Client logging of admin access

Similar Messages

• System has amnesia about non-admin access to system log

  Time Machine Buddy often doesn't show current backups. So I used the tip from Pondini to give my user account system log access. That worked fine.
  But it doesn't "stick." I fired up the Console app this morning, and the system log is grayed out.
  Any idea why, and what to do?
  Thanks,
  Harv

  Hey James,
  I did indeed get a reply in the Unix forum, and it worked fine. Here's the content:
  *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 6:21:28 PM.*
  *You could try*
  *sudo /bin/chmod +a "harv47 allow read,file_inherit" /var/log*
  *This assumes that your usename is 'harv47' on your Mac. This also assumes that the log files are created in the /var/log directory.*
  *In theory this will make sure that any file created in /var/log will inherit an ACL that allows harv47 read access to that file.*
  *However, I have not spent much time working with Mac OS X ACLs, so your mileage may vary.*
  *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 8:13:24 PM.*
  *Oh yea. You can view the ACL you applied, and see if the inherit_file worked using*
  *ls -leO@a /var/log*
  *again, assuming /var/log is the directory containing the log you are trying to read.*
  The system log continues to be accessible, even after the midnight "rollover."
  I'm a happy camper. I'm not sure if it's a coincidence or not, but TM Buddy has so far continued to show the log excerpts after the rollover as well.
  BTW, the SpamSieve app (Bayesian spam filter for Mail) is one of those database apps mentioned in your tips. It accounts for about 1 GB every backup.
  Thanks!
  Harv

• Exchange 2013 Give domain Admin access to all users inbox

  In the old 2007 exchange server we had domain admin access to everyones mailbox so we could open anyones email box using outlook client.
  But in 2013 exchange the mailbox delegation does not give us the option to add a "group" to the full access area, old allows to add a "user" who has a mailbox setup in exchange. I see there is Exchange Server group listed under Full Access
  , but it does not work added our domain Admin user to that group rebooted exchange and the test machine but did not work.
  Only option that works to allow mounting of xyz users mailbox via abc admin user is to actually add that abc admin user to the xyz mailbox under mailbox delegation > Full Access.
  Is  there a work around this, so we can simply have a group ABCD with user ABC or DEF etc. etc. so they can access everyones mailbox instead of going in and changing all users mailbox delegation one by one for the new user etc. ?

  Have you tried using the Exchange Management Shell?
  Get-Mailbox | Add-MailboxPermission -User Name_of_Group -AccessRights FullAccess -InheritanceType All
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
  I did i tried get-mailboxpermission and other than NT Authority and the end user the Deny was set to True for all inheritance rights. I tried your command, added user to the group i wanted under Enterprise OU in AD and restarted transport on exchange and
  logged in on the test machine again.
  Still no go, the user I am trying to add when using get-mailboxpermission shows up as Denied for fullaccess so is that overriding the group permissions ?
  RunspaceId      : 2xxxxxxx0
  AccessRights    : {FullAccess}
  Deny            : True
  InheritanceType : All
  User            : domain\abc
  Identity        : domain/Users/xyzuser
  IsInherited     : False
  IsValid         : True
  ObjectState     : Unchanged
  And for the group i just added with the above abc user inside it:
  RunspaceId      : 2xxxxxxxxx0
  AccessRights    : {FullAccess}
  Deny            : False
  InheritanceType : All
  User            : domain\newgroupadded
  Identity        : domain/Users/xyzuser
  IsInherited     : False
  IsValid         : True
  ObjectState     : Unchanged
  So is the users deny is causing this ? Not really sure why ABC domain admin/enterprise admin is the only one listed as no deny, there are other mailbox users that do not show up, I am assuming I have to create a new user a domain local user and that might
  work ? I wanted the Domain/Enterprise Manager/admin to have access so we would not have to keep toggling between users just to access someones inbox.
  Also further down the list of mailboxpermission i see the user abc (the user i want to add to the group to have access) is listed with Full access and Deny flag is set to False instead of True.
  So have two entries for user abc one with deny flag set to true and one with deny flag to false.
  AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
  Deny            : False
  InheritanceType : All

• ConfigMgr Clients connection over direct access.

  My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
  Test Machine: NYWIN8
  SCCM Server: SCCM01
  Domain: demo.local
  I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
  On my client machine is see following errors:
  FSPSTATEMESSAGE.LOG
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  POLICYAGENT.LOG
  Policy
  http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
  DATATRANSFERSERVICE.LOG
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
  DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
  Software Catalog Update Endpoint
  Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
  WEDMTRACE.LOG
  No CCM Identification blob
  CAS.LOG
  The number of discovered DPs(including Branch DP and Multicast) is 0
  SMSCLIUI.LOG
  Failed to set DNSSuffix value to the registry.
  Are there any issues due to connecting using direct access?

  When I try to deploy any software (7-ZIP or Notepad++) to this client I get following error:
  The software change returned error code 0x87D00607(-2016410105).
  I can deploy same software fine to other machines connecting on LAN.
  Server Logs:
  Portlctl
  PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  PORTALWEBs http check returned hr=0, bFailed=0
  awbsctl
  AWEBSVCs http check returned hr=0, bFailed=0
  AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
  Client Logs:
  CAS
  The number of discovered DPs(including Branch DP and Multicast) is 0
  CCMEVAL
  Client's current MP is http://SCCM01.DEMO.local and is accessible
  ClientLocation
  Current AD forest name is Demo.local, domain name is Demo.local
  Domain joined client is in Intranet
  Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
  Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
  ContentTransferManager
  No data since 11/13/2013
  CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
  DataTransfer
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
  http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
  DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
  Filebits
  BranchCache Is Not Enabled
  Failed to check PeerDistribution status. NOT able to do branch cache.
  FSPSTATEMESSAGE
  Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
  [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
  Successfully sent location services HTTP failure message.
  InternetProxy
  Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
  InventoryAgent
  Inventory: 9 Collection Task(s) failed.
  SCCLIENT
  Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
  SMSCLIUI
  Failed to set DNSSuffix value to the registry.
  IPCONFIG /ALL from CLIENT:
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : NYWIN8
     Primary Dns Suffix  . . . . . . . : demo.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : demo.local
     System Quarantine State . . . . . : Not Restricted
  Ethernet adapter vEthernet (Internal):
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
     Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
     Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 872420701
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                         fec0:0:0:ffff::2%1
                                         fec0:0:0:ffff::3%1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ethernet adapter vEthernet (External):
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
     Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
     Default Gateway . . . . . . . . . : 192.168.1.1
     DHCP Server . . . . . . . . . . . : 192.168.1.1
     DHCPv6 IAID . . . . . . . . . . . : 730113736
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     DNS Servers . . . . . . . . . . . : 192.168.1.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Wireless LAN adapter Local Area Connection* 3:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Bluetooth Network Connection:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
     Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Ethernet:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
     Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.home:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : home
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter iphttpsinterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : iphttpsinterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
     Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
     Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 369098752
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes

• Help needed restricting users admin access to devices using ACS 4.2

  I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
  The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. ( I have a separate group called 'PIX ACCESS' which will contained only defined users for admin access).
  Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
  So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

  Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it alot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
  So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
  This comes up everytime I install an ACS server, (every 2-3 years), and it's always a trick.
  Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

• ISE 1.2 Admin Access via Active Directory

  Hi Experts,
  Good Day!
  I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
  Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
  Thanks for your great help.
  niks

  Niks,
  I just got done doing this.  First of all you have to have the Active Directory setup as an external data source.  Once you do that Click on Administration - - Admin Access.
  For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
  Then click in Administrators - - Admin Users.  Click Add a user - - Create Admin User.  Ensure to check the External box and you will notice the Password field goes away.  Fill out the appropriate information and then assign them to an Admin Group.
  Once you are done with that you can test that user by logging out of your ISE session.  You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user.  Change the selection to Active Directory and enter the AD user/password for the newly created account you should be good to go.
  Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

• ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

  Hello,
  After upgrading ISE VM from 1.2.1 to 1.3.0.876, I can't connect on ISE with AD Credentials (Invalid Username or Password). It worked find before upgrading to 1.3.
  On another ISE VM in 1.3.0.876 version (w/o upgrade) with this kind of configuration, it's OK.
  I have double check the Post-upgrade tasks (particularly rejoining Active Directory). Everything worked find after this upgrade except the admin access with AD credentials.
  I don't use user certificate-based authentication for admin access. So I didn't execute application start ise safe CLI.
  My 802.1x wireless users passed authentication with AD credentials. So the ISE had correctly join my AD.
  I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
  I don't find anything related to this in bug search on Cisco tools.
  I tried to :
  - update the SID of my Admin AD Group, the result is still the same.
  - delete my admin access with AD credentials configuration then make this configuration again, but still the same error.
  Any ideas on this ? Could I find elements in another log ?
  Regards.

  Dear Markus,
  After logging as user "prdadm"
  su - prdadm
  bssltests% bash-3.00$ ls -a
  .                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
  ..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
  .bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
  .cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
  .dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
  .dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
  .dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
  .dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
  .dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
  .dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10  sqlnet.log
  bash-3.00$
  bash-3.00$
  I have changed envt settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
  .sapenv_bssltests.sh & .sapenv_bssltests.csh  [4 files]
  Regards,
  Ankita

• Unable to view client logs from sccm console

  Hi
  unable to connect to ccm and unable to view client logs from console. Console installed is on another server that is not site server
  Regards Sushain KApoor

  Hi
  SCCM right click tools adds multiple ‘Client Tools’ entries
  are comming when i right click on the clients. when i check for logs it shows client logs written only. More over when i try to connect to C$ i am able to connect to from console right click tools but when i go for connecting ccm folder it says no directory
  found admin$\system32\ccm, but my machine is of 64 bit OS hence it should go to syswow64. any ideas how to resolve the same.
  i am planning to go with
  http://blog.danovich.com.au/2010/11/16/sccm-right-click-tools-adds-multiple-client-tools-entries/ this option
  Regards Sushain KApoor

• Identity Service Engine (ISE) Admin Access

  Is it possible to authenticate the ISE administrator via an external Radius Server? The option I find is that it will not work, 
  The manual reads: 
  In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
  Is this the case ?

  Sure you can!
  Make sure you have the RADIUS server added to the ISE (Administration > Identity Management > External Identity Sources  Select RADIUS Token from the left menu).
  Then head over to Administration > System > Admin Access.  Change the * Identity Source to your RADIUS Server and click Save
  Log out and you will see an new entry on the log in screen.  Click the dropdown for Identity Source and choose your RADIUS Server.  If this connection gets dropped for any reason, you can always log in using the internal identity source as a fallback.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Clients are unable to access a New wireless Controller 5508

  Clients are unable to access the public ssid, which is wide open(or any other ssids).
  I'm using LAG and I can ping each interface on the controller.  Ap's show a total of 2 and 2 are up. 
  interface name is public vlan identifier 107, ip add 10.1.255.252, interface dynamic
  Software version 7.0.98.0
  Model No.
  AIR-CT5508-K9
  Burned-in MAC Address
  50:3D:E5:1A:2F:60
  Maximum number of APs supported
  25
  FIPS Prerequisite Mode
  Disable
  UDI :
  Product Identifier Description
  AIR-CT5508-K9
  Version Identifier Description
  V01
  Serial Number
  FCW1508L0KT
  Entity Name
  Chassis
  Entity Description
  Cisco Wireless Controller
  Profile Name
  Type
  SSID
  Status
    Enabled
  Security Policies
  (Modifications done under security tab will appear after applying the changes.)
  Radio Policy
  All 802.11a only 802.11a/g only 802.11g only 802.11b/g only
  Interface
  jmhmanagementpublicspacelabsvoice
  Broadcast SSID
  Enabled
  Layer 2 security none
  Below is the errors that are in the controller's log.
  spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-DECODE_ERR: spam_lrad.c:1932 Error decoding join request from AP 00:00:00:00:00:00
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-JOIN_DB_ERR: spam_lrad.c:6216 Could not allocate an entry in the database for AP 00:00:00:00:00:00 - dropping the join request (# of APs joined = 2)
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-AP_DB_CREATE_ERR: spam_lrad.c:4945 Unable to create an entry for AP 00:00:00:00:00:00 in the database - invalid mac address
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-PAYLOAD_MISSING: spam_lrad.c:5400  Join request does not contain BOARD_DATA payload
  *spamApTask0: Dec 06 14:54:24.728: %LWAPP-3-DECODE_ERR: spam_lrad.c:1932 Error decoding join request from AP 00:00:00:00:00:00
  *spamApTask0: Dec 06 14:54:24.728: %LWAPP-3-JOIN_DB_ERR: spam_lrad.c:6216 Could not allocate an entry in the database for AP spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-DECODE_ERR: spam_lrad.c:1932 Error decoding join request from AP 00:00:00:00:00:00
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-JOIN_DB_ERR: spam_lrad.c:6216 Could not allocate an entry in the database for AP 00:00:00:00:00:00 - dropping the join request (# of APs joined = 2)
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-AP_DB_CREATE_ERR: spam_lrad.c:4945 Unable to create an entry for AP 00:00:00:00:00:00 in the database - invalid mac address
  *spamApTask0: Dec 06 14:54:43.895: %LWAPP-3-PAYLOAD_MISSING: spam_lrad.c:5400  Join request does not contain BOARD_DATA payload
  *spamApTask0: Dec 06 14:54:24.728: %LWAPP-3-DECODE_ERR: spam_lrad.c:1932 Error decoding join request from AP 00:00:00:00:00:00
  *spamApTask0: Dec 06 14:54:24.728: %LWAPP-3-JOIN_DB_ERR: spam_lrad.c:6216 Could not allocate an entry in the database for AP
  I have attached show run-config and show running-config

  For the public WLAN, what is 10.1.1.1?  Is it a real DHCP server, is it a FW?  If it's a FW, then you'll need to disable dhcp proxy:
  CLI config dhcp proxy disable
  GUI Controller > Advanced > DHCp, and uncheck the box for proxy.
  As for all of your other SSID, they are all pointd at the management interface.  Double check the WLAN config, and point them to the interface you want the user to get an IP address in.
  HTH,
  Steve
  Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

• Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

  Dear all,
  How can I authenticate admin access to the Prime infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as RADIUS server? I find some information using ACS as RADIUS server but cannot find how to for Windows NPS.
  I try to configure the NPS but an error prompted when logging in to PI using an account in the NPS server, "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
  Thanks for your help.
  Dennis

  Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explination here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
  The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from radius.  They are as as follows:
  NCS:role0=Admin
  NCS:virtual-domain0=ROOT-DOMAIN
  "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
  For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

• Server Admin Access

  I have a user who had full remote admin access to her Mac Server from her Mac desktop. We recently changed out her desktop for a new iMac. She no longer has full admin remote access to the server. Did I miss something on the setup of the new machine? She can walk to the server and log in with full admin access, but the remote session does not allow for full admin rights.  Any help would be appreciated.

  Remote access via what? Server.app? Server Admin.app? Remote Desktop?
  What OS(es) were running previously, what OS(es) are running now?
  What admin rights are unavailable (i.e. what can't she do?)

• I forgot my Keychain password and I can't log in or access my applications folder to change it

  I forgot my Keychain password and I can't log in or access my applications folder to change it. Help?

  I've already done that several times. It only changes the admin password, my problem is I can't change the Keychain password, but since i can't log in without it I don't know how to change it.

• User admin access

  Hi all,
  I have an issue that I'm not sure how to script in to resolve.
  I have a script that runs, binds them to AD, sets an AD group as admins to the machine, which the user is part of. That works, but when they shut down and go offline, they can login with their cached credentials, but they are no longer admins to their own machines. I have to login as local admin and set the user as admin. How do I add this to the script so that the user is always admin regardless if they are off or online and I don't have to touch every machine after they have logged in to add them as admins.
  Thank you in advanced!

  Jeremy Mlazovsky <[email protected]> wrote in
  news:zJI6h.4247$[email protected]:
  I guess I over simplified my example too much. In reality, I have
  several users who need admin access to one or two workstations each, but
  are essentially regular users elsewhere.
  > Why use DLU?
  >
  > Just make a local account for him on that one computer and add him to
  > the Administrators group.
  >
  > Brian Mantler wrote:
  >> I would like to give a user admin access to one specific workstation,
  >> but regular access to all other workstations.
  >>
  >> For example I want user John to have admin access to CPU1, but
  >> regular access to all other CPU's.
  >>
  >>
  >> I have a user policy package that has the appropriate group policy
  >> and DLU policy associated to John. The DLU has Enable Login
  >> Restrictions and inlcludes just CPU1.
  >>
  >>
  >> When John logs in to CPU1 he becomes a member of the local
  >> administrators and the appropriate group policy is placed in effect.
  >>
  >> If a regular user logs into CPU1 they receive our standard group
  >> policy and become members of the local users group.
  >>
  >> However, if John logs into a different computer, say CPU2 he does not
  >> get any DLU created. In this situation, I would like John treated
  >> like our regular uses and a local user created that has only regular
  >> user rights
  >>
  >> Any ideas?
  >>
  >> Thanks
  >
  >

• How can i give multiple users admin access?

  I would like to give another user on my macbook pro admin access, so that they can install programs without having to ask me for the password each time. I do not want the password to be the same for my profile, because I don't want them getting into my account. So is it possible to have a separate password for admin use only? This might be a dumb question and I know their is probably a simple way to do this, but I'm new to macs so any help would be greatly appreciated. Thank you.

  Convert a standard user to an administrator
  Choose Apple menu > System Preferences, then click Users & Groups.
  Click the lock icon  to unlock it, then enter an administrator name and password.
  Select a standard user or managed user in the list of users, then select “Allow user to administer this computer.”
  http://support.apple.com/kb/PH18891