Appendix C - DirectAccess User Interface Scripting

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

DirectAccess user interface (UI) scripting allows you to use PowerShell scripts to run a combination of Netsh.exe and PowerShell commands and configure a DirectAccess server.

The DirectAccess Setup Wizard generates an Extensible Markup Language (XML) data file that can be passed as an input to the engine.ps1 PowerShell script. The location for the data file is %WINDIR%\DirectAccess\DirectAccessConfig.xml. This XML data file is generated whenever you save or apply settings with the DirectAccess Management Console. For more information and the engine.ps1 script file, see Perform DirectAccess Scripting (

By accessing the tag names inside the XML file, you can configure the DirectAccess server and all of the required Group Policies.

Here is an example of a data file:


CorpPrefix can be accessed by a script using the format $xmldata.root.ServerData.CorpPrefix.

Three helper functions provide the ability to do the following:

  • Expand variables

  • Construct commands

  • Run commands and log output

These functions are extensible and more commands can be added as needed. The functions are:

  • Executing PowerShell commands

    pscmdexec(string command, string description)

  • Executing Netsh.exe commands

    netshcmdexec(string command, string description)

  • Executing Internet Protocol security (IPsec) or Windows Firewall-related Netsh.exe commands

    netshipseccmdexec(string setstorecommand, string ipseccommand, string description)

Script usage

The script takes in as arguments the data file path and the log file path along with the mandatory mode parameter.

Engine.ps1 –mode <serveronly|gpsettingonly|all> [–data <dataFilePath>] [-log <logFilePath>]

The first option <serveronly|gpsettingonly|all> is the following:

  • Serveronly Configures only the DirectAccess server. Required settings and policies are not created for Group Policy.

  • GPSettingOnly Creates and configures Group Policy. It does not configure the DirectAccess server.

  • All Configures both the DirectAccess server and the Group Policies. This mode is equivalent to clicking Apply in the DirectAccess Management Console.

The data and log options are optional. If they are not present, the script uses %WINDIR%\DirectAccess\DirectAccessConfig.xml and generates the log file in the current directory with the name DirectAccessLog.txt.

Log file

The script generates a log file named DirectAccessLog.txt when run, which contains the details of what actions the script performed, with timestamps. The log file contents have the following format:

  • Time Stamp Step: description

  • Executing: the command being run

  • Output: output of the command

Limitation of the script

The script relies on the Dnscmd.exe tool to perform registration of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) name on the Domain Name System (DNS) server. Either install Dnscmd.exe on the computer on which the script is being run with the Remote Server and Tools feature or add a new Address (A) record in DNS server for the name ISATAP with the intranet Internet Protocol version 4 (IPv4) address of the DirectAccess server. You can get this address from the XML file at <root>-<ServerData>-<TransitionTechnologies>-<ISATAP>-<CorpV4Address>.