Administrative Groups for MPLS TE
Do the Cisco 7600's have an equivalent to Juniper's (and Riverstone's) Administrative-Groups feature? I would like to do MPLS Traffic Engineering based on the Administrative groups. I have tried searching for this feature, but haven't found anything. There might be a different name for this feature which I might not be aware of. I would appreciate it if somebody could help me with this.
Thanks Jon.
I am not sure if Affinity bits is the same feature as administrative groups (color).
Below is the description of Administrative groups that Juniper implements:
Administrative groups, also known as link coloring or resource class, are manually assigned attributes that describe the "color" of links, such that links with the same color conceptually belong to the same class. You can use administrative groups to implement a variety of policy-based LSP setups.
Administrative groups are meaningful only when constrained-path LSP computation is enabled.
Administrative groups require three levels of configuration. First, configure a table of group names at the [edit protocols mpls] hierarchy level:
[edit protocols mpls]
admin-groups {
    group-name group-value;
}
You can assign up to 32 names and values (in the range 0 through 31), which define a series of names and their corresponding values. The administrative names and values must be identical across all routers within a single domain.
To configure administrative groups, follow these steps:
Define multiple levels of service quality:
[edit]
protocols {
    mpls {
        admin-groups {
            best-effort 1;
            copper 2;
            silver 3;
            gold 4;
            violet 5;
        }
    }
}
Define administrative groups for an interface. These groups identify the administrative groups to which an interface belongs. You can assign multiple groups to an interface.
[edit]
protocols {
    mpls {
        interface interface-name {
            admin-group [ group-name group-name ... ];
        }
    }
}
If you do not include the admin-group statement, an interface does not belong to any group.
IGPs use the group information to build link-state packets, which are then flooded throughout the network, providing information to all nodes in the network. At any router, the IGP topology, as well as administrative groups of all the links, are available.
Changing the interface's administrative group affects only new LSPs. Existing LSPs on the interface are not preempted or recomputed to keep the network stable. If LSPs need to be removed because of a group change, issue the clear rsvp session command.
Configure an administrative group constraint for each LSP or for each primary or secondary LSP path, at the [edit protocols mpls label-switched-path lsp-path-name ] or [edit protocols mpls label-switched-path lsp-path-name (primary | secondary)] hierarchy level:
Similar Messages
-
Grant access to modify membership of local administrator group
hello
I am an Active Directory administrator and I would like to grant a certain user access to modify membership of the local administrator group for computers in a specific OU only. I tried to do that via delegation of control to modify membership of the group, however when he tries to modify the administrators group of one computer in that OU, he gets an access denied message. Is there a way to do that other than delegation of control?
Hi,
According to your description, you want to grant the right to modify local administrator group membership on computers which belong to one specific OU through ADUC, right?
I don’t think it is possible via delegate control, since local administrator group membership can only be modified by local administrator on the local machine, what you did only grant the right to modify the group membership of the specific OU, which means adding/deleting members within this OU.
In other words, you need to add this user into the local administrator group on local machines to achieve your goal.
Best Regards,
Amy
-
OIM Attestation Process Default Administrative Groups
It seems that, by default, when a user creates an attestation process that it inherits all the groups that the user is a member of as members of the Administrative Groups for that process. Furthermore, these groups have write and delete privileges.
This is troublesome to me. Every OIM user is a member of the Employees group, therefore every attestation task could be deleted, modified, run, etc, by any user on the system. Surely this is not the intended behavior.
It would make sense if the Process owner group were added to the Administrative Groups, but not every single group that they are a member of!
Does anyone have an idea on how to correct this?
Martin, Thank you for the reply. The OIM product docs have content indicating that OIM supports attestation at entitlement level. So was wondering if there is any straightforward way to achieve and I was missing something. I guess there will be a lot of overhead in maintaining the AD Groups as resource objects in OIM. In certain cases there will be thousands of AD Groups. If you know could you please advise on the impact / care to be taken with this approach.
Thank you.
-
Report EM12C for targets not associated with (Administration) Group
Is there a report/view in EM12C for showing which targets are not associated with an Administration Group or a standard group?
For administration groups, check the Unassigned Targets report, accessible from the Associations tab.
For more details, look for the section "Identifying Targets Not Part of Any Administration Group" in the Administration Groups chapter of the EM 12c Administrator's Guide:
http://docs.oracle.com/cd/E24628_01/doc.121/e24473/administration_group.htm#EMADM10011
-
Accounts being created with administrative group rights
Hello,
The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes. It runs Hsphere control panel. I am trying to identify how the following hack is happening.
1) There are users being created with Administrative group rights. Below is the EventViewer log for the user creation:
User Account Created:
New Account Name: username
New Domain: PCNAME
New Account ID: PCNAME\username
Caller User Name: PCNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Privileges -
Attributes:
Sam Account Name: username
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x2DAB2B0
New UAC Value: 0x2DAB2B0
User Account Control: -
User Parameters: <value not set>
Sid History: -
Logon Hours: <value changed, but not displayed>
There exist entries as well where the primary group ID is changed to the Administrative group, but I am omitting such.
2) I tried to identify what Caller Logon ID: (0x0,0x3E7) means. I found out from http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
Output from LogonSessions.exe is pasted below (snippet):
[0] Logon session 00000000:000003e7:
User name: DOMAINNAME\PCNAME$
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 9/11/2014 12:41:53 PM
Logon server:
DNS Domain:
UPN:
4: System
316: smss.exe
364: csrss.exe
392: winlogon.exe
440: services.exe
452: lsass.exe
628: svchost.exe
756: LMAgent.exe
840: svchost.exe
1000: spoolsv.exe
1252: avagent.exe
1268: camWMIAgent.exe
1324: cissesrv.exe
1380: cpqrcmc.exe
1404: vcagent.exe
1440: svchost.exe
1480: HsQuotas.exe
1740: inetinfo.exe
1780: EmailAgent.exe
1856: snmp.exe
1884: sysdown.exe
1920: smhstart.exe
2192: svchost.exe
2388: cmd.exe
2396: hpsmhd.exe
2444: cqmgserv.exe
2464: cqmgstor.exe
2484: HSphere.exe
2596: wmiprvse.exe
2676: cmd.exe
2684: rotatelogs.exe
2692: cmd.exe
2700: rotatelogs.exe
2732: searchindexer.exe
2812: hpsmhd.exe
2824: cqmghost.exe
2852: svchost.exe
3044: cmd.exe
3052: rotatelogs.exe
3080: cmd.exe
3088: rotatelogs.exe
5452: svchost.exe
5596: GravitixService.exe
7392: csrss.exe
7232: winlogon.exe
6888: csrss.exe
9832: winlogon.exe
10388: wawrapper.exe
10352: cpqnimgt.exe
9496: msiexec.exe
6068: w3wp.exe
4748: webalizer.exe
3) I also learned from http://support.microsoft.com/kb/243330/en-us that Sid: S-1-5-18 means:
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system
That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
I am a Linux person mostly, but I am comfortable following a properly explained thread regarding Windows 2003 R2 Enterprise issues.
The server is fully patched and it is running Lumension security product. What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection.
Hope someone with advanced admin skills can advise.
Thank you
Hi,
You mentioned that, “I am trying to identify how the following hack is happening”, would you please tell us that why did you think the event represent a hacking behavior?
In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group. So no users with Administrative group should be ever created. If this happens, it constitutes a breach of server security=positive hacking attempt.
>how in the world users are being created and then being assigned administrative group rights.
In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
I want to be able to understand in full how/what process is allowing users to be created with Admin rights. In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to it so that we can patch this particular hole.
Best Regards,
Amy
-
Photoshop Elements 11 installed on Mac Mini OS X 10.9.5. Application running successfully on both main user and administrative accounts for considerable time with no warning messages. When established a new user account on same computer and try to call up elements receive message “Some of the application components are missing from the Application directory. Please reinstall the application.” How do I correct this problem without disturbing application in main user account?
Brooks lansing if you create a new Administrator account does the same issue occur? If so then it is likely that there is a file permission failure and file permissions have been set for the existing Users instead of the groups they belong to.
Have you removed and reinstalled Photoshop Elements 11? This may reset the file permissions to the correct state to allow it to work under new accounts.
-
same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
Same user is configured as administrator on all the servers in one domain at Windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
How this is technically different?
If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
dhomya
If the account is not admin on the domain controllers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing accounts, groups, OUs, policies, sites, ... in other words cannot potentially ruin Active Directory.
I think that is a pretty big difference.
In fact, it is bad practice to perform your daily server management with an AD privileged account.
In regards of file access. The domain administrator will be just an admin, and thus has the privileges assigned to the local admin group, just as any other admin. But if they are different accounts they might be member of different groups assigning different privileges. Always be careful when assuming resulting privileges will be the same.
MCP/MCSA/MCTS/MCITP
-
Hi is there any Transaction to find Account group for particular Customer. Other than XD07 as we don't have authorization for XD07 in production.
Regards
Nagesh
Hi,
in XD03, enter customer number, view the customer and go to "Extras / administrative data", there you can see the account group.
Best regards, Christian
-
Managing Monitoring Templates Based on Target Properties (not Administration Groups)
I understand how to create administration groups, based on a hierarchy of target properties. In addition, I've assigned monitoring templates to these various groups with limited success.
But I would like to be able to setup different monitoring templates, metric values, compliance configuration, etc based on the target properties themselves and not just the hierarchy.
For example, let's say I have a hierarchy of administration groups starting with "Cost Center" at the top and "Location" as the next level. Now, I want to set up some compliance rules based on Operating Systems and want to do this across all my systems, regardless of administration group (i.e. all Solaris 10 machines set up one way, Solaris 11 machines another).
Can I do this?
Does your RCDC info look something like the following?
<my:Control
    my:Name="GroupMemberOfSG"
    my:TypeName="UocListView"
    my:ExpandArea="true"
    my:Caption="Security Groups"
    my:RightsLevel="{Binding Source=rights, Path=isAdminAccount}">
  <my:Properties>
    <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
    <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
    <my:Property my:Name="PageSize" my:Value="20" />
    <my:Property my:Name="ShowTitleBar" my:Value="true" />
    <my:Property my:Name="ShowActionBar" my:Value="false" />
    <my:Property my:Name="ShowPreview" my:Value="false" />
    <my:Property my:Name="ShowSearchControl" my:Value="false" />
    <my:Property my:Name="EnableSelection" my:Value="false" />
    <my:Property my:Name="SingleSelection" my:Value="false" />
    <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
    <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
  </my:Properties>
</my:Control>
</my:Grouping>
Anthony Marsiglia
-
How to add first log on user to local administrator group
Hi All,
When first time user logs in to system, I need to add that particular user to local administrator group.
How to achieve it using vbscript?
Thanks
Divakar
It is also now against federal law in the US, Canada and, I believe, the UK.
In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins. This may not specifically affect your installation but it does show how important this is.
There is NEVER a good reason to make a user an administrator. It is only lack of technical know-how that leads to this scenario. Any vendor product that requires this is not a safe product to use in a corporate network. Malware specifically looks for this as an attack vector.
I spent three years arguing with Intuit to get their software to work. Every time they said you have to run as an admin I told them it would never be. We were always able to find a way. Now QuickBooks installs as a standard user with no issues.
It can be done.
¯\_(ツ)_/¯
-
Wmi script to find out the time when the user was added to local administration group
Hi Friends,
I need a script/query based on WMI/WQL that finds out the time when the user was added to local administration group on this computer
Regards
Tanoj
OSLM ENGINEER - SCCM 2007 & 2012
WMI does not keep security information.
Unless you have enabled auditing, this information is not retained in any way.
If auditing is enabled, you can write a PowerShell script to look for the specific event in the event log. More specifically, you should look for all security events with ID 4732 containing the group.
This one command does the trick:
get-eventlog -logname security -instanceid 4732 -message *administrators*
https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
MCP/MCSA/MCTS/MCITP
-
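One way to do the lookup described in the answer above, as an added example that is not part of the original thread: it reads event 4732 through Get-WinEvent and matches the group by its well-known SID instead of by message text, so it does not depend on the localized group name. The function names and the sample event are constructed for illustration, and auditing of security group management is assumed to have been enabled before the change was made.

```powershell
# Added example. Function names and the sample event are constructed.
# Event 4732 = "A member was added to a security-enabled local group".
$AdministratorsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function ConvertFrom-GroupAddEventXml {
    # Flatten the XML of one 4732 event into named fields.
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $evt.System.TimeCreated.SystemTime   # UTC, as recorded
        Computer    = $evt.System.Computer
        GroupName   = $data['TargetUserName']
        GroupSid    = $data['TargetSid']
        MemberSid   = $data['MemberSid']                   # account that was added
        AddedBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId     = $data['SubjectLogonId']              # session that made the change
    }
}

function Get-AdministratorsGroupAddition {
    # Live query; needs an elevated session to read the Security log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } |
        ForEach-Object { ConvertFrom-GroupAddEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.GroupSid -eq $AdministratorsSid } |
        Sort-Object TimeCreated
}

# Constructed sample event, so the parser can be tried without a live log.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Computer>HOST01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserName">HOST01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Offline run against the sample; use Get-AdministratorsGroupAddition on a real host.
ConvertFrom-GroupAddEventXml -EventXml $sampleXml |
    Where-Object { $_.GroupSid -eq $AdministratorsSid } |
    Format-List
```

The AddedBy and LogonId fields identify the account and logon session that made the change, which is the starting point for tracing an unexpected addition.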
RECOVERING FORGOTTEN ADMINISTRATOR PASSWORD FOR MACBOOK PRO WITH OS MOUNTAIN LION REQUIRES (A) OPTICAL DISK READER or (B) ANOTHER COMPUTER. I HAVE NONE OF THE TWO. I HAVE BEEN ABLE TO LOGIN TO APPLE SUPPORT AND COMMUNITIES. NO SOLUTION IS AVAILABLE
Terribly sorry Joseph Kriz. I had absolutely no intention of annoying anyone. This was the first time I have been communicating in a discussion group, and as I wrote my comments I had no idea how my typing would reflect and where my question would be going. Hope my unintentional typing will be forgiven and causes no further agitation. The only additional comment I can make on your response is that "I do not use capital letters or CAPS LOCK while I try to enter my administrator password". Thank you for guiding me
-
Creating Administration Groups using custom Target Properties?
I've added a Target Property "Usage" to my 'host' Target type. I would like to use this property when creating my Administration Groups. When I try to create my Administration Group hierarchy, the only Target Properties available to use are the default ones (Lifecycle, Location, etc). Usage does not show up.
Is there a way to make this work or is this just a limitation of OEM?
Hi Timothy
Typically you want to create user groups for functional areas or grouped reports/queries. You can enter as many users as needed into a user group and only those who have the checkbox next to their name in the user group screen will have authorization to create/modify queries in the infosets where the usergroup is assigned. If you are creating 2 usergroups with the same users and authorizations then that is redundant but if the list of users is different or the authorizations may change then it would make sense to have 2 usergroups. You should have some naming convention to follow when creating the queries but the Z prefix is not required.
Andy
-
Hi Gurus,
I want to create a new user ID for the administration of the SLD.
As my Web AS's UME is config to abap datasource. I created a SLD_ADMIN via SU01 (I cannot create a UME-based ID via portal's "User Administration")
After that I edited the UserID(datasource ABAP)'s portal role. I included the following:
Assigned Groups: SAP_SLD_ADMINISTRATOR(UME DATABASE)
Assigned Roles: LcrAdministrator(UME DATABASE)
Assigned Actions: LcrAdministrator, LcrInstanceWriterAll, LcrInstanceWriterCR (UME Type)
But whenever I try to access to the SLD administration link of my instances' SLD
http://<hostname>:5XX00/sld/cimom
I get an error : " 403 Forbidden: You are not authorized to view the requested resource."
What did I do wrong? Are there any more groups/roles I need to assign? My "administrator" ID runs well with the same assigned group.
Thanks,
Jansen
Hello Jansen,
You should also assign certain groups that you can find in the SLD Configuration guide to the user. Also in Visual Admin you need to add this user to the administrator group under the following path
services -> security provider -> Policy configurations tab -> Security roles tab -> administrators -> add the user in it
regards,
Anand
-
Add Managed By AD value to Local Administrator group.
Hi,
I'd like to add the user account of the AD computer's Managed by attribute to the Local Administrator Group.
Could that be done via GPP?
Thanks in advance.
Hi,
I am doubtful about it, as when I run %manager%, the system could not recognize the variable, and also I didn't find the environment variable.
I would like to suggest you use a script to do that: first retrieve all "Managers", then add them to each computer's local admins group.
For scripting, please refer to the below link:
http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
Best Regards,
Yan Li
TechNet Community Support