Active Directory Delegating Permissions

I needed to delegate permissions to the helpdesk (without making them domain admins) to create and modify users, and to modify group membership.  This is slightly different from some of the built-in permission groups, since we didn't want the helpdesk to be able to delete users.  Permissions are delegated at the OU level; remember that permissions are pushed down and inherited by the objects beneath the OU.

This is what I used to delegate these permissions:

  1. Right click the OU, and select “Delegate Control” and click “Next”
  2. Add your Security Group (I called mine Delegated Helpdesk)
  3. Click “Modify the membership of a group”, then “Next” and “Finish”
  4. First section done!
  5. Go through steps 1 and 2 again
  6. Select the button “Create a custom task to delegate” and click “Next”
  7. Select the button “Only the following objects in the folder:” and select “User objects”
  8. Click “Create selected objects in this folder” and click “Next”
  9. Click the following permissions:
    • Read All Properties
    • Write All Properties
    • Read and write general information
    • Read and write logon information
    • Read and write phone and mail options
    • Read and write web information
    • Change password
    • Reset password
  10. Click “Next” and then “Finish”
  11. You are now finished.  Users in the “Delegated Helpdesk” group should be able to create and modify users, and to modify group membership

If you ever need to revert your changes, open Properties > Security (requires Advanced Features view) for the OU, and remove the permissions.
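The same delegation as an added PowerShell equivalent of the wizard steps above (example code, not from the original post), followed by a read-back of the OU ACL that flags any delete or ownership rights the group should not hold. The OU distinguished name and domain are assumptions; the schema GUIDs are the fixed well-known values.

```powershell
# Added example: apply the wizard's delegation with the ActiveDirectory module,
# then verify that the group received no delete rights on the OU.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # assumed target OU
$groupName = 'Delegated Helpdesk'            # group name from the post
$sid       = (Get-ADGroup -Identity $groupName).SID

# Well-known schema GUIDs; identical in every forest.
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$groupClass = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group object class
$memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
$changePwd  = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password right

$T     = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$I     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$rw    = $R::ReadProperty -bor $R::WriteProperty
$desc  = $I::Descendents      # .NET spells it this way
$all   = $I::All

$rules = @(
    # Step 3: "Modify the membership of a group" -> read/write 'member' on groups under the OU
    New-Object -TypeName $T -ArgumentList $sid, $rw, $Allow, $memberAttr, $desc, $groupClass
    # Step 8: create user objects in this OU and its sub-OUs (CreateChild only, no DeleteChild)
    New-Object -TypeName $T -ArgumentList $sid, $R::CreateChild, $Allow, $userClass, $all
    # Step 9: Read/Write All Properties on user objects. This already subsumes the
    # individual property sets the wizard lists (general, logon, phone/mail, web).
    New-Object -TypeName $T -ArgumentList $sid, $rw, $Allow, $desc, $userClass
    # Step 9: Change password and Reset password extended rights on user objects
    New-Object -TypeName $T -ArgumentList $sid, $R::ExtendedRight, $Allow, $changePwd, $desc, $userClass
    New-Object -TypeName $T -ArgumentList $sid, $R::ExtendedRight, $Allow, $resetPwd,  $desc, $userClass
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back the group's ACEs on the OU and flag rights beyond the intended set.
# The same loop works as an audit of an OU delegated through the wizard.
$unwanted = 'Delete', 'DeleteChild', 'DeleteTree', 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
$ntName   = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ntName } |
    ForEach-Object {
        $held = $_.ActiveDirectoryRights.ToString() -split ', '
        $bad  = $held | Where-Object { $unwanted -contains $_ }
        $flag = if ($bad) { "REVIEW: $($bad -join ',')" } else { 'ok' }
        '{0,-30} {1,-14} {2}' -f $_.ActiveDirectoryRights, $_.InheritanceType, $flag
    }
```

Run it from an account that may edit the OU's security descriptor; the read-back section on its own needs only read access and is safe to run against any OU.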

Palo Alto Firewall AD Group Mapping

These commands will help troubleshoot and resolve issues with AD groups on your PAN device.

  1. show user group list
    1. Shows every AD group added to the PAN firewall
  2. show user ip-user-mapping all (or specific user)
    1. Shows the user and IP address mapping
  3. show user group-mapping state all
    1. Gives more detailed statistics of the command above
  4. show user group name “???”
    1. Shows the user members of the group specified
  5. debug user-id reset group-mapping all
    1. Re-pulls the user-to-group mapping from AD
  6. debug user-id refresh user-id agent all
    1. Refreshes all user-to-IP mappings
  7. debug software restart user-id (this command is usually not needed)
    1. Restarts the user-id service

Ruckus DHCP Filtering/Manipulation

By default, when a client connects to a Ruckus AP and sends a DHCP request, the request is converted to unicast, and once an address has been provided, additional DHCP requests from that client appear to be ignored.  This normally works great and significantly reduces broadcast traffic on your wireless network.  The only time this has proved to be an issue is when you have multiple virtual machines running on your laptop whose network adapters are bridged to your wireless NIC.  Your laptop will get an IP address successfully, but your VMs will not.

To solve this, you can either assign static IPs to your virtual machines, or disable the Ruckus “Directed DHCP” feature on the AP.

To disable it per AP, SSH into the AP, and run this command:

#set qos directedDHCP disable

Use the “get qos” command to verify that the setting applied successfully.  If you want to apply this to all APs in your environment, SSH into the ZoneDirector and run:

#remote_ap_cli -A set qos directedDHCP disable

Linux Packet Capture

If you need to debug traffic going to a Linux server or appliance, you can use tcpdump to generate a pcap file that you can analyze in Wireshark.

For example, SSH into the server, and use the following command:

tcpdump -s0 -w DebugTraffic.pcap port 80 and host 192.168.1.10

This captures all traffic matching port 80 and host 192.168.1.10 and saves it to the file DebugTraffic.pcap.  Note that a tcpdump filter matches either direction, so this includes both the requests from 192.168.1.10 to port 80 and the server's replies; use “src host” and “dst port” if you want only the inbound side.  The -s0 flag captures full packets rather than truncating them.

You can then use a file transfer client (like WinSCP) to grab the file and analyze it in Wireshark.

Here is a great resource for tcpdump commands: http://packetlife.net/media/library/12/tcpdump.pdf