all computers, no matter where they might be hiding in your AD structure.

Used Computer Accounts - (&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*))
When a computer joins the domain, it populates it's own operating system field. This query uses the "*" as a wildcard character, which will find ALL operating systems, meaning that the field can be anything... except blank.

Prestaged Computer Accounts - (&(sAMAccountType=805306369)(objectCategory=computer)(!operatingSystem=*))
When a computer joins the domain, it populates it's own operating system field.  Therefore, by searching for all users accounts where the operating system is NOT filled with anything, you can find prestaged computer accounts that are set up ahead of time by administrators to support future clients.

Well, that's it for now.  If there is a query you would like to know how to do, please feel free to ask!  You can learn a lot by using the basic queries and backsolving.  You can also find out a great deal by configuring accounts differently and then viewing their properties in adsiedit.msc or in the 2008 ADUC properties tab.
One last note about saved queries.  Once you create them, they are saved with the console, NOT in Active Directory.  That means other users will not be able to see them.  Even you won't be able to see them if you open a different MMC console!  Fortunately, you can right click and export them as XML files, and import them into any other MMC where needed.  You may wish to export them and have them available on a network drive... just in case.

Wednesday, August 26, 2009

Finding Microsoft Server info using the knowledge base and your search engine

Like most of you, I have grown indebted the wealth of information that is available on the World Wide Web. I'll research the inner workings of some new and exciting products, or I'll try to wrestle the last dying gasps out of a service that is on its last legs. I am often surprised that many IT pros don't know how to isolate their searches using a few simple parameters to their search engine queries. Whether you Bing or Google these days, these two simple tricks can help you find what you are looking for faster.

How to Do Everything with GoogleTip #1: Get what you want, where you want it! When researching a problem by typing in an error code or symptom into a search engine, I often get a flood of links to forums. Don't get me wrong - forums are one of the most powerful collaboration techniques on the internet, and the natural evolution of the older newsgroups. It's just that sometimes, what I really want is a search result that comes straight from the Microsoft knowledge base, the MSDN site, the Cisco web site, or Amazon. Or... sometimes I specifically want to exclude a site that sends a lot of results I don't want. Let's say the search was for exchange 2007 OWA errors and I did a normal search:

You'll notice the results are all over the map on various web sites.

Now we'll try it again with a small addition to the query:

Did you see the difference? I added to the original query the phrase By doing this, the search engine will exclude any results that are not in from the Microsoft knowledge base. If I was researching standard documentation for OWA, I would have added If I was looking for technical books on exchange and OWA, you guessed it, I would have added It's just that easy. And of course, if I just want to exclude the msexchange forum traffic through my results, then I would add The minus sign before the site will add the Boolean NOT to my search, keeping me forum free for this lookup.

Tip #2: Look for what you want in the format you want it. These days, some of the clearest insights on technology are presented in a non-web format, such as PDF or PowerPoint. So, if I'm looking for a walkthrough on a technology, I'll often include the filetype: phrase in my search, as listed below:

So I'm curious about the new features in Windows Server 2008, and I'm willing to bet that more than one someone has created a concise (unlike the corporate web pages) presentation on the subject. Of course, if I want to ensure that I'm not just getting the "yes man" verbiage on the subject, I could combine our two search tips, making it new features "Windows Server 2008" filetype:ppt
If you do certain advanced searches often, you could also "save" the advanced settings as custom searches in Internet Explorer's search provider. I hope this helps you to speed up all your searches on Microsoft Windows Server, SQL, or the latest version of Ubuntu!