Local ASA passwords to allow ALL show commands, no config

Hi there
Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc
Can anyone advise the syntax to do this? I don't have access to the ASA at the moment and haven't been able to figure it out in IOS, I'm assuming it's not too hard...

Assuming AAA authentication, define some users with intermediate privilege levels and assign the commands they can run to that level, e.g.
    username readonly password SomeSecret privilege 2
followed by a tedious number of privilege commands for each of the keywords "show ?" expands to:
    privilege show level 2 mode exec command aaa-server
    privilege show level 2 mode exec command xlate
Anyone knowing a more concise way would be welcome.
-- Jim Leinweber, WI State Lab of Hygiene
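
One way to take the tedium out of the per-keyword lines in the answer above, as an added example that is not part of the original thread: it reads captured `show ?` help text, emits one `privilege show` line per keyword, and reports which keywords an existing config has not yet assigned to the level. The help-text layout, the sample keywords and all function names are assumptions made for illustration.

```python
"""Generate ASA 'privilege show' lines from captured 'show ?' help output."""
import re

# Constructed sample: the "keyword  description" layout is an assumption about
# how the captured help text looks; the keyword list is illustrative only.
SAMPLE_SHOW_HELP = """\
asa# show ?

  aaa-server      Show aaa-server configuration information
  arp             Show ARP table or ARP statistics
  route           Show the routing table
  running-config  Show the current operating configuration
  xlate           Show current translation information
asa#
"""

# Lines already on the device: the three lines given in the answer above.
EXISTING_CONFIG = """\
username readonly password SomeSecret privilege 2
privilege show level 2 mode exec command aaa-server
privilege show level 2 mode exec command xlate
"""

# Indented keyword, at least two spaces, then the start of a description.
HELP_LINE = re.compile(r"^\s+([a-z0-9][a-z0-9_-]*)\s{2,}\S")
PRIV_LINE = re.compile(
    r"^privilege show level (\d+) mode exec command (\S+)\s*$", re.MULTILINE
)


def parse_show_keywords(help_text):
    """Return the sorted, de-duplicated keywords listed in 'show ?' output."""
    keywords = set()
    for line in help_text.splitlines():
        match = HELP_LINE.match(line)  # prompt and blank lines do not match
        if match:
            keywords.add(match.group(1))
    return sorted(keywords)


def privilege_lines(keywords, level):
    """Build one 'privilege show' line per keyword for the given level."""
    if not 0 <= level <= 15:
        raise ValueError("privilege level must be between 0 and 15")
    return [
        f"privilege show level {level} mode exec command {kw}" for kw in keywords
    ]


def missing_keywords(config_text, keywords, level):
    """Keywords that do not yet have a 'privilege show' line at this level."""
    assigned = {
        kw for lvl, kw in PRIV_LINE.findall(config_text) if int(lvl) == level
    }
    return [kw for kw in keywords if kw not in assigned]


if __name__ == "__main__":
    wanted = parse_show_keywords(SAMPLE_SHOW_HELP)
    # Print only the lines that still have to be pasted into the config.
    for line in privilege_lines(missing_keywords(EXISTING_CONFIG, wanted, 2), 2):
        print(line)
```
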

Similar Messages

  • Allow some show commands in AAA Authorization Set

    I'm working on creating AAA authorization sets for our environment and ran into a question!
    I'd like to be able to enable ALL show commands except 'show run'.  I would also like to enable 'show run interface'.  I've figured out how to enable all show commands and disable show run.  The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable.  Even if I try to explicitly enable it.
    Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
    ACS Version 4.1.
    Command set is configured:

    Changing it to 'deny running-config' does the exact same thing.  It looks like it's seeing the 'show running-config' then stopping on that before anything else.  I've tried adding 'permit run interface' in ACS and same thing.  Other AAA Authorization set commands work just fine.
    On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2.
        aaa group server tacacs+ SHS
         server 10.10.11.200
        aaa authentication login verifyme group TACACS+ local
        aaa authorization config-commands
        aaa authorization exec verifyme group TACACS+ local
        aaa authorization commands 0 default group TACACS+
        aaa authorization commands 1 default group TACACS+
        aaa authorization commands 15 default group TACACS+
        aaa accounting send stop-record authentication failure
        aaa accounting exec verifyme start-stop group TACACS+
        aaa accounting commands 15 default start-stop group TACACS+
        aaa accounting network verifyme start-stop group TACACS+
        aaa accounting system default start-stop group TACACS+
        aaa session-id common
    Debugs!
    Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
    Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
    Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
    Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
    Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
    Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
    Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
    Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
    Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
    Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
    Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
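
The debug output in the post above can be reduced to the request the switch actually sent, as an added example that is not part of the original post: it groups the AAA/AUTHOR/TAC+ lines by session id, rebuilds the command string and attaches the server's status. The response line prints the same 32-bit id as a signed number (-189375029 for 4105592267), so ids are normalized before matching; the function and class names are illustrative.

```python
"""Rebuild TACACS+ command-authorization requests from IOS AAA debug output."""
import re
from dataclasses import dataclass, field

# Excerpt of the debug output quoted in the post above: the AAA/AUTHOR/TAC+
# request lines and the server's response line.
DEBUG_EXCERPT = """\
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
"""

REQUEST = re.compile(
    r"AAA/AUTHOR/TAC\+: \((-?\d+)\): (?:user=(\S+)|send AV ([\w-]+)=(.*))$"
)
RESPONSE = re.compile(
    r"TAC\+: \((-?\d+)\): received author response status = (\w+)"
)


def normalize_id(raw):
    """Map a session id printed as signed 32-bit back to its unsigned form."""
    return int(raw) & 0xFFFFFFFF


@dataclass
class AuthzRequest:
    session_id: int
    user: str = ""
    cmd: str = ""
    args: list = field(default_factory=list)
    status: str = "UNKNOWN"

    @property
    def command_line(self):
        """The command plus arguments the server was asked to authorize."""
        return " ".join([self.cmd, *self.args])


def reconstruct(log_text):
    """Return one AuthzRequest per session id, in order of first appearance."""
    requests = {}

    def entry(raw_id):
        sid = normalize_id(raw_id)
        return requests.setdefault(sid, AuthzRequest(sid))

    for line in log_text.splitlines():
        line = line.rstrip()
        req = REQUEST.search(line)
        if req:
            raw_id, user, key, value = req.groups()
            current = entry(raw_id)
            if user:
                current.user = user
            elif key == "cmd":
                current.cmd = value
            # An empty cmd-arg closes the command in the excerpt; treating a
            # literal "<cr>" the same way is an assumption.
            elif key == "cmd-arg" and value not in ("", "<cr>"):
                current.args.append(value)
            continue
        resp = RESPONSE.search(line)
        if resp:
            entry(resp.group(1)).status = resp.group(2)
    return list(requests.values())


if __name__ == "__main__":
    for r in reconstruct(DEBUG_EXCERPT):
        print(f"{r.session_id} user={r.user} '{r.command_line}' -> {r.status}")
```
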

  • SHOW commands without ENABLE...?

    I have a user who has been given read-only, privilege level 1, access and wants the ability to use the various SHOW commands.  We have ACS running in this environment.  Is there a way, through ACS, to give him these commands?  
    Policy Elements/Authorization and Permissions/Device Administration/Shell Profiles has ReadOnly with all shell attributes set to not in use, default/max privilege set to 1, nothing extra in custom attributes.  Same set of submenus, Command Sets, Limited has "Permit" "SHOW" with no arguments listed.  Under Access Policies, Standard Device Admin, Authorization, I have a rule for the identity group assigned to the user in all locations and all device types that assigns the shell profile of ReadOnly and the command set of Limited.  However, the user cannot perform any such commands.
    What am I missing?  Is there another way to do this?  As I said, the key is to provide the show commands without the ability to make changes to the devices.

    Yes this can be done and it sounds like you have ACS configured correctly.  However, I am not sure if all show commands will be available without entering enable mode.  For example, show interfaces is not available until after you enter enable mode.
    What AAA commands do you have running on the devices?
    I am doing pretty much what you're doing but I allow the user to enter enable mode and then restrict them to a handful of commands.  Also, I have ACS controlling the enable password on a per user basis.

  • Create a privilege level that only allows access to show commands

    Hi,
    I would like to create a privilege level that would only give access to the show commands for certain users. What would be the best way to do this?
    Would I have to use the privilege mode level level command for every available show command or is there a more efficient way of doing this?
    In addition, could we manage such a privilege level from a Radius Server?
    Thanks for your help
    Stéphane

    Well, I think the best way to achieve this is to use TACACS with command authorization feature.
    Configuration on the tacacs server ( only for show commands, read only access)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
    These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
        aaa new-model
        aaa authorization config-commands
        aaa authorization commands 0 default group tacacs+ local
        aaa authorization commands 1 default group tacacs+ local
        aaa authorization commands 15 default group tacacs+ local
        tacacs-server host 10.1.1.1
        tacacs-server key cisco123
    These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
        aaa-server authserver protocol tacacs+
        aaa-server authserver host 10.1.1.1
        aaa authorization command authserver
    However, if you strictly want to use radius server then please try the below listed attribute for a single user or group.
    Service-Type = NAS Prompt
    http://www.ietf.org/assignments/radius-types/radius-types.xml#radius-types-4
    This might not work for ASDM.
    HTH
    Regards,
    Jatin
    Do rate helpful posts-

  • Family of 5, all use the same Apple ID/Password/Account.  In settings/messages/send receive you can "check" my email and up to three phone numbers.  Essentially allowing all iMessages to be sent

    Family of 5, all use the same Apple ID/Password/Account.  In settings/messages/send>receive you can "check" my email and up to three phone numbers.  Essentially allowing all iMessages to be copied to shared account numbers.  Please help me figure out  how to prevent my children from receiving my text correspondence. 

    On the devices for the members of your family that you DO NOT want to see your iMessages, go to
    Settings App
    Messages
    Send and Receive
    You should see a list of available contacts which would make messages appear. Make certain that each family member has their own individual contact and NOT the same one that you use. I find it useful to have each family member have their own icloud email and use that for iMessaging my kids. My kids do not have iPhones, but if yours do, their phone number should be listed as well. For iPads and iTouches, use icloud email addresses. If you need to send a message to all 3 kids, say, you can just add all three emails to the To box on your iMessage.
    Hope that makes sense.

  • I got locked out of Mac os 9 and now I can't get into OS 9 or OS X.  All I see is the Macintosh SE and a finder face and text that says "mac os 9.2 welcome to mac os".  I can't get into Control Panel to reset the password to allow me to get in.

    Do you have OS X and OS 9 installed on your Mac? If so, startup with the Option key depressed. This will open the Startup Manager window. Select the OS you want to start from & click the right arrow.
     Cheers, Tom

  • Local Director reloading after running show commands

    I have a pair of 420's running 4.2.5 & I am experiencing when being in the LD & running show commands the Active will reload & the secondary takes over. Has anybody experienced this problem?

    Are you sure that the reload happens when a show command is typed? Have you seen any other messages? I am asking this because I have not heard of a reload with a show command. It could also be possible that some other processor/memory intensive task is running and the show command was entered at the same time. You could check for bugs and upgrade if necessary.

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi everybody,
    I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my server's firewall blocks
    a) all airplay traffic and
    b) 'reading Airport configuration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
    What I don't know is whether this is sticky, e.g. survives a reboot.

  • SHOW commands in SQLPlus

    Where can I find a list / explanation of the SHOW commands in SQLPlus?
    Thanks,

    Hi,
    Also, try this cool glogin script from Chris Foot to show the instance name in your SQL*Plus prompt:
    COLUMN file_name FORMAT a44
    COLUMN tablespace_name FORMAT a20
    COLUMN owner FORMAT a15
    COLUMN segment_name FORMAT a20
    set lines 132
    set pages 100
    set termout off
    col dbname new_value prompt_dbname
    select instance_name dbname from v$instance;
    set sqlprompt "&&prompt_dbname> "
    set termout on
    set time on
    Here are the set options:
    APPI[NFO]ON
    Application info for performance monitor (see DBMS_APPLICATION_INFO)
    ARRAY[SIZE] {15|n}
    Fetch size (1 to 5000) the number of rows that will be retrieved in one go.
    AUTO[COMMIT] OFF|n}
    Autocommit commits after each SQL command or PL/SQL block
    AUTOP[RINT] OFF
    Automatic PRINTing of bind variables.(see PRINT)
    AUTORECOVERY ON
    Configure the RECOVER command to automatically apply
    archived redo log files during recovery - without any user confirmation.
    AUTOT[RACE] OFF} [EXP[LAIN]] [STAT[ISTICS]]
    Display a trace report for SELECT, INSERT, UPDATE or DELETE statements
    EXPLAIN shows the query execution path by performing an EXPLAIN PLAN.
    STATISTICS displays SQL statement statistics.
    Using ON or TRACEONLY with no explicit options defaults to EXPLAIN STATISTICS
    BLO[CKTERMINATOR] {.|c|OFF|ON}
    Set the non-alphanumeric character used to end PL/SQL blocks to c
    CMDS[EP] {;|c|OFF|ON}
    Change or enable command separator - default is a semicolon (;)
    COLSEP { |text}
    The text to be printed between SELECTed columns normally a space.
    COM[PATIBILITY] {V5|V6|V7|V8|NATIVE}
    Version of oracle - see also init.ora COMPATIBILITY=
    You can set this back by up to 2 major versions e.g. Ora 9 supports 8 and 7
    CON[CAT] {.|c|OFF|ON}
    termination character for substitution variable reference
    default is a period.
    COPYC[OMMIT] {0|n}
    The COPY command will fetch n batches of data between commits.
    (n= 0 to 5000) the size of each fetch=ARRAYSIZE.
    If COPYCOMMIT = 0, COPY will commit just once - at the end.
    COPYTYPECHECK OFF
    Suppress the comparison of datatypes while inserting or appending to DB2
    DEF[INE] {&|c|OFF|ON}
    c = the char used to prefix substitution variables.
    ON or OFF controls whether to replace substitution variables with their values.
    (this overrides SET SCAN)
    DESCRIBE [DEPTH {1|n|ALL}][LINENUM {ON|OFF}][INDENT {ON|OFF}]
    Sets the depth of the level to which you can recursively describe an object
    (1 to 50) see the DESCRIBE command
    ECHO OFF
    Display commands as they are executed
    EMB[EDDED] OFF
    OFF = report printing will start at the top of a new page.
    ON = report printing may begin anywhere on a page.
    ESC[APE] {\|c|OFF|ON}
    Defines the escape character. OFF undefines. ON enables.
    FEED[BACK] {6|n|OFF|ON}
    Display the number of records returned (when rows > n )
    OFF (or n=0) turns the display off
    ON sets n=1
    FLAGGER OFF|FULL}
    Checks to make sure that SQL statements conform to the ANSI/ISO SQL92 standard.
    non-standard constructs are flagged as errors and displayed
    See also ALTER SESSION SET FLAGGER.
    FLU[SH] OFF
    Buffer display output (OS)
    (no longer used in Oracle 9)
    HEA[DING] OFF
    print column headings
    HEADS[EP] {||c|OFF|ON}
    Define the heading separator character (used to divide a column heading onto > one line.)
    OFF will actually print the heading separator char
    see also: COLUMN command
    INSTANCE [instance_path|LOCAL]
    Change the default instance for your session, this command may only be issued when
    not already connected and requires Net8
    LIN[ESIZE] {150|n}
    Width of a line (before wrapping to the next line)
    Earlier versions default to 80, Oracle 9 is 150
    LOBOF[FSET] n
    Starting position from which CLOB and NCLOB data is retrieved and displayed
    LOGSOURCE [pathname]
    Change the location from which archive logs are retrieved during recovery
    normally taken from LOG_ARCHIVE_DEST
    LONG {80|n}
    Set the maximum width (in chars) for displaying and copying LONG values.
    LONGC[HUNKSIZE] {80|n}
    Set the fetch size (in chars) for retrieving LONG values.
    MARK[UP] HTML ON
    [HEAD text] [BODY text] [TABLE text]
    [ENTMAP {ON|OFF}][SPOOL {ON|OFF}]
    [PRE[FORMAT] ON]
    Output HTML text, which is the output used by iSQL*Plus.
    NEWP[AGE] {1|n} NULL text
    The number of blank lines between the top of each page and the top title.
    0 = a formfeed between pages.
    NULL text
    Replace a null value with 'text'
    The NULL clause of the COLUMN command will override this for a given column.
    NUMF[ORMAT] format
    The default number format.
    see COLUMN FORMAT.
    NUM[WIDTH] {10|n}
    The default width for displaying numbers.
    PAGES[IZE] {14|n}
    The height of the page - number of lines.
    0 will suppress all headings, page breaks, titles
    PAU[SE] OFF
    press [Return] after each page
    enclose text in single quotes
    RECSEP {WR[APPED]|EA[CH]|OFF}
    Print a single line of the RECSEPCHAR between each record.
    WRAPPED = print only for wrapped lines
    EACH=print for every row
    RECSEPCHAR {_|c}
    Define the RECSEPCHAR character, default= ' '
    SCAN OFF
    OFF = disable substitution variables and parameters
    SERVEROUT[PUT] OFF [SIZE n] [FOR[MAT] {WRA[PPED]|WOR[D_WRAPPED]|TRU[NCATED]}]
    whether to display the output of stored procedures (or PL/SQL blocks)
    i.e., DBMS_OUTPUT.PUT_LINE
    SIZE = buffer size (2000-1,000,000) bytes
    SHOW[MODE] OFF
    Display old and new settings of a system variable
    SPA[CE] {1|n}
    The number of spaces between columns in output (1-10)
    SQLBL[ANKLINES] ON
    Allow blank lines within an SQL command. reverts to OFF after the current command/block.
    SQLC[ASE] {MIX[ED]|LO[WER]|UP[PER]}
    Convert the case of SQL commands and PL/SQL blocks
    (but not the SQL buffer itself)
    SQLPLUSCOMPAT[IBILITY] {x.y[.z]}
    Set the behavior or output format of VARIABLE to that of the
    release or version specified by x.y[.z].
    SQLCO[NTINUE] {> |text}
    Continuation prompt (used when a command is continued on an additional line using a hyphen -)
    SQLN[UMBER] OFF
    Set the prompt for the second and subsequent lines of a command or PL/SQL block.
    ON = set the SQL prompt = the line number.
    OFF = set the SQL prompt = SQLPROMPT.
    SQLPRE[FIX] {#|c}
    set a non-alphanumeric prefix char for immediately executing one line of SQL (#)
    SQLP[ROMPT] {SQL>|text}
    Set the command prompt.
    SQLT[ERMINATOR] {;|c|OFF|ON}|
    Set the char used to end and execute SQL commands to c.
    OFF disables the command terminator - use an empty line instead.
    ON resets the terminator to the default semicolon (;).
    SUF[FIX] SQL
    Default file extension for SQL scripts
    TAB OFF
    Format white space in terminal output.
    OFF = use spaces to format white space.
    ON = use the TAB char.
    Note this does not apply to spooled output files.
    The default is system-dependent. Enter SHOW TAB to see the default value.
    TERM[OUT] OFF
    OFF suppresses the display of output from a command file
    ON displays the output.
    TERMOUT OFF does not affect the output from commands entered interactively.
    TI[ME] OFF
    Display the time at the command prompt.
    TIMI[NG] OFF
    ON = display timing statistics for each SQL command or PL/SQL block run.
    OFF = suppress timing statistics
    TRIM[OUT] OFF
    Display trailing blanks at the end of each line.
    ON = remove blanks, improving performance
    OFF = display blanks.
    This does not affect spooled output.
    SQL*Plus ignores TRIMOUT ON unless you set TAB ON.
    TRIMS[POOL] ON
    Allows trailing blanks at the end of each spooled line.
    This does not affect terminal output.
    UND[ERLINE] {-|c|ON|OFF}
    Set the char used to underline column headings to c.
    VER[IFY] OFF
    ON = list the text of a command before and after replacing substitution variables with values.
    OFF = don't display the command.
    WRA[P] OFF
    Controls whether to truncate or wrap the display of long lines.
    OFF = truncate
    ON = wrap to the next line
    The COLUMN command (WRAPPED and TRUNCATED clause) can override this for specific columns.

  • VM Template bypass Local Admin Password, can it be done?

    I was curious to know if there was a way to create a VM from Template in VMM without having to supply a password in the OS Configuration properties? I know that if we leave that field blank normally, when the VM creation occurs, it will get to about 98% and hang. When you "Connect via Console" option, it is sitting at the screen asking you to supply a password, then the installation finishes, and the VM is ready to go. We are trying to set up VM Templates in SCVMM 2012 R2 that are going to be more or less a user self-service situation. We have several powershell scripts that automate nearly 100% of our admin tasks for us, and in the VM Template, there is a simple batch file that copies down a directory, and launches a script and away it goes. After 10-15 minutes, the Hyper-V VM is joined to our domain, page file virtual memory is set based on specs of VM, WSUS is connected and all updates applied since template creation, etc etc etc...
    Our goal is to have the server log on after creation from a template, run the bat file on the D:\ drive, and go completely untouched from start to finish. The Local Administrator account is renamed and given a new password as part of the setup postload scripts. But the only way to get the VM to do this is by putting in an initial password in the properties of the VM. How can we create a VM from template without supplying any password? So that once SCVMM creates the powered off VM, the person who created the VM powers it on, and then after their 15 minute break, have a server joined to the domain and ready for them to log into.

    Thank you for the reply, I appreciate it.
    I wasn't as clear as I should have been, reading over the initial post I see that now. We have these set up as Service Templates. There is a hardcoded Admin password already supplied in the Machine Tier properties so it does allow from start to creation a VM. But then none of the scripts we have set under the "Run Once" property of the configuration will run until an initial logon is provided, then the scripts kick off, the VM reboots twice and 15 minutes later....voila! Server ready to go. It was that initial logon we were wondering about bypassing.
    The basic process goes as such:
    1) Service Template launched with "Deploy" option in App Controller or SCVMM
    2) VM Guest syspreps from Machine Tier VM Template and configuration, a local admin password is provided, and VM powers on when complete.
    3) VM Guest stays powered on until local admin hits cntrl+alt+del, provides local admin password
    4) Run Once configuration kicks in, reads the "Auto_script.bat" file from root of D:
    5) Scripts join VM Guest to domain, uses domain credentials, runs a whole series of tasks, removes the domain credentials, reboots server.
    6) Server is now ready for customer to log on to and use, fully updated, on the domain, based on service template used also with the appropriate roles and features configured (File Server, IIS, etc).
    It's that step 3 we are hoping to get around somehow with scripts or whatever so that when the VM guest is powered on after creation, something other than the end user or us cntrl+alt+del the OS, logs on with admin password and fully automated deployment occurs from A-Z

  • I have no Admin account now, and keeps asking me to: Type an administrator's name and password to allow this.

    I've installed the new beta Yosemite. After I found I didn't like it, I decided to return to Mavericks. Now, at the installation process I don't know what happened and now I don't have any admin account. So, the system keeps asking me to Type an administrator's name and password to allow this. And I can't do anything, because I only have a standard and a guest account. How can I make my standard account an admin one? Also, this makes me sick, because I can't install or configure anything.
    P.S. I regret installing Yosemite beta. Not good at all.
    These are some screenshots:
    http://prntscr.com/4ce3nx
    http://prntscr.com/4ce43z

    Do you still have a Recovery partition? To see if you do, hold down the command and R keys whilst booting and erase your boot drive and then reinstall the version of OS X that you last paid for or downloaded.
    Call back if that doesn't work...
    Clinton

  • Type an Administrator Name and Password to allow lpadmin to make changes.

    We have a lab full of PowerPC G5 Towers running 10.5 off a PowerPC G5 tower running 10.5 Server. We are using Open Directory and AFP to allow students to login to Network Accounts from Local Workstations. After Archive and Installing two of the G5 Machines and updating them, We encountered the error "Type an Administrator Name and Password to allow lpadmin to make changes." and it freezes up and doesn't allow us to enter the password or username or even move the mouse.

    To use the solution in the link above in this case, here's one way to go about things:
    - Restart while holding down command and s at the same time to boot into single-user mode.
    - Use the following commands to mount the filesystem (these are also listed on the screen when you start up):
    $ /sbin/fsck -fy
    $ /sbin/mount -uw /
    - You're going to need the root password, so if you haven't already set one, type 'passwd', hit return, and set one.
    - Load Directory Services:
    $ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
    - Run the command mentioned in that other post, entering your root password when prompted:
    $ dseditgroup -o edit -p -a admin -t group _lpadmin
    - You may need to run it twice, because the first time it may say something about upgrading your groups or something like that.
    I hope that helps. It worked for me on multiple machines affected by this problem.
    Greg

  • I loaded Mac OS X v10.7 Lion yesterday. Everything's running fine, except for a simple problem. Any time I want to copy a file, JPEG, etc., I am prompted "Finder wants to make changes. Type your password to allow this." I don't want this!! Is there a way

    I loaded Mac OS X v10.7 Lion yesterday. Everything’s running fine, except for a simple problem. Any time I want to copy a file, JPEG, etc., I am prompted “Finder wants to make changes. Type your password to allow this.” I don’t want this!! Is there a way to unlock “Finder” or rid this process?

    Back up all data.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    If you have more than one user account, and the one in question is not an administrator account, then temporarily promote it to administrator status in the Users & Groups preference pane. You can demote it back to standard status when this step has been completed.
    Triple-click the following line to select it. Copy the selected text to the Clipboard (command-C):
    sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -R $UID:20 ~ $_ ; chmod -R -N ~ $_ 2> /dev/null
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. If you don’t have a login password, you’ll need to set one before you can run the command.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. A Terminal window will open.
    In the Terminal window, type this:
    resetpassword
    That's one word, all lower case, with no spaces. Then press return. A Reset Password window will open. You’re not going to reset a password.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select
     ▹ Restart
    from the menu bar.

  • Desktop to Trash Problem: "Finder wants to make changes. Type your password to allow this."

    Suddenly today I get a dialog box stating "Finder wants to make changes. Type your password to allow this," whenever I attempt to drag a file from the desktop into the Trash on the dock.  How can I stop this and return to a normal function of dragging desktop files into the trash?  Thanks in advance.

    Back up all data now.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Drag or copy — do not type — the following line into the Terminal window, then press return:
    sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -R $UID:20 ~ $_ ; chmod -R -N ~ $_ 2> /dev/null
    Be sure to select the whole line by triple-clicking anywhere in it. You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning. If you don’t have a login password, you’ll need to set one before you can run the command.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select Utilities ▹ Terminal from the menu bar. A text window opens.
    In the Terminal window, type this:
    resetpassword
    That's one word with no spaces. Then press return. A Reset Password window opens. You’re not going to reset a password.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select  ▹ Restart from the menu bar.

  • When I attempt to drag doc to trash "Finder wants to make changes" "Type your password to allow this"  When I do this the doc is immediately deleted.  How do I turn this off?

    Please take these steps if you're prompted for a password when moving items in your home folder to the Trash.
    1. Triple-click anywhere in the line below on this page to select it:
    ~/.Trash  
    2. Right-click or control-click the highlighted line and select
    Services ▹ Show Info
    from the contextual menu.* An Info dialog should open.
    3. The dialog should show "You can read and write" in the Sharing & Permissions section. If that's not what it shows, click the padlock icon in the lower right corner of the window and enter your password when prompted. Use the plus- and minus-sign buttons to give yourself Read & Write access and "everyone" No Access. Delete any other entries in the access list.
    4. In the General section, uncheck the box marked Locked if it's checked.
    5. From the action menu (gear icon) at the bottom of the dialog, select Apply to enclosed items and confirm.
    6. Close the Info window and test.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard (command-C). Open a TextEdit window and paste into it (command-V). Select the line you just pasted and continue as above.
