7/8/09

Home Directories in Active Directory

Ok, Windows Admins who don't know this, listen up.

You know the way that you add home directories to user accounts in Active Directory? Yeah, you're fucking it up!


I have to say that I cannot stand it when admins don't read AT LEAST the bare minimum of basic Windows / Active Directory management. I cannot hold it back anymore, I feel like I'm gonna lose my mind. Every time I go to a customer site I see where some chucklehead has added the home directory in some stupid way (see below).

1. Create a new directory, either calling it the same as the username or something close.
2. Share out this directory as a normal share or a hidden share
3. Change NTFS permissions manually, or better yet, not at all.
4. Open the user account properties and put in the drive letter and UNC path to this new share.

Ok, so now if you do anything in your life the correct way, do this (bare minimum):

1. Create a single directory under whatever path you like (e.g. D:\Home or D:\Users)
2. Share this new directory, usually as a hidden share (home$ or users$)
3. Allow SYSTEM and Domain Admins Full Control and Domain Users Read Only
4. Open the user account properties and add the drive letter and the UNC path (e.g. \\server\share\%username%)
5. You can literally use the %username% variable if you wanna.

Once you have created the initial share, step 4 is the only step you have to do. What happens when you do step 4? Good question. It creates the home directory for you in the share specified, applies proper NTFS permissions giving the user account Full Control, and removes the inheritance flag.

If you have a template user account and you copy it, it will create the home directory and apply security properly for you as well based on the username.
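The same setup done from PowerShell instead of clicking through the dialog, as an added example that is not from the original post: it builds the root share and NTFS ACL from steps 1 to 3, then provisions one user's folder and points the account at it. It assumes the ActiveDirectory and SmbShare modules, a file server named FS1 with a D: drive, and a constructed sample user jdoe; the SYSTEM and Domain Admins entries on each home folder are this script's choice so admins keep access.

```powershell
Import-Module ActiveDirectory

$Root      = 'D:\Home'
$ShareName = 'home$'            # hidden share, as in step 2
$Server    = 'FS1'              # assumed file server name
$Dom       = $env:USERDOMAIN

# Steps 1 and 2: one root directory, shared hidden. Share permissions only ever
# narrow NTFS, so Domain Users get Change here and NTFS does the real limiting.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $Root `
    -FullAccess "$Dom\Domain Admins", 'SYSTEM' -ChangeAccess "$Dom\Domain Users" | Out-Null

# Step 3: root NTFS ACL. Inheritance from D:\ is dropped, SYSTEM and Domain Admins
# get Full Control, Domain Users get Read on the root folder only (no (OI)(CI)),
# so they can reach their own folder but inherit nothing into anyone else's.
icacls $Root /inheritance:r /grant "SYSTEM:(OI)(CI)F" "$Dom\Domain Admins:(OI)(CI)F" "$Dom\Domain Users:R" | Out-Null

# Step 4 from the shell. Unlike the account properties dialog, Set-ADUser does NOT
# create the folder, so it is created and locked down first: inheritance removed,
# user Full Control, plus SYSTEM and Domain Admins (this script's choice).
function New-UserHome {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Drive = 'H:')
    $local = Join-Path $Root $SamAccountName
    $unc   = "\\$Server\$ShareName\$SamAccountName"

    New-Item -Path $local -ItemType Directory -Force | Out-Null
    icacls $local /inheritance:r /grant "${Dom}\${SamAccountName}:(OI)(CI)F" `
        "${Dom}\Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
    Set-ADUser -Identity $SamAccountName -HomeDrive $Drive -HomeDirectory $unc

    # Check: the folder must not inherit, and only the expected principals may appear.
    $acl = Get-Acl -Path $local
    [pscustomobject]@{
        User       = $SamAccountName
        Inherits   = -not $acl.AreAccessRulesProtected
        Principals = ($acl.Access | ForEach-Object IdentityReference | Sort-Object -Unique) -join ', '
        HomeDir    = (Get-ADUser $SamAccountName -Properties HomeDirectory).HomeDirectory
    }
}

New-UserHome -SamAccountName 'jdoe'    # constructed sample account
```

Run the whole script once per file server, then only the New-UserHome call per new account; a report line with Inherits set to True or an unexpected principal means the folder was not locked down the way the post describes.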


From now on, do this or I will come after you with a shovel and a hayfork.

Q

5/5/09

ScreenOS OIDs for CPU and Sessions

In case you are looking for them, here are the OIDs for CPU and sessions within ScreenOS.

I'd like to get a better list of OIDs.  I mean, I imported the MIBs into the SNMP tool I was using, but I can't find any good resource listing OIDs.

CPU Utilization
1.3.6.1.4.1.3224.16.1.3.0

Session Counters
1.3.6.1.4.1.3224.16.3.2.0

4/27/09

DSL Post - New Thought

I didn't try to implement path-mtu.  I'm gonna try it and see what happens.

There are two ways to do it: on the interface, and in the flow settings.

Hm, I'll see what happens later.


ralf

4/24/09

One of My Favorite ScreenOS Hidden Commands

mod


Yup, mod.  As in modify.

This hidden command is what is used when you want to modify a policy, address, or service object.
I like it.

mod add trust "Corp Users 172.20.0.0/16" 172.20.0.0/16 172.20.0.0/16
mod policy 123 order 543

Yay geekdom.

4/20/09

I hate DSL, for today.

So, this client I've been working with is another victim of a hosted Exchange solution.

We moved them to a new office and the goddamn phone vendor that they hired put in a DSL.  Well, that's fine because it was a quick move and we had to do it quick.  And now they are putting in fucking CBeyond.  Whatever, I'm gonna punch that guy in the neck.

Well, we drop in a loaner 5XT we had sitting around but they could do everything except connect via RPC over HTTP to their Exchange provider.  Well, even better when we did traceroutes and the peering from Qwest to XO looked to be fucked.  The traces would die as they hit XO's network so we never thought to look at the firewall at first.  And let's all keep in mind that tracerts and pings are ICMP, not TCP.  Read on.

Well, I had the guy move outside the firewall and attempt to connect and it definitely worked fine.  So I threw in a 5GT that I had with the exact same config and it did not work either.  The pcaps I was grabbing showed shitty TCP checksum errors and I thought for sure that some flow settings on the firewall were screwy.  I have seen that before, where we have had to turn off TCP sequence checking (set flow no-tcp-seq-check) or TCP SYN checking (unset flow tcp-syn-check) to fix issues in the past.  But that was modified accordingly with no positive results.

So, for the fuck of it I was like, "well, I'll set the maximum segment size for the Internet bound traffic to see what happens."  The tcp-mss for encrypted traffic was set to 1350, a default for the ScreenOS version we were running.  The all-tcp-mss was at the default of 1500 so I kicked it down to 1400 (set flow all-tcp-mss 1400) and I'll be dipped in shit.  It worked.  So I moved it back to 1500 and ran a ping with 1500 byte packets (but forgot to set the no fragment flag) and it worked.  So while I'm writing this tonight I decided to move it back to 1500 and run the ping with the no fragment flag (ping -l 1500 4.2.2.2 -f).  This failed.  I found the sweet spot at 1464 bytes.  So I moved the MSS to 1464 and didn't get a login and then to 1460 and still did not.  My final tested MSS is set to 1450 right now.

I guess the reason I'm ranting about this is that I'm used to setting the encrypted tcp-mss size down because of the encryption overhead and the like, but haven't run into this before.

So if you read this, try this first and see what happens.
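The "ping -l <n> -f" sweep from the post done as a binary search, with the result turned into the tcp-mss number for ScreenOS; this is an added example, not from the original post. It uses .NET's Ping class so it runs from Windows PowerShell or PowerShell 7 on Windows, and it needs a host that answers ICMP echo (4.2.2.2 is the one the post pinged). Fed the post's result of 1464 bytes it gives a path MTU of 1492 (the usual PPPoE figure) and an MSS of 1452, in line with the 1450 the post settled on.

```powershell
param([string]$Target = '4.2.2.2', [int]$TimeoutMs = 2000)

$IcmpOverhead = 28   # 20-byte IPv4 header + 8-byte ICMP header: what "ping -l" does not count
$TcpIpHeaders = 40   # 20-byte IPv4 header + 20-byte TCP header: what MSS does not count

# One echo request of $PayloadBytes with Don't Fragment set, the same as "ping -l n -f".
function Test-DfPing {
    param([string]$Dest, [int]$PayloadBytes)
    $ping  = New-Object System.Net.NetworkInformation.Ping
    $opts  = New-Object System.Net.NetworkInformation.PingOptions(64, $true)   # TTL 64, DF on
    $buf   = New-Object byte[] $PayloadBytes
    $reply = $ping.Send($Dest, $TimeoutMs, $buf, $opts)
    # Success means the whole datagram crossed the path unfragmented. PacketTooBig
    # (a router said "fragmentation needed") or a timeout means it did not.
    return $reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success
}

# Largest payload that gets through with DF set. 1472 + 28 = 1500, a plain Ethernet MTU.
function Find-MaxDfPayload {
    param([string]$Dest, [int]$Low = 548, [int]$High = 1472)
    if (-not (Test-DfPing -Dest $Dest -PayloadBytes $Low)) {
        throw "Even $Low bytes fails to $Dest; check reachability or ICMP filtering first"
    }
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-DfPing -Dest $Dest -PayloadBytes $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low   # $Low is always a size that was seen to succeed
}

$payload = Find-MaxDfPayload -Dest $Target
$pathMtu = $payload + $IcmpOverhead
$mss     = $pathMtu - $TcpIpHeaders
"Largest DF payload: $payload bytes -> path MTU $pathMtu -> tcp-mss $mss"
"ScreenOS: set flow all-tcp-mss $mss"
```

If ICMP "fragmentation needed" is being dropped somewhere on the path the probes time out instead of failing fast, which is exactly why the RPC over HTTP session in the post stalled without any obvious error.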

Word?  mkay.

6/19/08

Devaluation of Technical Certifications In Progress

I received this email as a member of a Juniper group within Google, and I was a bit blown away by the fact that someone, first of all, would be willing to pay someone else to get them certified. But then I thought about some of the knuckleheads I have had to work with who have > 5 certifications, all from different vendors, and couldn't possibly do the work they were hired for. Honestly. I've seen it and been dumbfounded by the amount of coin they were pulling in and then they would have me do the work. Awesome.

Is this the end of how certifications are valued? I of course have NEVER thought highly of certifications. My biggest reason is because so many test questions are so loaded and NEVER straightforward and are so subjective that you have to guess what {Enter Vendor Name Here} wants instead of interesting factual information. Fuck I hate tests, but not enough to be a jackoff loser who pays someone to take a test for me.

So, without further delay:

********

Obtain
Microsoft, Cisco, CompTIA, Oracle, Citrix, CWNP, CIW, Solaris, Java, ITIL, VMware, EC-Council, Juniper, Norton and many more certifications without tests... Pay after checking results...
Friends, we have more than 45 testing centers (VUE and Prometric both).

On which we will do the exams on the candidates' behalf, make them pass and then provide their results to them. After that candidates will easily be able to check their results online on each vendor's official website. After checking their results they have to send us payment.

What things we need from the candidates:
1. Candidate's full name (that they want to appear on their scoresheets and certificates)
2. Candidate's full address (for certification delivery)
3. Candidate's photo ID proof, colour scan copy
4. Candidate's phone number with country code

Benefits
Obtain certification at home
No need to sit anymore for exams by themselves
100% passing guarantee
Pay after checking results on vendor official website

Prices (all prices are in USD):
Microsoft Any exam :- 500$
ccna :- 1000$
ccnp :- 4000$
ccsp :- 5000$
ccvp :- 5000$
Comptia A+ :- 2200$
Comptia Network+ :- 1400$
comptia Security+ :- 1500$
server+ :- 1500$
ccda :- 1200$
ccdp :- 2400$
ccie Written :- 2000$
Check Point :- 1100$ (each exam)
Citrix ( each exam) = 700$
CIW ( each exam) = 700$
Cwnp :- ask price first
Ec-council :- 1200$ ( each exam)
ITIL :- 1200$
LPI :- 900$ ( each exam)
Novell :- 700$ (each exam)
Oracle :- 800$ ( each exam)

All exams take only 5-7 working days.

So, if interested feel free to contact us on email@removed.com.


3/6/08