Can you sync S2 Netbox Access Levels With AD Security Groups?

Sure you can!  But it isn’t a feature that is accessible from the GUI.  We saw a need at USD290 to link our Active Directory Security Groups and S2 Access Levels to simplify employee onboarding and offboarding.  Is offboarding  a word?  Maybe jettisoning?  Regardless…I spent a morning crafting a PowerShell script that will run as a scheduled task and regularly synchronize these two groups.  This was a quick script to fill a void, we will be enhancing it in the near future to take into account disabled accounts too!  We also saw the need to track the NFC credential too.  This script allows you to store the credential in Active Directory in the ‘Pager’ field (or any field for that matter) and sync it up to S2 as well.

S2 has a very antiquated API available that we can leverage on the backend to inject this information.  The API is simple, and accepts some XML input and has provisions for authentication.  I would strongly suggest that you do not expose your S2 installation to the web when using this API.  There are authentication mechanisms available in the API, but they are poorly documented so they were omitted from this script.  I will reach out to S2 and see about improving this code with the proper Message Authentication Codes.

On to the script!  First things first – there are some prerequisites!

  • This script assumes that you have a separate OU in AD dedicated to your Access Control Security Groups
  • This script only plays nice when your AD Security Group Names match your S2 Access Level Names verbatim!
  • You must enable the API by going to Configuration ->Site Settings->Network Controller->Data Integration and checking the API checkbox
  • Backup your database before using this script!

That last one is important.  I have extensively tested this in our environment, and it works splendidly for our needs.  I will not be held responsible for any damage caused by this script when run in your environment.  Ultimately, this is a script you found on the internet that can completely ruin your S2 installation if not configured properly.  You have been warned!  The line that actually performs the writing to S2 is commented by default for testing.  Remove the leading # on the last line of the script to run the script live!

Security,Windows Admin
Share this Story:
  • facebook
  • twitter
  • gplus


  1. Izet Droce
    1487 days ago

    Hi Dean, what version is your S2 system? the S2 API document you have linked int he post is very old. I have never version of the Web-Based API for S2 Netbox (Release 4.4-4.6) if you are interested.

    • deangrell
      1487 days ago

      We are currently running 4.8.03 but any newer documentation would be appreciated! If you could, please e-mail it to me at d ean gr ell @gmail.com (remove the spaces!)

      Thanks Izet!

Leave a comment