Wednesday, January 20, 2010

So you want to assign DEFAULT permissions to active directory objects…

Maybe you want your delegated admin or help desk team to have the ability to manage user account objects throughout Active Directory, but you don’t want to make them members of the Domain Admins group. You could delegate authority to this group at a domain or OU level. Likewise, you may want certain groups to be able to manage all group policies without giving them special permissions or, again, making them domain administrators. Again, you could use the Delegation of Control wizard or the security tab to set permissions that will be inherited by all objects of this type at the domain or OU level. Or…

You could do what Microsoft has already done, and assign default permissions to objects based upon their schema class type. These default permissions can be easily removed without breaking inheritance, which can be a better model for some administrators. One word of warning: these changes are made forest-wide – so all the domains will be creating objects with these permissions in place. In a multi-domain environment this could be just what you wanted (central management) or absolutely the wrong thing (cross-domain security breach). If it’s just too widespread, you’ll need to use active directory delegation tools instead of default permissions.

To do this, you will need to be logged in as a member of the Schema Admins group, which by default contains only the default administrator account. Note that being a member of the Enterprise Admins group is not the same thing. That group has permissions over the configuration and domain directory partitions, but not the schema partition of Active Directory, which determines what objects you can build, what attributes those objects will have, and of course, what default permissions they will begin with.

You will also need to install the administrative tools on your machine (adminpak.msi from the server’s c:\windows\system32 directory or download from Microsoft here:

After installing the administrative tools, you will have all the default Active Directory tools on your desktop, but no tool for the schema. You will need to create a new MMC console (go to the Run line, type mmc, and press Enter) and then add the Schema snap-in (File > Add/Remove Snap-in, click Add, and choose Active Directory Schema).

Then you will need to open the Classes node and find the object class you are looking for. Users are easy (it’s called users) and Group Policy Objects are too (they are called groupPolicyContainers). In the properties for the object, there is a Default Security tab which you can use to set the default permissions for new objects based upon this schema class. However, you won’t see the change until (a) you restart the Netlogon service and (b) the change has replicated to all the domain controllers in your forest. You can make these permissions apply to existing objects by going to the security tab of an AD object, going to Advanced, and clicking Default, which will set the local permissions to the schema default values. Good Luck!!!
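Because a change on the Default Security tab lands on every new object of that class in every domain, it is worth decoding the descriptor before and after you touch it. The Default Security tab writes the class's defaultSecurityDescriptor attribute, which is stored as an SDDL string. The script below is an added example (not code from this post or from Microsoft): it parses the DACL part of an SDDL string, names the well-known trustees and rights, and flags any allow ACE that hands a broad principal (Everyone, Authenticated Users, Domain Users) a right that can modify the object or its ACL. The SDDL it runs over is constructed for the example and is not the real default of any schema class; the GUID and the S-1-5-21 SID in it are placeholders.

```python
"""Decode a schema defaultSecurityDescriptor (SDDL) and flag broad write grants.

The SDDL below is constructed for this example and is not the real default of any
schema class; read the real value from the Schema snap-in's Default Security tab or
from the defaultSecurityDescriptor attribute of the classSchema object.
"""
import re

# Well-known trustee abbreviations that appear in SDDL strings
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SA": "Schema Admins",
    "BA": "Builtin Administrators", "AO": "Account Operators", "SY": "Local System",
    "PS": "Principal Self", "CO": "Creator Owner", "AU": "Authenticated Users",
    "WD": "Everyone", "DU": "Domain Users", "ED": "Enterprise Domain Controllers",
}

# Two-letter access rights used in the rights field of an ACE
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS",
}

# Rights that let the trustee change the object or its ACL (or exercise an extended right),
# and principals too broad to hold them on every new object in the forest
REVIEW_RIGHTS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD", "DT", "SW", "CR"}
BROAD_TRUSTEES = {"WD", "AU", "DU"}


def decode_rights(rights):
    """Split an SDDL rights field into its two-letter codes (a hex mask is kept as-is)."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError("odd-length rights field: " + rights)
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    bad = [c for c in codes if c not in RIGHTS]
    if bad:
        raise ValueError("unknown rights code(s): " + ",".join(bad))
    return codes


def parse_sddl(sddl):
    """Return the DACL of an SDDL string as a list of ACE dicts (owner, group and SACL are skipped)."""
    m = re.search(r"D:([A-Z]*)(?=\()", sddl)   # "D:" plus optional flags (P, AI, ...) before the first ACE
    if not m:
        return []
    dacl = sddl[m.end():].split("S:")[0]       # a SACL, if present, follows the DACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, obj_type, inherit_type, trustee = fields
        aces.append({
            "type": ace_type, "flags": flags, "rights": decode_rights(rights),
            "object_type": obj_type, "inherited_object_type": inherit_type,
            "trustee": trustee, "trustee_name": SID_ALIASES.get(trustee, trustee),
        })
    return aces


def risky_aces(aces):
    """Allow ACEs that give a broad principal a right worth a second look before it goes forest-wide."""
    return [a for a in aces
            if a["type"] in ("A", "OA") and a["trustee"] in BROAD_TRUSTEES
            and set(a["rights"]) & REVIEW_RIGHTS]


def describe(ace):
    """One readable line per ACE: type, trustee, rights and (for object ACEs) the target GUID."""
    rights = " ".join(RIGHTS.get(c, c) for c in ace["rights"])
    scope = f" on {ace['object_type']}" if ace["object_type"] else ""
    return f"{ace['type']:2} {ace['trustee_name']:<32}{rights}{scope}"


# Constructed sample shaped like a user-class default descriptor. The GUID and the
# S-1-5-21 SID are placeholders, not real identifiers.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)"
    "(A;;RPLCLORC;;;PS)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;WP;11111111-2222-3333-4444-555555555555;;DU)"   # the slip: Domain Users, not the help desk group
    "(A;;RPWPLCLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"  # intended help desk delegation
    "(D;;WD;;;WD)"
)

if __name__ == "__main__":
    aces = parse_sddl(SAMPLE_SDDL)
    for a in aces:
        print(describe(a))
    print("\nACEs to review before this becomes the forest-wide default:")
    for a in risky_aces(aces):
        print("  " + describe(a))
```

The only ACE the script flags is the object ACE granting WRITE_PROPERTY to Domain Users; the Account Operators and Authenticated Users entries are left alone because one is a built-in admin group and the other only gets read and list rights. Run it against the real string you read from the snap-in before you click OK.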

Tuesday, January 19, 2010

Printers are NOT your friend

I wanted to repost an uber-hilarious entry (with pictures) regarding the way that printers don't seem to be making our lives any easier:

Friday, January 8, 2010

I wish I could use Cisco's SDM...

Cisco's Security Device Manager (SDM) is a web-based front end for a Cisco router. Most things you want to do from the CLI can be done from the SDM, which, being a GUI, is very intuitive. The SDM runs on routers running IOS 12.4 and above.

Some of you are thinking... I have a Cisco simulator, but it only emulates the CLI. I want to see this SDM interface I've heard about, but I can't! Good news! You can download a free version of the SDM and even a demo "router" to see what the interface is like. is the link to download the SDM (requires Java, which will automatically download when needed). If you aren't lucky enough to have a router running 12.4, you can use this demo to play with the SDM.

A couple of things to remember:
1. Disable pop-up blockers
2. Allow active content to run in files on my computer. (advanced settings in IE)

Thursday, January 7, 2010

Four (4) Key Cisco Shortcuts

I wanted to share four things that speed up my use of the Cisco CLI.
One of the things that slows down your ability to use the CLI is having to navigate up a context by typing EXIT, viewing information, and then returning. The first two CLI tricks help with this issue.
Get Global
If you are in a sub-interface level command, you can enter a different sub-interface without returning to the parent interface.
For example:
(config)# interface fa 0/0
(config-if)# ip address
(config-if)# interface fa 0/1
(config-if)# ip address

Notice that there was no exit command between the second and third steps.
Another way to avoid the exit in a sub-interface mode is to type a global configuration command without exiting first - really that's what you did a moment ago - you called for a global config command to enter a sub-interface without leaving the interface first. But you can enter any global config command you want!
For example:
(config)# interface fa 0/0
(config-if)# ip address
(config-if)# hostname Router1

Notice that the router rip command, a global configuration command, was issued without leaving the sub-interface context, and then I was left at the global level. Be aware that tab completion and ? help will not work across contexts.
Do the "Do"
If you are in any configuration mode and wish to issue a command from the enable mode, such as all the show and debug commands, you can do so with the "Do" command. You remain in your config mode, but get the results from the enable mode.

(config)# interface fa 0/0
(config-if)# ip address
(config-if)# no shutdown
(config-if)# do show ip int brief
Interface            IP-Address        OK?  Method    Status                   Protocol
Serial0              unassigned        YES  unset     administratively down    down
FastEthernet0/0       YES  unset     up                       up

Notice that with the do command I was able to verify what I had done at the interface level, saving myself from typing the exit command, the configure terminal command, and the interface fa 0/0 command!
Where do I "begin"?
When you show a long list, such as a mac-address-table or a configuration file, it is often inconvenient to try to find the particular place where the item you want to verify is located. Fortunately, you can pipe your show command into a begin statement that will find what you are looking for and start your results there!
For example:
Router1# show running-config | begin line
Building configuration...
line con 0
  transport input none
line aux 0
line vty 0 15
no scheduler allocate
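One thing the begin example hides is that IOS treats the filter argument as a regular expression matched anywhere in the line, so "| begin line" will stop at an interface description that happens to contain the word "line" rather than at "line con 0"; anchoring with "| begin ^line" avoids that. To make the behaviour of these filters and of the "do show ip int brief" check concrete, here is an added example, not code from this post or from Cisco, that reproduces the begin/include/exclude filters and parses the interface table over a constructed running-config and a constructed show output (192.0.2.0/24 is a documentation range, and nothing here was captured from a real router).

```python
"""IOS-style output filters and a 'show ip interface brief' parser, run over constructed output.

Added example: the running-config and interface table below are constructed for the
example, not captured from a real router, and 192.0.2.0/24 is a documentation range.
"""
import re


def ios_filter(output, verb, pattern):
    """Mimic 'show ... | begin/include/exclude <regex>' on captured command output."""
    rx = re.compile(pattern)                  # IOS treats the filter argument as a regular expression
    lines = output.splitlines()
    if verb == "begin":                       # everything from the first matching line onward
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if verb == "include":
        return [ln for ln in lines if rx.search(ln)]
    if verb == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    raise ValueError("unknown filter verb: " + verb)


# One row of 'show ip interface brief'; Status may be two words ("administratively down")
IP_BRIEF_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)\s*$")


def parse_ip_int_brief(output):
    """Parse 'show ip interface brief' into {interface: {ip, status, protocol}}."""
    table = {}
    for line in output.splitlines():
        m = IP_BRIEF_ROW.match(line)
        if m:                                 # the header line and blank lines do not match
            name, ip, _ok, _method, status, protocol = m.groups()
            table[name] = {"ip": ip, "status": status, "protocol": protocol}
    return table


def not_up(table):
    """Interfaces that are anything other than up/up, i.e. what 'do show ip int brief' is checked for."""
    return [n for n, r in table.items() if (r["status"], r["protocol"]) != ("up", "up")]


# Constructed running-config; the interface description deliberately contains the word "line"
RUNNING_CONFIG = """\
Building configuration...

Current configuration : 640 bytes
!
hostname Router1
!
interface FastEthernet0/0
 description Leased line to branch office
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface Serial0
 shutdown
!
line con 0
 transport input none
line aux 0
line vty 0 15
 transport input ssh
!
no scheduler allocate
end
"""

# Constructed 'show ip interface brief' output matching the config above
IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.0.2.1       YES manual up                    up
Serial0                unassigned      YES unset  administratively down down
"""

if __name__ == "__main__":
    print("--- | begin line (unanchored, stops too early) ---")
    print("\n".join(ios_filter(RUNNING_CONFIG, "begin", "line")[:3]))
    print("--- | begin ^line ---")
    print("\n".join(ios_filter(RUNNING_CONFIG, "begin", "^line")))
    print("--- | include ^interface ---")
    print("\n".join(ios_filter(RUNNING_CONFIG, "include", "^interface")))
    print("--- interfaces not up/up ---")
    print(not_up(parse_ip_int_brief(IP_INT_BRIEF)))
```

The unanchored filter returns the config from the " description Leased line to branch office" line onward, while "^line" starts at "line con 0" as intended; the same regex rules apply to include and exclude, so anchoring is a habit worth keeping when you are scanning a long config for a specific stanza.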

So - I hope these tools will help you use Cisco's CLI with greater speed and agility, so you can spend less time scanning and more time doing!