Can you sync S2 Netbox Access Levels With AD Security Groups?

Sure you can!  But it isn’t a feature that is accessible from the GUI.  We saw a need at USD290 to link our Active Directory Security Groups and S2 Access Levels to simplify employee onboarding and offboarding.  Is offboarding  a word?  Maybe jettisoning?  Regardless…I spent a morning crafting a PowerShell script that will run as a scheduled task and regularly synchronize these two groups.  This was a quick script to fill a void, we will be enhancing it in the near future to take into account disabled accounts too!  We also saw the need to track the NFC credential too.  This script allows you to store the credential in Active Directory in the ‘Pager’ field (or any field for that matter) and sync it up to S2 as well.

S2 has a very antiquated API available that we can leverage on the backend to inject this information.  The API is simple, and accepts some XML input and has provisions for authentication.  I would strongly suggest that you do not expose your S2 installation to the web when using this API.  There are authentication mechanisms available in the API, but they are poorly documented so they were omitted from this script.  I will reach out to S2 and see about improving this code with the proper Message Authentication Codes.

On to the script!  First things first – there are some prerequisites!

  • This script assumes that you have a separate OU in AD dedicated to your Access Control Security Groups
  • This script only plays nice when your AD Security Group Names match your S2 Access Level Names verbatim!
  • You must enable the API by going to Configuration ->Site Settings->Network Controller->Data Integration and checking the API checkbox
  • Backup your database before using this script!

That last one is important.  I have extensively tested this in our environment, and it works splendidly for our needs.  I will not be held responsible for any damage caused by this script when run in your environment.  Ultimately, this is a script you found on the internet that can completely ruin your S2 installation if not configured properly.  You have been warned!  The line that actually performs the writing to S2 is commented by default for testing.  Remove the leading # on the last line of the script to run the script live!

Security,Windows Admin


Lower case ‘t’ in GPO? Nah…

Update: Reader Ryan Engstrom pointed me to a MS Hotfix on the issue!  Well, the hotfix covers the backspace issue, I will test lowercase ‘t’ later tonight! 

Came across something very odd in Group Policy Management today.  I was attempting to break a GPO into two separate GPO’s – one for staff, and one for students.  The actual splitting was the easy part.  The difficulty came when I decided to indicate which was for Staff and which was for Students.  I was not able to use a lowercase ‘t’ in the name of the GPO.  Any other letter was fine!  I quickly toggled my Windows key, Ctrl key, Alt key, and anything else to make sure I wasn’t experiencing an input error caused by my hardware.  I then ended my mRemoteNG session, and fired up RDP directly thinking maybe mRemoteNG was messing with something.  I even undocked my Lenovo P70, and used the built-in keyboard.  I was stumped.  I needed a solution, so I opened up notepad, typed the name I wanted, and then copied and pasted it over to rename the GPO.  I couldn’t leave it at that.  I had to figure out what was going on.

You are probably reading this right now, and you have your own ideas of what you would have tried.  And you probably expect me to say that I was able to diagnose the issue and detail how I fixed it.  Well…that’s not going to happen.  I took to the phones and walked two other admins through this at different companies.  Both experienced the same issue.  Here is how you can check it out for yourself!

  • Launch Group Policy Management
  • Expand the “Group Policy Objects” folder (near the bottom of the folder list) 
  • Select a GPO…I used a disabled one for this example, so as to not interfere with anything
  • Now, if you right click and rename, all is well.  It will work.  You can type a lowercase ‘t’.  But…
  • lowercaset1

  • Select the ‘Settings’ tab on the right hand side.
  • Now on the left hand side, in your list of GPO’s, right click and try to append a lone ‘t’ to the end of your GPO name.  Can’t do it!  You also cannot press backspace
  • lowercaset2

This was a perfect storm.  I was checking the settings that were applied by the GPO and then decided to rename the object.  Give it a shot and see what you get!


Shameless plug for mRemoteNG?  Yea.  That’s what this entire blog entry is all about!


Windows Admin