General discussion

  • #2273750

    Programming ISA Server 2000

    Locked

    by r. a. caluste ·

    Hi,

    I’m looking for a way to add an account to a specific protocol rule that will expire in a given period of time.

    Manually, I just add the account to its ACL and at the end of the day, I remove the account from its ACL. I would like to automate this task.

    I have looked into ISA Server’s SDK using the object FPC.Root, traversing through the collection of Array(1).ArrayPolicy.ProtocolRules and getting the AppliestoAccounts collection.

    I am able to display the accounts in the AppliestoAccounts collection. How do I add an existing account to the collection? If I use the FPCAccounts.add method, it creates a new account in my Active Directory and it doesn’t add the account in that particular Rule’s AppliestoAccounts list.

    Or is there another way, an add-on of sorts, to give a user temporary access for a limited period of time only? Let’s say, I’ll give userA only 1 hour of internet access now, so that after one hour, it will automatically revoke the access given to userA.

All Comments

    • #2700689

      Reply To: Programming ISA Server 2000

      by r. a. caluste ·

      In reply to Programming ISA Server 2000

      Point value changed by question poster.

    • #2700684

      Reply To: Programming ISA Server 2000

      by cg it ·

      In reply to Programming ISA Server 2000

      Doesn’t quite work that way. ISA works with Active Directory security groups. You add users to that group, then add that group to the applies to section of the protocol. You can limit the amount of time users in that group have access to the internet via day/time. You COULD specify an expiration date of the user’s password in the user’s Active Directory account to 1 day.

      To my knowledge there’s no way to grant temporary access for a specific user account for a specific period of time outside of Active Directory and in ISA server itself.

      • #2700681

        Reply To: Programming ISA Server 2000

        by cg it ·

        In reply to Reply To: Programming ISA Server 2000

        And after thinking about it, you could create a user account in Active Directory with an expiration date/time of the password. Add that user into the applies to section of the protocol rule you allow them to use, e.g. http, then set the time they are allowed access in ISA server. It’s not automated but would work. Prolly be able to create a script or security template with the attributes you want and apply it to the accounts you want.

      • #3337492

        Reply To: Programming ISA Server 2000

        by r. a. caluste ·

        In reply to Reply To: Programming ISA Server 2000

        Thank you for your answer. I appreciate it very much. Sorry if it took this long for my reply, I’ve been very busy with work. Again, many thanks.

    • #2716860

      Reply To: Programming ISA Server 2000

      by smight ·

      In reply to Programming ISA Server 2000

      I think the previous answer was on the right track. I wonder if you could create the user in AD and then use account policies or group policies to restrict the log on (authentication) time. But from your question, it sounds like you want to add a user (at a random time, let’s say 2:00pm) and then arbitrarily have the access expire after 60 minutes or something like that. This is much different than setting logon periods or access periods using ISA2000 scheduling. I’d like to plug away at this issue but it would help if you would post your specific objective so that I can know I am working on the right thing.

      Good luck,
      Chris Britt

      • #3337489

        Reply To: Programming ISA Server 2000

        by r. a. caluste ·

        In reply to Reply To: Programming ISA Server 2000

        Thank you for your answer. I appreciate it very much. Sorry if it took this long for my reply, I’ve been very busy with work. Again, many thanks.

    • #2707587

      Reply To: Programming ISA Server 2000

      by techierob ·

      In reply to Programming ISA Server 2000

      I might be on a slight tangent here – my experience with ISA has only been on a very superficial level, in that all the rules and settings I have applied have only half done what they were supposed to do 🙁

      Regardless, ISA works hand in hand with AD. The one thing that springs to mind is the “Access policy” tab and Schedule settings. With this you can effectively set timeframes for access for certain groups. I don’t know what you are trying to achieve with “temporary access” to certain protocols, but I know that you can limit access to protocols / services within this tab.

      This will effectively give a timeframe in which services or protocols can be used. It will be like saying “You can only access the Web during 9-5”. If I’m reading this right, you don’t want to specify a time frame – but rather have it automatically set when the user logs on.

      I would look within this tab first, have you tried http://www.isasrver.org??

      I hope my wild tangent hits something remotely relevant 🙂

      • #3337490

        Reply To: Programming ISA Server 2000

        by r. a. caluste ·

        In reply to Reply To: Programming ISA Server 2000

        Thank you for your answer. I appreciate it very much. Sorry if it took this long for my reply, I’ve been very busy with work. Again, many thanks.

    • #2707584

      Reply To: Programming ISA Server 2000

      by r. a. caluste ·

      In reply to Programming ISA Server 2000

      To clarify my question, consider this scenario:

      I have a limited list of people whom the management allowed to have internet access.
      From time to time, certain individuals may ask me (with written approval from their heads) to give them internet access for the day.

      I would open up the ISA console and add their account to the Applies To tab of my protocol rule.
      At the end of the day, I have to manually remove their accounts from the Applies To tab.

      My goal is to automate this task. Enable internet access for them for 1 day and at the end of the day, reset their settings back to normal.

    • #2720522

      Reply To: Programming ISA Server 2000

      by cg it ·

      In reply to Programming ISA Server 2000

      OK, I’ve messed around with ISA server 2000 [not 2004] on our test network trying to come up with a way to allow a user internet access for 1 hour at a randomly picked time, then after that time not allow them access again but allow the user to be a domain user.

      Ha Ha! Can’t be done, at least I couldn’t configure ISA to do it. We could not create a script we could run for a particular computer and a particular user that would automatically add a user to the Internet Access group, track the time the user was allowed to be a member of the group, then take the user out of the group but still allow the user to have a domain user account.

    • #2722318

      Reply To: Programming ISA Server 2000

      by paulvs1_ ·

      In reply to Programming ISA Server 2000

      how do you do that

    • #3300766

      Reply To: Programming ISA Server 2000

      by scottsman ·

      In reply to Programming ISA Server 2000

      I cannot test this at the moment but you can give this a try.

      Create a scheduled task to run a script once every 24 hours.

      ' Remove a user from a group through the ADSI WinNT provider.
      ' Run as a .vbs file (cscript/wscript) from the scheduled task.
      DelUserFromGroup "MyDomain", "MyUsername", "MyGroup"

      Sub DelUserFromGroup(strDomain, strUsername, strGroupname)
          Dim User
          Dim Group

          ' Bind to the user and the group objects
          Set User = GetObject("WinNT://" & strDomain & "/" & strUsername & ",user")
          Set Group = GetObject("WinNT://" & strDomain & "/" & strGroupname & ",group")
          ' Drop the user's membership by ADsPath
          Group.Remove(User.ADsPath)
          Group.SetInfo

          Set User = Nothing
          Set Group = Nothing
      End Sub
      Change the domain as needed.

      you can use this script to add the new user

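      ' Add an existing account to the group through the ADSI WinNT provider.
      strDomain = "Workgroup"
      strUser = "jdoe"
      strGroupName = "Internet Allow"

      Set oDomain = GetObject("WinNT://" & strDomain)
      Set oGroup = oDomain.GetObject("Group", strGroupName)
      ' Add takes the ADsPath of the existing account; it does not create one.
      oGroup.Add ("WinNT://" & strDomain & "/" & strUser)
      Set oDomain = Nothing
      Set oGroup = Nothing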

      change the domain and such as needed.

      Depending on how much script knowledge you have, you can add a little GUI to each and then delegate the responsibility of adding the names.

      I hope this points you in the right direction.
      good luck
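
One way to get the time-limited access asked about in this thread, combining the add and remove calls from the post above with a per-user expiry record; this is an added example, not part of any post. It assumes the protocol rule applies to the group, and the script name, grants file path and domain name are placeholders.

```vbscript
Option Explicit
Const GRANTS_FILE = "C:\Scripts\inet-grants.txt"  ' hypothetical path; one "user|expiry" line per grant
Const DOMAIN_NAME = "MyDomain"                    ' placeholder, as in the post above
Const GROUP_NAME  = "Internet Allow"              ' group the protocol rule applies to
Dim fso, args, verb
Set fso = CreateObject("Scripting.FileSystemObject")
Set args = WScript.Arguments
If args.Count > 0 Then verb = LCase(args(0))
If verb = "grant" And args.Count = 3 Then         ' grant <user> <minutes>
    GrantAccess args(1), CLng(args(2))
ElseIf verb = "sweep" Then                        ' run this one from the scheduled task
    SweepExpired
Else
    WScript.Echo "Usage: cscript tempaccess.vbs grant <user> <minutes> | sweep"
End If

Sub GrantAccess(strUser, lngMinutes)
    Dim oGroup, strPath, ts
    strPath = "WinNT://" & DOMAIN_NAME & "/" & strUser
    Set oGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME & ",group")
    ' Existing members are permanent or already on file: record nothing, so the sweep never strips them.
    If oGroup.IsMember(strPath) Then Exit Sub
    ' Record the expiry before adding: a member without a record would never be revoked.
    Set ts = fso.OpenTextFile(GRANTS_FILE, 8, True)   ' 8 = ForAppending, create if missing
    ts.WriteLine strUser & "|" & CStr(DateAdd("n", lngMinutes, Now))
    ts.Close
    oGroup.Add strPath
End Sub

Sub SweepExpired()
    Dim oGroup, ts, parts, strKeep, strPath
    If Not fso.FileExists(GRANTS_FILE) Then Exit Sub
    Set oGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME & ",group")
    Set ts = fso.OpenTextFile(GRANTS_FILE, 1)         ' 1 = ForReading
    Do Until ts.AtEndOfStream
        parts = Split(ts.ReadLine, "|")
        If UBound(parts) <> 1 Then                    ' malformed line: dropped
        ElseIf CDate(parts(1)) > Now Then             ' still valid: keep the record
            strKeep = strKeep & parts(0) & "|" & parts(1) & vbCrLf
        Else                                          ' expired: revoke membership
            strPath = "WinNT://" & DOMAIN_NAME & "/" & parts(0)
            If oGroup.IsMember(strPath) Then oGroup.Remove strPath
        End If
    Loop
    ts.Close
    Set ts = fso.CreateTextFile(GRANTS_FILE, True)    ' rewrite with unexpired grants only
    ts.Write strKeep
    ts.Close
End Sub
```

Schedule the `sweep` call every few minutes so a grant ends close to its expiry, and restrict write access to the grants file, since whoever can edit it can extend a grant.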

    • #3337487

      Reply To: Programming ISA Server 2000

      by r. a. caluste ·

      In reply to Programming ISA Server 2000

      This question was closed by the author
