Ordinary users resetting DA connection with net stop iphlpsvc && net start iphlpsvc

  • Question

  • Hi !

    PowerShell script:

    # Load Windows Forms so that MessageBox is available
    Add-Type -AssemblyName System.Windows.Forms

    # Ask whether to reset the DirectAccess connection
    $button1 = [System.Windows.Forms.MessageBox]::Show(
        "Do you want to reset DA connection ?", "reset",
        [System.Windows.Forms.MessageBoxButtons]::YesNo,
        [System.Windows.Forms.MessageBoxIcon]::Information,
        [System.Windows.Forms.MessageBoxDefaultButton]::Button3,
        [System.Windows.Forms.MessageBoxOptions]::ServiceNotification
    )

    # Restart the IP Helper service only if the answer was Yes
    if ($button1 -eq [System.Windows.Forms.DialogResult]::Yes) {
        Stop-Service -Name iphlpsvc
        Start-Service -Name iphlpsvc
    }


    The script works if I run it independently, and it restarts iphlpsvc. My idea was to supply this script as AdminScript in the DirectAccess assistant, so whenever a user starts advanced diagnostics this script would also run and ask the user if he/she wants to reset the DA connection. As an ordinary user has no permission to restart iphlpsvc, this script runs with elevated permissions, so maybe it could work?

    When I tested it with ordinary users, I know it runs, because the event log gets an application popup event. But the user never _sees_ the popup. I think this is because the same thing happens here as when you schedule something with the At command: you have to make it interactive.

    Anybody any ideas?

    Thursday, June 24, 2010 7:55 AM

Answers

  • Also, it should be considered what the side effects are by providing a script to disable DA access. While I can see that this would be useful during a proof of concept or pilot phase of a deployment, the goal of DirectAccess is to provide that always on capability to both users and IT. When you take that away, you end up with something like a VPN, which is not consistent with the DirectAccess vision, philosophy or design.

    A better solution would be to determine why it is believed that DA should be disabled, and if it's just for troubleshooting purposes, to consider using troubleshooting procedures that work while the DA is enabled.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Tuesday, June 29, 2010 8:56 PM
    Monday, June 28, 2010 11:34 PM

All replies

  • Hi,

    You are right, the script is executed by the DCA service and thus runs with elevated permissions. The problem is, the service isn't running in the interactive user context, but is run by the machine account, so the user won't see any popup.

    It might work if you manually configure the DcaSvc to run using the user's credentials and allow it to interact with the desktop, but this isn't something global that you can push to all clients.

    By the way, why do you want to restart the IP helper service? Which issue exactly is this going to solve?

    Thanks,

    Yaniv

    Thursday, June 24, 2010 5:56 PM
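
The context described in the reply above can be checked from inside the script itself, so it skips the prompt when no user desktop can display it. This is an added example, not code from the thread or from the DCA product; the function names `Get-ScriptContext` and `Test-CanShowDialog` are hypothetical.

```powershell
# Added example: report the identity and session a script runs in and
# only show a dialog when a user desktop can actually display it.

function Get-ScriptContext {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $process  = [System.Diagnostics.Process]::GetCurrentProcess()
    New-Object PSObject -Property @{
        User            = $identity.Name        # e.g. NT AUTHORITY\SYSTEM under a service
        IsSystem        = $identity.IsSystem
        SessionId       = $process.SessionId    # services run in session 0
        UserInteractive = [System.Environment]::UserInteractive
    }
}

function Test-CanShowDialog {
    param([Parameter(Mandatory = $true)] $Context)
    # Session 0 is isolated from user desktops on Windows Vista and later,
    # so a window created there is never seen by the logged-on user.
    return ($Context.SessionId -ne 0) -and
           $Context.UserInteractive -and
           (-not $Context.IsSystem)
}

$ctx = Get-ScriptContext

if (Test-CanShowDialog -Context $ctx) {
    Add-Type -AssemblyName System.Windows.Forms
    $answer = [System.Windows.Forms.MessageBox]::Show(
        "Do you want to reset DA connection ?", "reset",
        [System.Windows.Forms.MessageBoxButtons]::YesNo,
        [System.Windows.Forms.MessageBoxIcon]::Information
    )
    Write-Output ("User {0} answered: {1}" -f $ctx.User, $answer)
}
else {
    # Record why no prompt was shown instead of blocking on an invisible window.
    Write-Output ("No visible desktop: user={0} session={1} interactive={2}; prompt skipped." -f `
        $ctx.User, $ctx.SessionId, $ctx.UserInteractive)
}
```

Run from a normal user's PowerShell window it takes the first branch; launched by a service running as the machine account it takes the second and reports the identity and session instead.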
  • Are you aware of the DirectAccess Connectivity Assistant? This may help...

    http://technet.microsoft.com/en-us/library/ff384241.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, June 24, 2010 5:57 PM
  • Hi,

    Yes, the script seems to run under “NT authority/system”.

    The reason I wanted this was that I was just wondering that users have no need to even open advanced diagnostics unless their DA is not working? So I was just thinking of resetting and making the DA connection work again :)

    You can like shut down and restart the DA connection if you restart iphlpsvc? Right? Or are there better ways without booting?

    BUT there also seem to be side effects of restarting iphlpsvc. For example the DA assistant icon disappears, and you need to reboot or something to get it back....

    Thanks,

    Oraat

    Monday, June 28, 2010 6:43 AM
  • Weird, the icon doesn't disappear for me when I restart IP Helper.

    Restarting IP Helper actually restarts the whole process of finding the ideal transition technology and trying to connect using it, but DirectAccess should work seamlessly without ever restarting it.

    If there is a specific issue that you find which restarting IP Helper can fix, please let us know and we will investigate.

    Thanks

    Monday, June 28, 2010 4:31 PM
  • I have only ever used that service as a temporary "disable DA" option before DCA was available.

    You can manually run the dcatray.exe program (in %Program Files%\DirectAccess Connectivity Assistant) to get the icon back, but this should only be necessary if you restart the DCA service, not IP Helper.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, June 28, 2010 9:40 PM