Posts Tagged ‘HOW-TO’

Add OS X Network Settings Remotely (Without Breaking Stuff)

Monday, September 23rd, 2013

So you’re going to send a computer off to a colocation facility, and it’ll use a static IP and DNS when it gets there, the info for which it’ll need before it arrives. Just like colo, you access this computer remotely to prepare it for its trip, but don’t want to knock it off the network while prepping this info, so you can verify it’s good to go and shut it down.

It’s the type of thing, like setting up email accounts programmatically, that somebody should have figured out and shared with the community as some point. But even if my google-fu is weak, I guess I can deal with having tomatoes thrown at me, so here’s a rough mock-up:


# purpose: add a network location with manual IP info without switching 
#   This script lets you fill in settings and apply them on en0(assuming that's active)
#   but only interrupts current connectivity long enough to apply the settings,
#   it then immediately switches back. (It also assumes a 'Static' location doesn't already exist...)
#   Use at your own risk! No warranty granted or implied! Tell us we're doing it rong on twitter!
# author: Allister Banks, 318 Inc.

# set -x

declare -xr networksetup="/usr/sbin/networksetup"

declare -xr MYIP=""
declare -xr MYMASK=""
declare -xr MYROUTER=""
declare -xr DNSSERVERS=""

declare -x PORTANDSERVICE=`$networksetup -listallhardwareports | awk '/en0/{print x};{x=$0}' | cut -d ' ' -f 3`

$networksetup -createlocation "Static" populate
$networksetup -switchtolocation "Static"
$networksetup -setmanual $PORTANDSERVICE $MYIP $MYMASK $MYROUTER
$networksetup -setdnsservers $PORTANDSERVICE $DNSSERVERS
$networksetup -switchtolocation Automatic

exit 0

Caveats: The script assumes the interface you want to be active in the future is en0, just for ease of testing before deployment. Also, that there isn’t already a network location called ‘Static’, and that you do want all interface populated upon creation(because I couldn’t think of particularly good reasons why not.)

If you find the need, give it a try and tweet at us with your questions/comments!

Configure network printers via command line on Macs

Wednesday, December 26th, 2012

In a recent Twitter conversation with other folks supporting Macs we discussed ways to programmatically deploy printers. Larger environments that have a management solution like JAMF Software’s Casper can take advantage of its ability to capture printer information and push to machines. Smaller environments, though, may only have Apple Remote Desktop or even nothing at all.

Because Mac OS X incorporates CUPS printing, administrators can utilize the lpadmin and lpoptions command line tools to programmatically configure new printers for users.


A basic command for configuring a new printer using lpadmin looks something like this:

lpadmin -p "salesbw" -v "lpd://" -D "Sales B&W" -L "2nd floor print center" -P "/Library/Printers/PPDs/Contents/Resources/HP LaserJet 8150 Series.gz" -E

Several options follow the lpadmin command:

  • -p = Printer name (queue name if sharing the printer)
  • -v = IP address or DNS name of the printer
  • -D = Description of the printer (appears in the Printers list)
  • -L = Location of the printer
  • -P = Path the the printer PPD file
  • -E = Enable this printer

The result of running this command in the Terminal application as an administrator looks like this:

New printer


Advanced printer models may have duplex options, multiple trays, additional memory or special features such as stapling or binding. Consult the printer’s guide or its built-in web page for a list of these installed printer features.

After installing a test printer, use the lpoptions command with the -l option in the Terminal to “list” the feature names from the printer:

lpoptions -p "salesbw" -l

The result is usually a long list of features that may look something like:

HPOption_Tray4/Tray 4: True *False
HPOption_Tray5/Tray 5: True *False
HPOption_Duplexer/Duplex Unit: True *False
HPOption_Disk/Printer Disk: *None RAMDisk HardDisk
HPOption_Envelope_Feeder/Envelope Feeder: True *False

Each line is an option. The first line above displays the option for Tray 4 and shows the default setting is False. If the printer has the optional Tray 4 drawer installed then enable this option when running the lpadmin command by following it with:

-o HPOption_Tray4=True

Be sure to use the option name to the left of the slash not the friendly name with spaces after the slash.

To add the duplex option listed on the third line add:

-o HPOption_Duplexer=True

And to add the envelope feeder option listed on the fifth line add:

-o HPOption_Envelope_Feeder=True

Add as many options as necessary by stringing them together at the end of the lpadmin command:

lpadmin -p "salesbw" -v "lpd://" -D "Sales B&W" -L "2nd floor print center" -P "/Library/Printers/PPDs/Contents/Resources/HP LaserJet 8150 Series.gz" -E -o HPOption_Tray4=True -o HPOption_Duplexer=True -o HPOption_Envelope_Feeder=True

The result of running the lpadmin command with the -o options enables these available features when viewing the Print & Scan preferences:

Printer options

With these features enabled for the printer in Print & Scan, they also appear as selectable items in all print dialogs:

Printer dialog


How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. Cross over cable (to connect SonicWALLs to each other) on the last ethernet interfaces.

7. 1 hub or switch for the WAN port on each SonicWALL to connect to.

8. 1 hub or switch for the LAN port on each SonicWALL to connect to.


1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).



1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”:

• “Associating Pre-Registered Appliances”:

• “Associating a New Unit to a Pre-Registered Appliance”:

2. Login to Primary HF and configure the SonicWALL (firewall rules, VPN, etc).

3. Connect the SonicWALLs to each other on their last ethernet ports using a cross over cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one. This will be the switch that all your LAN nodes connect to.).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.


Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.


Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit, they will be sync’d with the secondary unit).

1. Login as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.


Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log into the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.

Creating a binding script to join Windows 7 clients to Active Directory

Tuesday, July 3rd, 2012

There are some different ways to join Windows 7 to a domain.  You can do it manually, use djoin.exe to do it offline, use powershell, or use netdom.exe.

  • Doing so manually can get cumbersome when you have a lot of different computers to do it on.
  • With Djoin.exe you will have to run it on a member computer already joined to the domain for EACH computer you want to join since it will create a computer object in AD for each computer before hand.
  • Powershell is OK to use, but you have to set the script to unrestricted before hand on EACH computer.
  • Netdom is the way to go since you prep once for the domain, then run the script with Administrator privledges on whatever computers you want to join on the domain.  Netdom doesn’t come on most versions of Windows 7 by default.  There are two versions of netdom.exe, one for x86 and one for x64.  You can obtain netdom.exe by installing Remote Server Administration Tools (RSAT) for Windows 7, and then copying netdom.exe to a share.

A quick way to deal with both x86 and x64 architectures in the same domain would be to make two scripts.  One for x86 and one for x64 and have the appropriate netdom.exe in two different spots \\server\share\x86\ and \\server\share\x64\.

You’ll need to either grab netdom.exe from a version of windows 7 that already has it, or you’ll need to install RSAT for either x64 or x86 Windows 7 from here:, which ever you will be working with.  Install that on a staging computer.   The following steps are how to get netdom.exe from the RSAT installation.

  1. Download and install RSAT for either x64 or x86.
  2. Follow the help file that opens after install for enabling features.
  3. Enable the following feature: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools > AD DS Snap-ins and Command-Line Tools

netdom.exe will now be under C:\windows\system32

Create a share readable by everybody on the domain, and drop netdom.exe there.

Create a script with the following (From:

@echo off
SET netdomPath=c:\windows\system32
CALL BATCH.BAT %adminUser%
SET sourcePath=\\fileshare\folder\

::If necessary, copy netdom to the local machine
IF EXIST c:\windows\system32\netdom.exe goto join
COPY %sourcePath%netdom.exe %netdomPath%
COPY %sourcePath%dsquery.exe %netdomPath%
COPY %sourcePath%dsrm.exe %netdomPath%

::Join PC to the domain
NETDOM JOIN %computerName% /d:%domain% /UD:%adminUser% /PD:%passwd%

SHUTDOWN -r -t 0

Change domain and sourcepath to their real places.  Remove dsquery.exe and dsrm.exe if not needed.  If you’re just joining a domain, and not running anything after, then you don’t need them.

Create another script called “BATCH.BAT” that will hold your credentials that have access to joining computers to the domain.  Put BATCH.BAT in both places that house your Join-To-Domain script (…/x86 and …/x64)

@echo off
SET passwd=thisismypassword
SET adminuser=thisismyadminusername

  1. Ensure you have the scripts in the same directory.
  2. Open up a command prompt with Administrator privledges and change directory to the location of your scripts.

Runnning the first script will:

  1. Run a check to see if netdom, dsquery, and dsrm are installed under system32, if they are, it will then join the domain, if not it will attempt to download them from your share.
  2. Once it ensures it has the files it needs, it will join the computer to the domain under the “Computers” OU with its current computer name using the credentials set by BATCH.BAT.
  3. It will reboot when done.

This will work on both Server 2003 and Server 2008.

Open Directory Deployment Checklist

Thursday, April 12th, 2012

Open Directory on Lion Server, if deployed properly, is simple to set up, and is a stable and reliable directory service. If not deployed properly, it’s still simple to set up, but can be maddeningly difficult to troubleshoot and manage. It’s important to deploy it properly.

Some things to consider prior to deployment:

  • You should always discuss the purpose of a Directory service with the client, and make sure that you’ve evaluated their needs correctly. Some of Lion Server’s services absolutely require the system to be an Open Directory Master, but some function just fine on a Standalone system. Device Manager, in particular, will take you through OD Master configuration as a part of its own setup.
  • If legacy user records or other data need to be migrated, this will need to be taken into account, and time should be budgeted for managing this data. If you’re replacing a Leopard or Snow Leopard Open Directory server, you can import an OD Archive, but it may not always be the best idea.
  • Open Directory deployments should always include both an Open Directory Master and an Open Directory Replica. Plan accordingly.
  • Proper DNS resolution is absolutely essential to a successful Open Directory deployment. All servers must have correct forward and reverse lookups. Open Directory will not work properly if DNS is incorrect. If your OD deployment is going to be self-contained, you can set up the DNS service on the OD Master and Replica, so that they can resolve each other, and then the clients can refer to the OD Master for name resolution. If you’re deploying OD into a larger infrastructure, though, it’s adviseable to have consistent DNS across the whole organization.
  • It is not recommended that .local be used as TLD on the network where you’re deploying Open Directory. Though it is possible to successfully deploy Open Directory into a .local namespace, the odds are against you. Don’t do it unless there’s really no other options.

You can, if you like, use Server Admin to set up Open Directory, but performs some steps that Server Admin doesn’t. I don’t recommend using it to do the initial setup. However, Server Admin can be helpful in managing Open Directory after deployment. The Server Admin tools are not installed by default on Mac OS X 10.7, so you’ll need to download them from Apple.

When deploying Open Directory, the first thing you need to do is verify that DNS is resolving correctly:

$ sudo changeip -checkhostname

Primary address =

Current HostName =
DNS HostName =

The names match. There is nothing to change.
dirserv:success = “success”

If changeip outputs this error, or one that sounds like it, please repair DNS or set the hostname properly before proceeding.

The DNS hostname is not available, please repair DNS and re-run this tool.

In, there is a utility that helps you change your system’s hostname. Click on the computer name, under Hardware, then click the Network tab, and then click “Edit”.

If your hostname is good, open From the Manage menu, choose “Manage Network Accounts”. (If this option isn’t available, then this server is already managing network accounts, either as an OD Master or Replica.) This will start the setup assistant. You’ll need to provide an administrative account for Open Directory. Please note that this is not the same as the local administrative account that you create on initial server setup, and they should not have the same name. The default, Directory Administrator, is a good choice. Enter your Organization name and an administrator’s email address.

When you’re done, click the “Set Up” button, and you should be shortly returned to, with an Open Directory Master to manage.

At this point, it’s always a good idea to open up Console and check the logs, to make sure that there’s no glaring errors. The really informative one is /Library/Logs/slapconfig.log, but slapd.log and opendirectoryd.log, which are in /var/log, can also be very helpful.

Secure Site-to-Site VPN tunnel using the ASA

Sunday, April 8th, 2012

Site to Site VPN enables an encrypted connection between private networks over a public network (i.e. the Internet).

Basic steps to configure a site-to-site VPN with a Cisco ASA begin with defining the ISAKMP Policy. An ISAKMP/IKE policy defines how a connection is to be created, authenticated, and protected. You can have multiple policies on your Cisco ASA. You might need to do this if your ASA needs to connect to multiple devices with different policy configurations.

  • Authentication: specifies the method to use for device authentication
  • Hash: specifies the HMAC function to use
  • Encryption: specifies which algorithm to use
  • Group: specifies the DH key group to use

Next, you will need to establish IPsec transform set. Different Firmware versions and different Cisco devices have different options for the following…

  • Esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
  • Esp-aes: ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithim.
  • Esp-des: ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm.
  • Esp-3des: ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  • Ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
  • Ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm

3. Configure crypto access list-

Crypto ACL’s are used to identify which traffic is to be encrypted and which traffic is not. After the ACL is defined, the crypto maps use the ACL to identify the type of traffic that IPSec protects.

It’s not recommended to use the permit ip any any command. It causes all outbound traffic to be encrypted, and sends all traffic to the specified peer.

4. Configure crypto map

Used to verify the previously defined parameters

5. Now apply crypto map to the outside interface.


Configuration of ASA-1

You might have to enable ISAKMP on your device

ASA-1(config)#crypto isakmp enable

First defined the IKE polices on ASA-1

ASA-1(config)#crypto isakmp policy 10

The lower the policy number, the higher the priority it will set the ISAKMP policy to, affecting which policies will be used between sites.

General rule of thumb is to give the most secure policy the lowest number (like 1) and the least secure policy the highest number (like 10000)

ASA-1(config-isakmp)#encryption des

(enable encryption des)

ASA-1(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-1(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-1(config-isakmp)#group 2

(enable group 2)


(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-1.

ASA-1(config)#crypto isakmp key office address

(Here the Key is “office” and is ASA-2 Address)

  • Now create an access list to define only interesting traffic.

ASA-1(config)#access-list 100 permit ip host host

(100 is access list number and is source address and is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing method is md5-hmac)

ASA-1(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-1(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-1(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-1(config)# crypto map testcryp 10 set peer

(Set remote peer address)

  • Now apply the crypto map to the ASA – A interface

ASA-1(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-1(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Configuration of ASA-2

First defined the IKE polices on ASA-2

ASA-2(config)#crypto isakmp policy 10

(10 is isakmp policy number)

ASA-2(config-isakmp)#encryption des

(enable encryption des)

ASA-2(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-2(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-2(config-isakmp)#group 2

(enable diffie-Helman group 2)


(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA – B.

ASA-2(config)#crypto isakmp key office address

(Here Key is “office” and is ASA – A Address)

  • Now create an access list to define only interesting traffic.

ASA-2(config)#access-list 100 permit ip host host

(100 is access list number and is source address and is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-2(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing technique is md5-hmac)

ASA-2(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-2(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-2(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-2(config)# crypto map testcryp 10 set peer

(Set remote peer address)

  • Now apply the crypto map to the ASA – B outside interface

ASA-2(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-2(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Now to verify the secure tunnel, ping to other remote location.

ASA-2(config)# ping

Setting up Netboot helpers on a Cisco device

Tuesday, April 3rd, 2012

Configure a Cisco device for forwarding bootp requests is a pretty straightforward process. First off, this will only apply to Cisco Routers and some switches. You will need to verify if you device supports the IP Helper command. For example, the Cisco ASA will not support bootp requests.

By default the IP Helper command will forward different types of UDP traffic. The two important ones 67 and 68 for DHCP and BOOTP requests. Other ports can be customized to forward with some other commands as well. But it is quite simple pretty much if you have a Netboot server you can configure the IP Helper command to point that servers IP address.

Here is an example, lets say your NetBoot server has an IP Address of You would simply go into the global configuration mode switch to the interface you want to utilize and type “ip helper-address″ to simply relay those requests to that address. Depending on your situation you also might want to setup the device to ignore BOOTP requests (in cases that you have DHCP and BOOTP on the same network). That command is “ip dhcp bootp ignore”. Using the IP helper and Bootp ignore command together will ensure that those bootp requests are forwarded out the interface to the specified address.

Last if you have multiple subnets you can setup multiple IP Helper address statements on your device to do multiple forwarding.

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a Viewpoint VM machine you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf available from
This will be you step by step instruction manual for installing the Viewpoint VM.
Next you will need to identify which version VXI host and then download the same version client as your VXI host.
Lastly you will need log into and download the sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova from

When you have all three of these downloaded open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step by step instructions.
You will first install the VM client and may run into the first gotcha. Depending on machine setup the .exe may be blocked from running.
The download will look like this:, get properties on this file and unblock if blocked.
After the install of the VM client follow the instructions in the PDF till you get to page 18 step 2.

2. When the console window opens, click inside the window, type snwlcli at the login:
prompt and then press Enter. Your mouse pointer disappears when you click in the
console window. To release it, press Ctrl+Alt

Here is where you will run into the biggest gotcha.

You will be ask to log into with name and password, on first login use name of: snwlcli no password,
Then use the default name and password and continue.

Auditing Email in Google Apps

Thursday, March 22nd, 2012

In order to address situations where a Google Apps admin needs access to a user’s mail data, Google provides an Email Audit API. It allows administrators to audit a user’s email and chats, and also download a user’s complete mailbox. While Google provides this API, third-party tools are required in order to make use of the functionality. While there are some add-ons in the Google Apps Marketplace that make email auditing available, the most direct method of gaining access to this is with a command-line tool called Google Apps Manager. GAM is a very powerful management tool for Google Apps, but here we will focus on just what’s required to use the Email Audit API.

Using GAM requires granting access, with a Google Apps admin account, to a specific system. An OAuth token for the domain is stored in the GAM folder. Also, if you’re going to download email exports, it’s necessary to generate a GPG key and upload that to Google Apps. In light of both of these factors, it’s best to designate a specific system as the GAM management system. GAM is a collection of Python modules, so whatever system you designate should be something that has a recent version of Python. We’ll assume that we’re using a fairly recent Mac.

What we’ll do is download GPG and generate a GPG key, and then download GAM and get it connected to Google Apps.

Generating a GPG key

The GPGTools installer is here:

After installation, open up Terminal, in the account that you’ll be using to manage Google Apps.

Run the command:

$ gpg –gen-key –expert

For type of key, choose “RSA and RSA (default)”. For key size, you can probably safely choose a smaller key. Bear in mind that all your mailbox exports will be encrypted with this key and then will need to be decrypted after download. This can take a non-trivial amount of time, especially for larger mailboxes, and a larger key will mean much longer encryption and decryption times. A 1024-bit key should be fine in most cases.

When asked for how long the key should be valid, choose 0 so that the key does not expire.

Next you’ll be prompted for your name, email address and a comment. This information is not, at the moment, used by Google for anything. However, in the interests of long-term usability, I would recommend using the email address and name of an actual admin for the Google Apps domain.

Finally, you’ll be asked for a passphrase. This passphrase will be required in order to decrypt the downloaded mailboxes. Do not forget it. You will be unable to decrypt the downloads without it.

When key creation is complete, you’ll see something like this:

pub 1024R/0660D980 2012-03-22
Key fingerprint = A642 0721 2D4A 9150 6ED1 DBD7 AFFF 992F 0660 D980
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

Make a note of the ID of the public key, which in this case is 0660D980. You’ll need the ID to upload the key to Google.

Installing GAM

Prior to installing GAM, you’ll want to open up your default browser and log into to your Google Apps domain as an administrator. It’s not technically necessary – you can log in as an admin when the GAM install needs access, but you’ll find it authenticates more reliably if log in in advance.

GAM can be found here:

Download the python-src package, and put it somewhere in the home directory of the same user that generated the GPG key. The most reliable way to invoke GAM is using the python command to call the script:

$ python ~/Desktop/gam-2/

This assumes it was unzipped to the Desktop of the user account. Change the path where appropriate. In order to make this a bit easier, you can create an alias that will allow you to call it with just “gam”

$ alias gam=”python ~/Desktop/gam-2/”

From here on, we’ll assume you did this. Bear in mind that aliases created this way only last until the session ends (i.e. the Terminal window gets closed).

The first command you’ll need to run is:

$ gam info domain

You’ll be asked to enter your Google Apps Domain, and then you’ll be asked for a Client ID and secret. These are only necessary if you’ll be using Group Settings commands, which we won’t. Press enter to continue. You’ll now be presented with a list of scopes that this GAM install will be authorized for. You can just enter “16″ to continue with all selected, or you can just select Audit Monitors, Activity and Mailbox Exports for Email Audit functions. When you continue, you’ll see this:

You should now see a web page asking you to grant Google Apps Manager access. If you’re not logged in as an administrator, you can do that now, though you may experience some odd behavior. Once you grant access, return to the terminal Window and press Enter. At this point, GAM will retrieve information about your domain from Google Apps, and you’ll be returned to a shell prompt. GAM is installed and almost ready to use.

Uploading the GPG Key

There’s one final step to take before mailbox export requests are possible. The GPG key you generated earlier must be uploaded to Google. What you can do is have gpg export the key and pipe that directly to GAM. You’ll need the ID of the key so that you export the correct one to GAM. If you didn’t make a note of the ID earlier, you can see all the available keys with:

$ gpg –list-keys

pub 1024R/0660D980 2012-03-22
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

The ID you want is that of the public key. In this case, 0660D980. Now export an ASCII armored key and pipe it to GAM.

$ gpg –export –armor 0660D980 | gam audit uploadkey

Now you’re ready to request mailbox exports.

Dealing with mailbox exports

To request a mailbox export, use:

$ gam audit export includedeleted

This will submit a request for a mailbox export, including all drafts, chants, and trash. You can leave off “includedeleted” if you don’t want their trash. GAM will show you a request ID, which you can use to check the status of a request.

To check the status of one request, use:

$ gam audit export status

If you leave off either username or request ID, you’ll be shown the status of all requests, pending and completed. To download a request you can use:

$ gam audit export download

You must specify both the username and the request ID. Please note that GAM will download the files to the current working directory. The files will be named “export---.mbox.gpg. The numbers will start at 0. In order to decrypt the downloaded files, you’ll need to use GPG.

$ gpg –output –decrypt

This will decrypt one of the files. The predicatbility of the names makes it easy to programatically decrypt all the files. For instance if the username were bob, the ID were 53521381, and there were 8 files, you could use this command:

$ for i in {0..7}; do gpg –output export-bob-53521381-$i.mbox –decrypt export-bob-53521381-$i.mbox.gpg; done

When decryption is completed, you can take the resulting mbox files and import them into any mail client that supports mbox – Thunderbird is a good choice, though should work as well – or you can just look at them in a text editor.

Further Reading

For more details about using GAM or the Email Audit API, please consult the official documentation.

Google Apps Manager Wiki:

Google’s Email Audit API reference:

Adding incoming and outgoing access rules on a Cisco ASA

Saturday, March 17th, 2012

To understand incoming and outgoing rules there are a couple of things to know before you can define your rules. Let’s start with an understanding of traffic flow on an ASA. All incoming rules are meant to define traffic that come inbound to the ASA’s interface. Outgoing is for all traffic that is going outbound of an ASA’s interface. It does not matter which interface it is since this is a matter data flow and each active interface on an ASA will have it’s own unique address.

To try an explain this further let’s say we have and internal interface with an IP address of that is for your local area network to connect to. You can add a permit or deny rule to this interface specifying whether incoming or outgoing  traffic will be permitted or not. This allows you to control what computers can communicate past that interface or not. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems/devices could access the internet, certain protocols, or not.

Now if you know about the basic configuration of an ASA you know that you have to set the security level of the Internal and External ports. So by default these devices allow traffic from a higher security interface to a lower security interface. NAT/PAT will need to be configured depending on if you want to define port traffic for specified protocols.

For this article I will just mention that their are several types of Access Control Lists (ACL) that you can create on an ASA. These types are Standard, Extended, Ethertype, webtype, and IPV6. For this example we will use Extended because most likely that is what most everyone will use the most. With extended ACL not only can you specify IP addresses in the access control list, but you can specify port traffic to match the protocol that might be required.

Lets look at the the examples below:

You will see we are in the configuration terminal mode

ASA(config)# access-list acl extended permit tcp any host eq 80

-So the first part “access-list acl” means the access list will be named “acl”.
-Next you have a choice between type of access list. We are using Extended for this example.
-The next portion is the permit or deny option and we have permit selected for this statement.
-On the next selection that say’s “any” this refers to inside traffic (simply meaning that any internal traffic is allowed). If you dont use any you can specify specific devices by using “host and the IP address like that last part of this ACL statement.
-The next part of this refers to specifying a specific host address of equals port 80.

So this example tells us that our access control list named ACL will allow any inside traffic out the host address of that is internet traffic.

Later you will notice that your statement will look like this on the ASA

ASA(config)access-list acl extended permit tcp any host www
Notice how “eq 80″ default http traffic changed automatically to www) This is common on Cisco ASA devices).

Searching for the hidden Library folder?

Tuesday, March 6th, 2012

Just a quick note, came across this tip today for another way to get to the (hidden in Lion) Library folder: from the Finder’s Go menu, hold down Option.

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the internet. There are many more steps, options, and features to these devices (which later there will be more articles in regards to some of these features).

Bring your device into configuration mode
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (ASA’s use VLAN’s for added security by default)
318ASA(config)# interface Vlan 1

Configure interface VLAN 1
318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100

Set’s the security level to 100

318ASA(config-if)#ip address
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN\internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Name’s the interface outside

318ASA(config-if)#security-level 0
Assigns the most strict security level to the outside interface (lower the number the higher the security).

318ASA(config-if)#ip address
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1

***NOTE for ASA Version 8.3 and later***
Cisco announced the new Cisco ASA software version 8.3. This version introduces several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

318ASA(config)#nat (inside,outside) dynamic interface

For more info you can reference this article from Cisco with regards to the changes –

Configure the default route (for this example default gateway is
318ASA(config)#route outside 2 1

Last but not least verify and save your configurations. If you do not save your configurations you will have to.

Verify your settings are working. Once you have verified your configurations write to memory to save the configuration. If you do not write to memory your configurations will be lost upon the next reboot.

318ASA(config)#wr mem

Monitoring Xsan with Nagios and SNMP

Monday, December 12th, 2011

Monitoring a system or device using SNMP (a SonicWALL, for instance) is simple enough, provided you have the right MIB. XSNMP is an Open Source project that provides a simple Preference Pane to manage SNMP on OS X, and it also includes an MIB developed by LithiumCorp. This MIB provides OS X’s SNMP agent to gather and categorize information relating specifically to Mac OS X, Mac OS X Server, and Xsan.

XSNMP-MIB can be downloaded from GitHub, or directly from Lithium.

Download the XSNMP-MIB.txt file and put it in /usr/share/snmp/mibs. You can verify that the MIB is loaded by running snmpwalk on the system, specifying the XSNMP Version OID. If snmpwalk returns the version, the MIB is installed correctly. If it returns an error about an “Unknown Object Identifier”, then the MIB isn’t installed in the right spot.

bash$ snmpwalk -c public -v 1 my.server.address XSNMP-MIB::xsnmpVersion
XSNMP-MIB::xsnmpVersion.0 = Gauge32: 1

The fact that the MIB was developed by Lithium doesn’t stop us from using it with Nagios, though. You can define a Nagios service to gather the free space available on your Xsan volume by adding the following to a file called xsan_usage.cfg. Put the file in your Nagios config directory.

define service{
host_name xsan_controller
service_description Xsan Volume Free Space
check_command check_snmp!-C public -o xsanVolumeFreeMBytes.1 -m XSNMP-MIB

The host_name should match the Nagios host definition for your Xsan Controller. The service_description can be any arbitrary string that makes sense and describes the service.

The check_command definition is the actual command that’s run. The -C flag defines the SNMP community string, the -m flag defines which MIB should be loaded (you can use “-m all” to just load them all), and the -o flag defines which OID we should return. “xsanVolumeFreeMBytes.1″ should return the free space, in MB, of the first Xsan volume.

Upgrading VMware ESX 3i to ESXi 4.1i

Friday, November 18th, 2011


a. Workstation – Windows or linux based, either real or VM.

b. The VMhost – Should be backed up, and running ESX 3i (3.5.0)

c. new serial number for ESXi 4

1. go to and find the vSphere Hypervisor download area. download and the most current vsphere cli tools

2. download the appropriate upgrade package for the server. the file should be named something similar to “

3. stop all VMs on the hypervisor and place it in maintenance mode.

4. from your workstation, run the vSphere CLI.

5. in the CLI, run “cd bin”

6. in the CLI, run “ –server -i -b

Office 2004 Not Responding or Starting Up

Wednesday, November 2nd, 2011

Office 2004 hangs during the Project Gallery pop up window portion of the application starting, or during the Entourage splash page. Here are items to try to do when you run into this:

1. Check for Updates
2. Re-run last large update (this got me from Office 2004 not starting at all, just beach balling, to getting to splash screens)
3. Check disk health and repair disk permissions.
4. Delete Office Prefs Plists (move them to desktop so if it doesn’t work you can put them back)
a. ~/LIbrary/Preferences/Microsoft/
b. If that doesn’t work, try removing these plists
5. Delete, Move, or Rename “Microsoft User Data”
~/Documents/Microsoft User Data
This will allow Microsoft to recreate Microsoft User Data. In my case, it was OK since:
a. I don’t use templates
b. I have no problem recreating my signature
c. I don’t use POP access to my e-mail

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at A new account may be created for this purpose

2. Download the latest firmware from

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box ““Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (ie, a mail sever needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily setup multiple calendars in their account and access other uses calendars via a web browser or calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily skipping steps 3 and 4). If you would like to setup additional calendars for your personal Gmail account please follow the steps here:

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give the shared print queue a unique Sharing Name a Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (ie, “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

Defragmenting an Xsan Volume to Reallocate Storage

Friday, January 14th, 2011

In the life of an Xsan shop, you will at one point or another be presented with the need to defragment your volume. Defragmenting a volume is a good way to recover lost performance, but can also be beneficial in other scenarios: defragging is an absolute must after performing a bandwidth-style expansion of your volume, and is often recommended (though not absolutely necessary) when performing a capacity-style expansion. In case you’re confused, a bandwidth expansion is the type of expansion performed when you add LUNs to a specific storage pool. Conversely, a capacity expansion involves simply adding new storage pools to an existing volume.

Because the make-up of a storage pool is drastically altered when a bandwidth expansion is performed, the data is not properly distributed across any of the new LUNs that were added to the pool, this results in a shadow-effect where all capacity of the storage pool is not available for use by the system. Because of this, it is an absolute requirement that a defrag routine is ran. To perform this defrag, we use the standard snfsdefrag command, but we use the special ‘-d’ flag, which ensures that this shadowed storage space is reclaimed and that data is properly distributed across the storage pool:

snfsdefrag -dr /Volumes/MyXsanVolume

There are several scenarios where it may be desirable to rebalance the data on an existing volume. A capacity expansion of a volume will result in one or more new storage pools being added to the volume, but the new storage will not have any data written to it. Alternatively, an allocation strategy of round-robin or fill can, over time, result in a poor distribution of data across your storage. By spreading data across the storage evenly, you ensure that all disks are running at similar capacities, therefore netting more consistent performance across the volume, as disk performance tends to degrade as capacity increases.

When an snfsdefrag is ran, it will defragment files as specified by your parameters, and these files will be distributed onto the volume as per your allocation strategy. If you defragment a volume that has a ‘Fill’ allocation strategy, you will not gain any benefits of having evenly distributed data, though your individual files will no longer be fragmented.

Thus, if your main goal is balance all data across the volume, it will be necessary to change the volume’s allocation strategy to Balance and then defragment the volume. This will result in fragmented files to be relocated the lowest-capacity pool, an extremely effective method for balancing data. In Xsan 2.x, you can change a volume’s allocation strategy at the GUI level, which can be changed while the volume is live. In our experience, the change can be performed live and will not result in Xsan client service interruption to the volume, and active transfers proceed with no disruption. Even so, it’s best to perform the switch at a time when there’s minimal activity (preferably none) on the volume and no active transfers in progress.

Once you’ve converted the volume to the new strategy, you can proceed with the optimization, which is a fairly straightforward defrag performed with the command

snfsdefrag -r /Volumes/VolumeName

This will defragment any files with more than one extent, re-provisioning the optimized files to the next LUN in the allocation strategy. And because we’re now using the Balance strategy, the next LUN will always be the one with the lowest capacity—-our new LUNs, in this case. If, however, you had a healthy Xsan volume, this command may not properly balance data, because fragmented files will be rare. In such an event, run the command

snfsdefrag -r -m 0 /Volumes/VolumeName

This will defragment files with more than 0 extents, which is every file on the system, letting you rest assured that the volume will be nicely balanced at the end of the operation. The main trade off here is that doing so re-provisions all files on the volume, which can be a very time consuming task. If the volume has standard levels of fragmentation, running the command without the flag should do a decent job of balancing without having to operate against non-fragmented files as well.

Migrating the Apple Remote Desktop Database

Thursday, January 13th, 2011

Whenever dealing with data migrations, is always important to get a good handle on what data you need to transfer, and the purpose that it serves toward the operation of the program: some elements may be more important to you than others. In the case of Remote Desktop, there are a number of different data stores that you’ll want to be aware of:

  • /Library/Preferences/ – This file contains system-wide preferences, primarily serialization information, which is system-specific (so you’ll need to serialize on the new system using the original serial number).
  • /var/db/RemoteManagement – This database and set of caches contains the Remote Desktop Client database used by client reporting.
  • ~/Library/Application Support/Remote Desktop  – This folder is used to store your command presets (including Unix Send Command templates), your task history, and task manager settings and actions.
  • ~/Library/Preferences/ – This file contains the bulk of the Remote Desktop application experience, including the entire computer database, computer lists, scanners, and last but not least, access credentials for all computers in the database.

Once we have an understanding of the data stores utilized by ARD, it’s fairly trivial to transfer the admin database. Assume in the following example that we want to migrate our ARD database from our local computer instance, to a new computer connected via Firewire disk mode and mounted at /Volumes/NewMac. For most cases, all we really have copy over is the main user preference file ~/Library/Preferences/

cd /Volumes/NewMac/Users/username
cp -p ~/Library/Preferences/ Library/Preferences/

If you have any stored command templates, or want to preserve your task history, copy over the Application Support folder:

cp -pR ~/Library/Application\ Support/Remote\ Desktop/  Library/Application\ Support/Remote\ Desktop/

If your ARD install is collecting reports, you’ll likely want to copy those over as well. Because this database is root-owned, we’ll need to use sudo to copy it:

sudo cp -pR /var/db/RemoteManagement/ /Volumes/NewMac/var/db/RemoteManagement/

That’s it! It’s probably a good idea to restart for good measure, but for the basic ARD admin application, a relaunch should get you up and running with the new database.

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Login to SonicWALL

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact, System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1″ field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk. On a Mac, the command can be:

snmpwalk -c private -v 2c “wanipaddress of SonicWALL”


snmpwalk -c private -v 1 “wanipaddress of SonicWALL”

The SonicWALL utilizes version 1 and 2c for SNMP.

Create a User in Active Directory

Friday, January 7th, 2011

Yesterday, we looked at copying Active Directory accounts, but we hadn’t yet looked at creating new users. To create a new user, it is usually best to first log into a machine that has the Remote Server Administration Tools to run the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in… or the domain controller itself.  You will need to use the administrator login or an account that has administrative privileges.  On the domain controller, after you have logged in, go to the Start menu. Then click on Programs, Administrative Tasks, and choose Active Directory Users and Groups.

At the top click on action, choose new and then user.  It will then ask you for information about the user.  First Name, Last Name and the user name that you want to have the user use. Click next when complete.  The next window will ask you to type in a password for the user and then confirm it.  Standard policy is that you have at least one small character, one large character, and one special character and be at least 8 characters long.

Copy a User in Active Directory

Tuesday, January 4th, 2011

Creating new users in Active Directory is a fairly straight forward process. But often times it is easier to copy a user than create a new one. If you have a user that belongs to all the groups as you want a new user to be apart of, you can make life easy by making a copy of that user. To do that, you will need to remote into the domain controller with the domain administrator account or an account with administrator privileges.

Once you log on, go to start and then click on programs and choose Administrative Tools. Choose Active Directory Users and Groups. The best thing to do is to search for the user that you want to model the new user after. Before you do the search, go to view and chose Advanced Options. Then do a search. To do a search click on the search button at the top. It is the second to last button

In the next box, type in the name of the user that you want to use as the model. Make sure that Entire directory is selected.

Right click on the user and go to properties. Then click on the object tab. It will list what Organizational Unit that the user is in. Navigate to that user by using the folders on the left side of the screen, then right-click on the user and choose copy. A window will come up and you will need to type in the new users information.

After you complete this process, you will be asked to provide a password. By default, there are some password policies that you will want to maintain. Make sure that the password has at least one lower case, upper case and special case character. It has to be at least 8 characters long.

Once that completes, the new user has been completed and is ready to use, unless you would like to change group memberships, policies, etc.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Often times, it is necessary to lockdown outbound traffic to MX Logic. MX Logic can provide outbound filtering capabilities which assists against getting blacklisted, while also scanning your outgoing e-mail for malware. Also, limiting only the server to communicate with MX Logic ensures that no rogue mail servers can send out e-mail (often done by infected devices).

This guide assumes you have already used the Wizard to setup port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lockdown a SonicWALL to Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic
1. Go to Network
2. Go to Address Objects
3. Add Address Object
1. Name: MX Logic 1
2. Zone Assignment: WAN
3. TYPE: Network
4. Network: IP From MX Logic
5. Netmask: Subnet From MX Logic
NOTE: You will need to do this for each subnet that MX Logic Offers. Name them sequentially. The Address info can be found on MX Logic’s Portal.
4. Go to Address Objects
5. Create Address Object Group
6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a Rule that allows the mail server on the LAN to send out to anywhere on the WAN.
1. Action: Allow
2. From Zone: LAN
3. To Zone: WAN
4. Service: SMTP (or whatever you named your custom one)
5. Source: Your Address Object Representing Your Mail Server
6. Destination: MX Logic (The Address Object Group you created Previously).
7. Save your changes.
7. Create Another Rule to block all other outbound e-mail.
1. Go to Firewall
2. Go to LAN to WAN
3. Click Add
4. Action: Deny
5. From Zone: LAN
6. To Zone: WAN
7. Service: SMTP (or whatever you named your custom one)
8. Source: Any
9. Destination: Any
10. Save Your changes
8. Adjust Rule Order.
1. Ensure that the MX Logic Outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.

Adding Entourage Delegated Folders in Entourage for Hosted Exchange

Tuesday, October 19th, 2010

Setting up a mail account

Adding a hosted Exchange 2007 account to Entourage must be done manually as the auto discover feature doesn’t work with the hosts servers. Enter the user’s general information (name and email address) as you normally would. The user name will be the user’s email address, the domain is supplied by the host, and the mail server address is /exchange/usersemailaddress@domain.tld. The server does require SSL. The public folder server is supplied by the ISP (same as the OWA path in the server address) and it uses SSL.

Adding a delegated user’s folder

When adding another user’s folder, you have to use the advanced option to add the user’s folder because Entourage is currently accessing the server at which means that Entourage will attempt to access another user’s folder at /exchange/currentloggedinuser@domain.tld/userfolderthatyouwanttoadd which, of course won’t work. To get around this issue, click “open another user’s folder”, click advanced, enter the user’s full name, email address and enter the mail server address in the following format: /exchange/usersemailaddress@domain.tld. Click ok and select the other user’s folder that you want to add.

Hiding a Restore Partition With jamf

Monday, August 9th, 2010

The jamf command that is placed inside the /usr/sbin directory has a number of things it does really well. Many of the tasks exposed in Casper Admin can be tapped into using shell scripts.

One nice option that the Casper Suite has for the mobile users in many an enterprise is the ability to restore a given machine to a known good working state. Casper addresses this using a concept known as a restore partition. The restore partition can be used to deploy a base set of packages to a client, or maybe just a functional operating system that hooks back into the JSS, or JAMF Software Server. Because you want the restore partition to be somewhat undefiled, you can hide it. Then, if a user needs to boot to the restore partition, they would simply boot the computer holding down the option key and select Restore (or whatever you have named it).

The /usr/sbin/jamf command can then be used to hide that restore partition using the hideRestore option. For example, assuming that the restore partition is named Restore, the following command will hide it:

/usr/sbin/jamf hideRestore

But, you might find that you want to deploy multiple hidden partitions. So let’s say that you had another for running disk tools. In our environment we could call it 318Tools. So to hide it as well, we would use the same command, but with the -name option followed by the name of the other partition we would like to hide, like so:

/usr/sbin/jamf hideRestore -name 318Tools

Overall, there are a number of uses other than simple patch management with the Casper Suite, and this is just one of the small things you can do with the jamf command, an integral part of the Suite.

Adding Windows Services Monitoring in Zenoss

Thursday, July 22nd, 2010

1. Under devices find the server
2. Go to Configuration Properties
3. Scroll down until you find zWinUser and zWinPassword, and enter in admin username and password.
4. Click on the first item under Components on the left hand side
5. Click on the “+” Sign
6. Click Add Win Service
7. Choose the service from the drop down menu.
8. Click on Service if status says “Unknown”
9. Find server under Display
10. Change Set Local value to Yes
11. Click SAVE (from light testing, this seems to only have to be done once per service).

MySQL Backup Options

Thursday, July 8th, 2010

MySQL bills itself as the world’s most popular open source database. It turns up all over, including most installations of WordPress. Packages for multiple platforms make installation easy and online resources are plentiful. Web-based admin tools like phpMyAdmin are very popular and there are many stand-alone options for managing MySQL databases as well.

When it comes to back-up, though, are you prepared? Backup plug-ins for WordPress databases are fairly common, but what other techniques can be used? Scripting to the rescue!

On Unix-type systems, it’s easy to find one of the many example scripts online, customize them to your needs, then add the script to a nightly cron job (or launchd on Mac OS X systems). Most of these scripts use the mysqldump command to create a text file that contains the structure and data from your database. More advanced scripts can loop through multiple databases on the same server, compress the output and email you copies.

Here is an example we found online a long time ago and modified (thanks to the unknown author):


# List all of the MySQL databases that you want to backup in here,
# each separated by a space
databases="database1 database2 database3"

# Directory where you want the backup files to be placed

# MySQL dump command, use the full path name here

# MySQL Username and password
userpassword=" --user=myusername --password=mypassword"

# MySQL dump options
dumpoptions=" --quick --add-drop-table --add-locks --extended-insert --lock-tables"

# Unix Commands

# Create our backup directory if not already there
mkdir -p ${backupdir}
if [ ! -d ${backupdir} ]
echo "Not a directory: ${backupdir}"
exit 1

# Dump all of our databases
echo "Dumping MySQL Databases"
for database in $databases
$mysqldumpcmd $userpassword $dumpoptions $database > ${backupdir}/${database}.sql

# Compress all of our backup files
echo "Compressing Dump Files"
for database in $databases
rm -f ${backupdir}/${database}.sql.gz
$gzip ${backupdir}/${database}.sql

# And we're done
ls -l ${backupdir}
echo "Dump Complete!"

Once you verify that your backup script is giving you valid backup files, these should be added to your other backup routines, such as CrashPlan, Mozy, Retrospect, Time Machine, Backup Exec, PresSTORE, etc. It never hurts to have too many copies of your critical data files.

To make sure your organization is prepared, contact your 318 account manager today, or email for assistance.

Changing The Password Policy on Windows Server 2008 Domain Controllers

Wednesday, June 2nd, 2010

There seems to be a bug (maybe feature?) in Windows Server 2008 where you cannot change the default password policies on at least the first Domain Controller in a new Domain via Group Policy Management and editing the Default Domain Controller security policy.

You must make the changes in the Local Policies section of Active Directory on the Windows Server 2008 Domain Controller.
1. Start > All Programs > Administrative Tools > Local Security Policy
2. Security Settings > Password Policy

NOTE: You will see that the Password Policy for the domain controller is populated, unlike in GPMC.MSC where everything is “Not Configured” but has a confusing note about default settings being other than “Not Configured”.

To further confuse the issue, it seems that in Windows Server 2008 R2, using the Local Security Policy to change the Password policy on the DC will NOT work. It will be grayed out. The Domain Controller policy then seems to default to the Default Domain Security Policy (not Default Domain CONTROLLER Security Policy). After changing the password policies under GMPC.MSC for the Default Domain Policy I was able to successfully get the needed password configuration settings for the Domain Controller. It seems that the Default Domain Controller Security Policy password settings are either no longer separate from the Default Domain Security Policy, or now the Default Domain Security Policy overrides the Default Domain Controller Policy. This happened on a fully patched Windows Server 2008 R2 x64 OS.

Uninstalling Retrospect 6.3 Clients and Changing Passwords

Wednesday, May 12th, 2010

Open the retrospect client and turn it off. Then close it and delete the \Libraries\Preferences\retroclient.state file. Now you have two options. To completely uninstall, just trash the app from the Application folder. Or if you just needed to reset the password, you can rerun the installer and it will prompt you for a password.