Compliance Mgmt
Hi,
I need Compliance mgmt help.
I want to run a command against 2500 switches that make all Fast Ethernet ports implement as speed auto & duplex auto, except Gig port and trunk ports. Any help appreciated.
THANKS
I am using;
LMS:3.2
RME: 4.3
CM:5.2.1
Since you have RME 4.3, you might also consider using a Netconfig port-based job. To do this, go to RME > Config Mgmt > Netconfig > Netconfig Jobs and create a new port-based job. Define an custom group with the ruleset:
Port.PortName StartsWith "Fa" AND
Port.CM.AccessStatus = "Configured"
Then select the Adhoc task, and enter the IOS commands:
speed auto
duplex auto
Deploy that to all of the required switches and that will accomplish what you want. Note: this requires that all switches are managed by Campus Manager.
Similar Messages
-
Ciscoworks LMS 3.2 - Compliance mgmt negation problem
Hi,
Strange problem, that I am sure is being caused by me.
Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
I use two lines for this removal
- snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
- snmp-server community [#!SNMP#] [#.*#] [#.*#]
From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
1) Does the above look sound and would it do what I think
2) Does the Compliance management engine parse the entire config independantly for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
Any help on this appreciated as its driving me nutsThanks Joseph,
So if I also wanted to remove all SNMP traps bar: -
snmp-server host 10.10.10.x (where x is any ip in the last octet)
From a device, would I use
- [#snmp-server host (!#10\.10\.10\..*#).#]
Or doesn't this make sense? -
What means "commandLets" in Compliance mgmt in LMS 4.1
Hi,
I provided a compliance check using an advanced template. This check shows me a lot of non-compliant interfaces on one device. I would like to deploy the compliant configuration's commands to the non-compliant interfaces - so I click on the button deploy. The next window shows me: device, commands and commandlets. In the commandlets frame two templates are seen: dot1 and dot2 - these templates are components of the advanced template. After these templates is some number in the parentheses like pod1(000), pod1(0045), pod2(0075). My question is what these numbers mean, because I can select one of them??
Thank you very much
RomanHi Leolaohoo,
It is no duplicate post. I tried to search this problem on Cisco Support Community and there is no same problem. If are you right, so send me this link, please.
The customer has a problem that he see no phone registered on the CUCM in the LMS 4.1. UT discovered the phone, but the customer has no detail information about this phone.
Roman -
Ciscoworks LMS 3.2 compliance mgmt negation problem 2
Sorry one more question,
If I also wanted to remove all SNMP traps bar: -
snmp-server host 10.10.10.x (where x is any ip in the last octet)
From a device, would I use
- [#snmp-server host (!#10\.10\.10\..*#).#]
Any help appreciatedThanks Joseph,
But if the line is say: -
snmp-server host 10.10.10.1 testROmon
Would I not need the .*# for the extra word? I guess this would only be needed if I were also searching for variations in this word? -
Ciscoworks LMS 3.2 Compliance Mgmt
Would it be possible to create a template do the following?
1. check all interfaces, include Ethernet, FastEthernet, GigabitEthernet, Serial, Token, etc
2. if the interface is found to have "ip helper-address", it must match x.x.x.x and y.y.y.y
The reason is that I am running this search and replace script, and I need to verify afterward.
Name: ChkHelpers SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
interface [#.*#]
+ ip helper-address [#10\.\d\.\d\.\d\#]
Name: ReplOldHelpers SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : ChkHelpers Parent: ChkHelpers
- ip helper-address 10.a.a.a
- ip helper-address 10.b.b.b
+ ip helper-address x.x.x.x
+ ip helper-address y.y.y.yThere are a few typos where, but in general what you have it correct.
Name: ChkHelpers
IsPrereq: yes
Submode: interface [INTF]
Body:
+ ip helper-address [#10\.\d+\.\d+\.\d+#]
Name: ReplOldHelpers
Prereq: ChkHelpers
Parent: ChkHelpers
Body:
- ip helper-address 10.a.a.a
- ip helper-address 10.b.b.b
+ ip helper-address x.x.x.x
+ ip helper-address y.y.y.y -
RME/compliance mgmt - deploy ntp
Hi,
Using RME 4.3.0
I'm trying to deploy new ntp settings across all network infrastructure. I prepare baseline template and check complance. When i try to deploy i'v got this issue:
Job finished sucessfully, but some of devices are still in pending state. All of this devices "wating" for deploy this command:
no ntp server X.X.X.X key 1 prefer
My template looks like this:
+ ntp server A.A.A.A
+ ntp server B.B.B.B
- [#ntp server (?!A.A.A.A|B.B.B.B).*#]
Is there any way to change this bahavior? To generate simply: "no ntp server X.X.X.X" instead of "no ntp server X.X.X.X key 1 prefer" while complance check?HI,
This error states that "but some of devices are still in pending state". So, kindly check if you have any device showing under " Pending Devices" category.
Kindly go to RME > Devices. Post the screenshot of this location here.
Thanks,
Gaganjeet -
Exchange 365 and in-place eDiscovery
I created dozens of in-place eDiscovery search in powershell for the users who have left the company, but we need to retain their mailboxes for legal compliance reasons. The powershells looked like this:
New-MailboxSearch -name "User1" -SourceMailboxes [email protected] -ExcludeDuplicateMessages $true -InPlaceHoldEnabled $true -ItemHoldPeriod 255
And when I go into the EAC> Compliance Mgmt> in-place eDiscovery, I can see all of them but their status says "Status: Search Not Started." So I used the EAC to edit one, and check if I missed something, but everything from the PS script
is correct, and when I clicked Save, again without actually changing anything, the search did start at that point! I looked at a few other cmdlets, and I found the start-mailboxsearch. So I issued:
start-MailboxSearch -Identity "User1"
But that comes back with "Unable to execute the task. Reason: TargetMailbox is required for copying messages returned by the search." So why am I able to use the EAC eDiscovery portion without having to specify TargetMailbox, but when I use Powershell
I do have specify it?Instead of an in-place hold, one workaround may be to use set-mailbox cmdlet with parameters LitigationHoldEnabled and LitigationHoldDuration .
This *may* have a couple advantages:
1. LitigationHold is the entire account and is binary (it's either on or off),
2. A New-MailboxSearch on that mailbox can still be done if needed (and assuming the account is on hold, see above),
3. A MailboxSearch for IPH/eDiscovery can be removed if no longer needed without affecting the account on hold.
Hope that helps and gives you a creative spark. -
Base device config storage in Ciscoworks
Thanks again to all who have assisted in my previous question. We are being asked to find a place within Ciscoworks to store a device config for each of the type devices that we have on our network.
So we would have 1 config for a 3750, a 2900, 3548's, etc. I was thinking we can label a config file, without addressing info, hostname, etc., on it and accomplish it that way. I could label one 3750 -12 port, 3750-48 port, etc., and just add the address info to the config when we deploy a config to a new device.
Is this the best way to do it or is there another way that would work better? We have Ciscoworks LMS 3.2.
Thanks again for you help.
Dave LehmannYou could use config labeling for this, but the recommended way to accomplish what you describe is with baseline templates. Go to RME > Config Mgmt > Compliance Mgmt > Template Mgmt. Create baseline templates for each device type that contains all of the general config commands you want. You can even add macro substitutions within the templates to be filled in during deployment. For example:
+ hostname [HOSTNAME]
+ snmp-server community ourReadOnly RO
+ snmp-server community ourReadWrite RW
+ enable secret 5 $1$...
During deployment, you would be given an opportunity to fill in the value of [HOSTNAME] for each device. Consult the online context-sensitive help for baseline compliance for more details. -
Report needed for overall view of update compliancy
I've been asked to provide a custom report to give an overall status for the update compliancy for the servers in place.
Have been fiddling about in sql mgmt studio and kind of understand where to get the information from, but am missing something. so I was hoping someone could point me in the right direction
I realize that this kind of report might take some querying time, but this is what the customer wants: instead of him going to the builtin report compliance 7 (category sw updates - compliance A) where he has to select a collection AND a baseline AND a compliance
status, he wants to obtain a list of all server systems being compliant to some server baselines and a list of all server systems being non-compliant to some server baselines
currently the sqlcode i Have to show the compliant servers, is:
SELECT
v_R_System.Name0
AS Servername,
v_GS_OPERATING_SYSTEM.Caption0
AS OS,
v_ConfigurationItems.CI_ID,
v_AuthListInfo.Title,
v_StateNames.TopicType,
v_StateNames
.StateID,
v_StateNames.StateName
FROM
v_ConfigurationItems
INNER
JOIN
v_AuthListInfo
ON v_ConfigurationItems.CI_ID
= v_AuthListInfo.CI_ID
CROSS
JOIN
v_R_System
INNER
JOIN
v_GS_OPERATING_SYSTEM
ON v_R_System.ResourceID
= v_GS_OPERATING_SYSTEM.ResourceID
CROSS
JOIN
v_StateNames
WHERE
(v_R_System.Client0
= 1)
AND(v_R_System.Operating_System_Name_and0
LIKE
'%server%')
AND
(v_AuthListInfo.Title
LIKE
'%server%')
AND(v_StateNames.TopicType
= 300)
AND(v_StateNames.StateID
=
'1')
ORDER
BY Servername
BUT if I now change the stateid to 2 in the query I get the same amount of rows back (being 134 servers with an sccm client times 4 server update groups)
so my problem is: how and when do i make the correct join here ?I was thinking that it might be better to use the assignmentstate views, and I quickly came up with this alternative:
SELECT
v_R_System.Name0
AS ServerName,
v_CIAssignment.AssignmentName
as
'Deployment Name',
v_StateNames.StateName
FROM
v_AssignmentState_Combined
INNER
JOIN
v_R_System
ON v_AssignmentState_Combined.ResourceID
= v_R_System.ResourceID
INNER
JOIN
v_FullCollectionMembership
ON v_R_System.ResourceID
= v_FullCollectionMembership.ResourceID
INNER
JOIN
v_CIAssignment
ON v_AssignmentState_Combined.AssignmentID
= v_CIAssignment.AssignmentID
INNER
JOIN
v_StateNames
ON v_AssignmentState_Combined.StateID
= v_StateNames.StateID
WHERE
(v_StateNames.TopicType
= 300)
AND(v_StateNames.StateID
= 1
OR
v_StateNames
.StateID
= 2)
AND(v_FullCollectionMembership.CollectionID
=
N'D01003FE')
ORDER
BY servername
at first glance this produces what I want, let me check with the customer.
you guys agree with that or not? -
LMS 4.2.3 baseline compliance template and standard ACL
When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
I configured a template with these commands:
+ip access-list standard 21
+; Hosts allowed access
+ permit host 10.20.30.40
+ permit host 40.30.20.10
+ deny any log
When I do compliance check and deployment, the last line is dropped by LMS.
In fact, when I look into the job's "Work Order", the commands are:
ip access-list standard 21
; Hosts allowed access
permit host 10.20.30.40
permit host 40.30.20.10
After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
Is this a bug?Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NAJob Policies
----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
Job Based Password: DisabledDevice Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. ** -
LMS 4.2 Compliance check extended access-list
Hi,
I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
I have made a new compliance check like this:
'submode': ip access-list extended 'acl-name'
+deny tcp any any eq smtp
But that is not working, Can some one show me the 'right path'?
Thanks
SorenDoesnt have any issues on my Lab 4.2.4. following is the Job Work order :
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NAJob Policies
----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
Job Based Password: DisabledDevice Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. ** -
Software Update Compliance Report in SCCM 2012
Hi Everyone,
My question is in sccm 2007 we generate the compliance report based on update list without downloading the patches just adding the same to update list, However the update list is being replaced by update group in sccm 2012, How can we achieve the same
in sccm 2012 or do we need to build the custom report if yes please let me know.
Thanks In Advanced
ashu MaheshwariBecause of the retrograde reporting for WSUS data in SCCM, I have the "send info to WSUS" checked on the SUP so I can view data in the old WSUS console. By comparing what computers need how many patches and using the reports in SCCM, you can see massive
discrepancies in both how many computers need patches and how many patches each computer needs. For example, WSUS will say ComputerA needs 10 patches and SCCM will say it needs 6, or whatever. As far as these two points go, WSUS is far more accurate.
I first noticed this months ago.
I think this is not a matter of how the SCCM queries are written, but because SCCM is far more flaky than WSUS. To me, WSUS is like a good reliable run of the mile car and SCCM is like a race car--powerful but finicky and persnickety. It's harder to get
clients to fully check in with SCCM. SCCM can do lots but my biggest gripes with it are:
1) Clients especially flaky and persnickety, one tiny thing gets out of whack and it won't work
2) WSUS is far more accurate in reporting what patches are needed
3) For WSUS reporting, they took a lot of WSUS-related/patch reporting out of SCCM, towit you can't get the info you used to be able to get without writing a custom report. This is why you can easily find code samples on the net. And along that point I still
can't get report builder to work and I don't have another report tool available to me. I know the SQL code samples I have work because I can run the queries in Mgmt Studio.
Ben JohnsonWY -
Dear SAP - HR Experts .
In My Client side , they want to shift for Positive Time Mgmt (want to capture actual times).
They Usually run payroll on 25th day of every month .
if they implement Positive Time in Company then they will have Time Evaluation up to 25th of the month .
Suppose if a employee took two days absences from durring the period of 26th to 31st Jan . but we have Time Evaluation up to 25th day only and we run payroll for Jan upto 1st to 31st .
in that case Employee will recieve complete salary , while in actaul scenrio he was absent for 2 days .
so client have some quries about this situation ...
Q 1 : How his salary will deduct and recover the absence of 2 days ?
Q 2 : How we have to run Time Evaluation from 26th to 31th day of Jan .
Q 3 : what changes are required in PA03 and PU03 ?
Regards : rajneesh
Edited by: Rajneesh Kumar on Feb 13, 2009 8:53 AMHi Rajneesh,
Time evaluation period can vary from the payroll periods. You can run the payroll from first of the month till last day and Time evaluation from 26th of previous month till 25th of current month. In this situation employee will be paid for the whole month by the payroll and it will not take into account the absences/sick etc that took place after 25th of the month till the month end.
Later when you do Time evaluation during the following month system will capture those 2 days (as you mentioned) sick/absence took place after 25th of current month and it will deduct the amounts from the Payroll of the following month. But it will not deduct from the current month as the Time evaluation was only done till 25th of the month.
It doenst need any changes in PA03 / PU03
Hope this clarifies your query.
Thanks,
Tara -
ADA 508 Compliance Workflow Overview (tab key for navigation / WebAim Toolbar)
Hi,
I've been assigned to update interactive training for a State agency..... with of course, an emphasis on ADA / 508 compliance.
So, before I pinpoint my two questions/scenarios, here is a basic, initial attempt at providing an overview of ADA compliance workflow in Captivate and beyond.
PS - useful Captivate forum urls are at the end of this post. I'm using Captivate v.6
ADA Compliance Workflow Overview:
1. All assets need an alt tag and conceivably a description > highlight the asset, like a pic, and click the Accessibility button under Properties.
2. Create slide notes for each slide > load slide, highlight no assets and click the Accessibility tab under Properties. Copy and paste your notes > for screen readers.
3. Need closed captioning for video/audio content > I use Camtasia for CC and will use the JW player for screen reader of video content.
4. Interactivity needs to be accessible via the tab and enter keys.
What else am I missing?
Question 1
My question targets how to get the enter key to initiate after a successful tab. To be clearer.... I hit tab and I can navigate through all the buttons in the correct order, but hitting enter provides no action. I am gettining the yellow highlights around buttons when I tab through. Everything works very well when using the mouse, but blind users don't use mice.
I did create my own animation buttons in Flash and imported them in as animations. I then placed a Click Box behind the button animation to engage the rollover action. Could this be causing problems? The prebuilt (and clunky looking) buttons on the quizzes do work (ie) tabbing to them and hitting enter provides effective navigation.
I'm opting not to use the playback control skin, only my Flash nav bar.
Question 2 (Scenario 2)
I have downloaded the WebAim Toolbar feature designed for FireFox, used to check ADA compliance issues.
I am getting this error message:
A frame does not have a title attribute or value. Okay... I bet I can fix this via the .html file or via the standard.js file??
and these warnings:
Alert: Javascript in head - A javascript element is present in the page head section.
Alert: Flash - A Flash object is present.
Does anyone know if these alerts are worth fixing?
Obviously Captivate is going to pump out, or rather publish... javascript elements, but is this bad in the page head section?
And..... of course a Flash object is present...Captivate produces Flash / Shockwave files.
I'll obviously ask the programmers at WebAim for guidance as well. As always any help would be appreciated and Tanks in advance.
http://forums.adobe.com/message/117985#117985
http://gneil.blogspot.com/2008/09/target-6-million-settlement-is-your.html
http://kb2.adobe.com/cps/403/kb403160.html
http://forums.adobe.com/message/3515968#3515968
Screen grabs are attached.
Thanks, Calif Dreamin'Hi,
Attached is my zipped project file. I did create my own buttons in Flash - this might be the problem. I have only been problem solving with navigation on the first four slides.
To clarify, hitting the Enter key does engage navigation, however I’m having difficulty controlling the navigation so that it goes to the correct location.
I’m using Captivate v.6 / publishing SCORM 1.2 / Using IE to deliver via the SyberWorks LMS.
Here is question 1:
Question 1
My question targets how to get the enter key to initiate after a successful tab. To be clearer.... I hit tab and I can navigate through all the buttons in the correct order, but hitting enter provides no action. I am getting the yellow highlights around buttons when I tab through. Everything works very well when using the mouse, but blind users don't use mice.
I did create my own animation buttons in Flash and imported them in as animations. I then placed a Click Box behind the button animation to engage the rollover action. Could this be causing problems? The prebuilt (and clunky looking) buttons on the quizzes do work (ie) tabbing to them and hitting enter provides effective navigation.
I'm opting not to use the playback control skin, only my Flash nav bar.
Thanks for reaching out!!
Thanks,
Bill Farrell (aka Calif Dreamin’) -
So I've created a Software Update Group and I did NOT want anything in there dealing with Internet Explorer 11 since the organization is currently stuck at using 10 as the highest. So I made sure that Internet Explorer was NOT in the list and then I deployed
the package.
After running my Overall Compliance report it shows that the systems are compliant, but when I view the "Compliance 5 - Specific Computer" I see that "Internet Explorer 11 for Windows 7 for x64-based Systems" is listed in the report.
This is just a testing phase right now and I have not created a WSUS like Domain level GPO. I understand that the SCCM client creates a local policy on the clients for the location of the Software Update Point (Specify
Intranet Microsoft update service location), but the "Configure Automatic Updates" policy is set to Not Configured, which it looks like when this
is set, the "Install updates automatically (recommended)" at 3AM is the default.
Is the reason why the "Internet Explorer 11 for Windows 7 for x64-based Systems" update is showing up in the list due to the fact that the "Configure
Automatic Updates" policy is set to Not Configured
and therefore it is still reaching out to check Windows Update online?
So, if I do create a Domain level GPO to Disable the "Configure
Automatic Updates" policy, then the "Internet Explorer 11 for Windows 7 for x64-based Systems" update would not show up in the "Compliance 5 - Specific Computer" report?
By the way, I have a Software Update Maintenance Window configured for the hours of 1AM-4AM so the 3AM default time falls within this time frame, therefore, I am assuming the SCCM 2012 client will not allow the Windows Update Agent to install the "Internet
Explorer 11 for Windows 7 for x64-based Systems" update, even though it has detected it is "Required".
ThanksBut, don't you need a Deployment Package in order to deploy the Software Update Group? The Software Update Group uses the downloaded updates contained in the Deployment Package located in, wherever the Package Source is, right?
One more quick question that you will know right off hand, because, well, you just will I'm sure.
No. The software update group really has nothing to do with any update packages. The update group assigns updates to clients and in turn clients use update packages to download assign and applicable updates from. There is no connection between the two though
as the client can download an update from any available update package. Thus, it's more than possible to updates in an update package that are not in any update groups and it is also possible for an update to be in an update group without being in any update
package.
If the "Configure Automatic Updates" policy is set to "Not Configured" and since this keeps the 3AM Automatic Updates default, if I was to remove the Software Update Maintenance Window from being between 1AM-4AM, will the WUA agent install updates
at 3AM, or no because the SCCM 2012 client still manages and oversees it and basically blocks that from occurring?
No, ConfigMgr does not in any way block the WUA; however, the WUA can only autonomously install updates it downloads directly from WSUS. Thus, since there are no updates approved or downloaded in your WSUS instance, there's nothing for it to download and
install. If you happen to actually be going into WSUS and approving updates (which you should not be doing as its unsupported), then yes, it actually would install updates -- this is outside of ConfigMgr's control though. Generally, disabling the WUA via a
GPO is the recommended to prevent any accidental installations or reboots (as the WUA wil also check for initiate pending reboots outside of ConfigMgr).
Lots more info in these two blog posts:
- http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
- http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
Jason | http://blog.configmgrftw.com
Maybe you are looking for
-
Printing from email (Yahoo and a Rogers webmail) is not working properly. Only P 1 will print, even if "all" is selected in the print window. The print window defaults to "page 1 to 1" and nothing will change it. Docs from "MY Documents" print proper
-
Custom components and the navigator object
Hi all, I'm starting on a mobile project which is a ViewNavigator based application. I've created a custom component which contains a button. I'd like the button to be able to use the pushView method however as it's a custom component, it doesn't app
-
Keep your blood pumping with Stockwell Travel compression socks!
Traveling is annoying enough already - avoid having a blood clot thrown into the mix by wearing a pair of compression socks from Sockwell Travel!
-
Netflix unable to sign in on Apple TV (2nd gen)
Hi, I am experiencing a problem that has never occurred with my Apple TV before. Below is an iPhone photo I took of the screen that is giving me the error message of being "Unable to sign in." What seems weird is how the message below has HTML tags
-
Compressor 3.5.3 stalls at end and Final Cut Pro crashes
Compressor 3.5.3 stalls at end and Final Cut Pro crashes I have tried Compressor repair, deleted qmaster files been at for a week now and it is doing my head in. Anyone out there who can help please.