Can you sync S2 Netbox Access Levels With AD Security Groups?

Sure you can! But it isn’t a feature that is accessible from the GUI. We saw a need at USD290 to link our Active Directory Security Groups and S2 Access Levels to simplify employee onboarding and offboarding. Is offboarding a word? Maybe jettisoning? Regardless…I spent a morning crafting a PowerShell script that will run as a scheduled task and regularly synchronize these two groups. This was a quick script to fill a void; we will be enhancing it in the near future to take into account disabled accounts too! We also saw the need to track the NFC credential. This script allows you to store the credential in Active Directory in the ‘Pager’ field (or any field for that matter) and sync it up to S2 as well.

S2 has a very antiquated API available that we can leverage on the backend to inject this information.  The API is simple, and accepts some XML input and has provisions for authentication.  I would strongly suggest that you do not expose your S2 installation to the web when using this API.  There are authentication mechanisms available in the API, but they are poorly documented so they were omitted from this script.  I will reach out to S2 and see about improving this code with the proper Message Authentication Codes.

On to the script!  First things first – there are some prerequisites!

  • This script assumes that you have a separate OU in AD dedicated to your Access Control Security Groups
  • This script only plays nice when your AD Security Group Names match your S2 Access Level Names verbatim!
  • You must enable the API by going to Configuration -> Site Settings -> Network Controller -> Data Integration and checking the API checkbox
  • Backup your database before using this script!

That last one is important.  I have extensively tested this in our environment, and it works splendidly for our needs.  I will not be held responsible for any damage caused by this script when run in your environment.  Ultimately, this is a script you found on the internet that can completely ruin your S2 installation if not configured properly.  You have been warned!  The line that actually performs the writing to S2 is commented by default for testing.  Remove the leading # on the last line of the script to run the script live!
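The reconciliation step such a sync has to get right, as an added example that is not the script this post describes: it builds a dry-run plan from AD group membership and the 'Pager' credential, reports groups whose names do not match an S2 access level verbatim, and removes only levels that are backed by an AD group. The function name `Get-SyncPlan`, the logins, group names and credential numbers are all constructed, and no S2 API call is made because the page does not show one.

```powershell
# Constructed sample data. In production the AD side would come from Get-ADGroup -SearchBase
# (the access-control OU), Get-ADGroupMember and Get-ADUser -Properties pager.
$adGroups = @{                                  # AD security group -> member logins
    'Staff Exterior Doors' = @('asmith', 'bjones')
    'Custodial 24x7'       = @('bjones')
    'Gym After Hours'      = @('cdoe')          # no S2 level has exactly this name
}
$adPager  = @{ asmith = '10234'; bjones = '10877'; cdoe = '' }   # NFC credential in 'Pager'
$s2Levels = @('Staff Exterior Doors', 'Custodial 24x7', 'Gym - After Hours', 'Contractors')
$s2People = @{                                  # current S2 state per login
    asmith = @{ Levels = @('Staff Exterior Doors', 'Custodial 24x7'); Credential = '10234' }
    bjones = @{ Levels = @('Staff Exterior Doors', 'Contractors');    Credential = '' }
    dlee   = @{ Levels = @('Staff Exterior Doors');                   Credential = '10001' }
}

function Get-SyncPlan {
    param($AdGroups, $AdPager, $S2Levels, $S2People)
    # Names must match verbatim (case included); unmatched groups are reported, never guessed at.
    $managed   = @($AdGroups.Keys | Where-Object { $S2Levels -ccontains $_ })
    $unmatched = @($AdGroups.Keys | Where-Object { $S2Levels -cnotcontains $_ } | Sort-Object)
    $desired = @{}
    foreach ($group in $managed) {
        foreach ($user in $AdGroups[$group]) {
            if (-not $desired.ContainsKey($user)) { $desired[$user] = @() }
            $desired[$user] += $group
        }
    }
    $changes = foreach ($user in (@($desired.Keys) + @($S2People.Keys) | Sort-Object -Unique)) {
        $want = @(if ($desired.ContainsKey($user)) { $desired[$user] })
        $have = @(if ($S2People.ContainsKey($user)) { $S2People[$user].Levels })
        $cred = if ($S2People.ContainsKey($user)) { $S2People[$user].Credential } else { '' }
        $add    = @($want | Where-Object { $have -notcontains $_ })
        # Only levels backed by an AD group are removed; hand-managed S2 levels are left alone.
        $remove = @($have | Where-Object { $managed -contains $_ -and $want -notcontains $_ })
        # Assumption: an empty Pager field means "no change", so a blank never wipes a badge.
        $newCred = if ($AdPager[$user] -and $AdPager[$user] -ne $cred) { $AdPager[$user] }
        if ($add.Count -or $remove.Count -or $newCred) {
            [pscustomobject]@{ User = $user; Add = $add; Remove = $remove; SetCredential = $newCred }
        }
    }
    [pscustomobject]@{ UnmatchedGroups = $unmatched; Changes = @($changes) }
}

$plan = Get-SyncPlan $adGroups $adPager $s2Levels $s2People
$plan.UnmatchedGroups | ForEach-Object { Write-Warning "AD group '$_' has no S2 access level" }
$plan.Changes | Format-Table User, Add, Remove, SetCredential -AutoSize
# Dry run ends here: the write to S2 is deliberately not performed in this example.
```

With the sample data, `dlee` has left every AD group and loses 'Staff Exterior Doors', while the hand-assigned 'Contractors' level on `bjones` is untouched.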



S2 Access Control and Holiday Schedules

So…we just recently added Access Control to most of our exterior doors district wide as part of our Safety and Security upgrades. This has been a huge undertaking and we have battled with contractors nonstop. But that is not what this post is about. This post will focus solely on the biggest hangup with our new S2 NetBox installations. Holidays. It is such a minor thing, and could be fixed very easily by tweaking some UI elements, but alas – it is broken. Phil Elliott over at Spring Hill has warned us about this several times. He explained the intricacies of holidays in S2, and reiterated that he has to review it every year to make sure it is right. If there is a feature of your product that your users have constant trouble with every time they go to use it, your feature needs re-engineered.

So what is it about holidays that is so difficult to implement?  Well, let’s dive into some screenshots and I will show you!

In the software, we first have to manually add all of the holidays at our school.  This includes calendar holidays, teacher workdays, Winter and Summer breaks, and the unknown snow days (but we won’t get into those today).  When setting up each holiday, we need to assign it to a group.  Holiday 1, holiday 2, or holiday 3.  There is no rhyme or reason to these, they are just there for you to use as you see fit.  We utilize them as follows:

  • Holiday Group 1 – Calendar Holidays
  • Holiday Group 2 – No School, but building staff are present
  • Holiday Group 3 – Extended Breaks or snow day.  No Staff

Here is a picture depicting the setup for Labor day of 2016.  Calendar holiday – so it gets the Group 1 designation.  We also prepend our holidays with the year (a tip from Phil@Spring Hill) to make for easier changes next year!

Labor Day 2016

And here is a picture of today’s teacher inservice. No students are here, but our staff still needs to get in the buildings. Holiday Group 2.

September23rd Workday

Pretty straightforward so far?  Hold on!  Once you have defined all of your holidays for the year, you need to assign them to “Time Specs”.  These time specs are then assigned to doors, and you are done!  Therein lies the problem.  Let’s dig in.  Look at the following picture and tell me what would happen at 7:30AM on Labor Day?  Labor Day is a hol1 (Holiday Group 1).

The door would not unlock. If you want to apply a holiday to a time spec, you have to NOT check it. So in this time spec, the doors would unlock on Monday through Friday, and any Holiday Group 2. It’s backwards, and it can be confusing. If you take the time to think about it – it finally starts to make sense. If the verbiage could just be changed from “Days of the week” to something like “Select the days and holiday groups which you would like the doors to unlock” it would be a bit easier. Am I overcomplicating this?
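The checkbox rule above, written out as an added example that is not S2 code or part of the original post: a small model of the behaviour described here, usable as a yearly review of which holidays still unlock a door. The function name `Test-TimeSpecActive`, the holiday names and the 07:00 to 16:00 window are assumptions, since the screenshot with the real times is not on the page.

```powershell
# Holidays as set up in the post: each date belongs to exactly one holiday group.
$holidays = @{
    '2016-09-05' = @{ Name = '2016 Labor Day';         Group = 1 }   # calendar holiday
    '2016-09-23' = @{ Name = '2016 Teacher Inservice'; Group = 2 }   # staff present, no students
}

# Time spec from the post: Monday-Friday plus Holiday Group 2 checked.
# The From/Until window is constructed for this example.
$timeSpec = @{
    Days          = @('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday')
    HolidayGroups = @(2)
    From          = [timespan]'07:00'
    Until         = [timespan]'16:00'
}

function Test-TimeSpecActive {
    param([datetime]$When, [hashtable]$TimeSpec, [hashtable]$Holidays)
    $inWindow = $When.TimeOfDay -ge $TimeSpec.From -and $When.TimeOfDay -lt $TimeSpec.Until
    $holiday  = $Holidays[$When.ToString('yyyy-MM-dd')]
    if ($holiday) {
        # On a holiday the weekday boxes stop applying: only a CHECKED group keeps the spec
        # active, so leaving a group unchecked is what "applies" the holiday and keeps doors locked.
        $dayOk = $TimeSpec.HolidayGroups -contains $holiday.Group
        $what  = "$($holiday.Name) is hol$($holiday.Group)"
    } else {
        $dayOk = $TimeSpec.Days -contains $When.DayOfWeek.ToString()
        $what  = "ordinary $($When.DayOfWeek)"
    }
    [pscustomobject]@{
        When     = $When.ToString('yyyy-MM-dd HH:mm')
        Unlocked = ($inWindow -and $dayOk)
        Reason   = "$what, " + $(if ($dayOk) { 'checked' } else { 'not checked' })
    }
}

# Yearly review: every defined holiday at 7:30 AM, plus an ordinary Tuesday for comparison.
$report = foreach ($date in ($holidays.Keys | Sort-Object)) {
    Test-TimeSpecActive ([datetime]"$date 07:30") $timeSpec $holidays
}
$report += Test-TimeSpecActive ([datetime]'2016-09-06 07:30') $timeSpec $holidays
$report | Format-Table -AutoSize
```

In this model Labor Day comes back `Unlocked = False` because hol1 is not checked, while the inservice day and the ordinary Tuesday both unlock.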