The Dynamic Local User policy lets you create new users and manage existing users on the managed device after they have successfully authenticated to the user source.
NOTE:
It is recommended that you install the latest version of the Novell Client on the managed device before the Dynamic Local User policy is enforced. To obtain the latest version of Novell Client, see the Novell Download Web site.
To implement the Dynamic Local User policy without the Novell Client, see Section 3.2.3, Implementing the Dynamic Local User Policy Without the Novell Client.
Dynamic Local User policy is not supported for Domain Services for Windows (DSfW) users.
In ZENworks Control Center, click the Policies tab.
In the Policies list, click New, then click Policy; or, in the Policy Tasks list, click New Policy.
The Select Platform page is displayed.
Select Windows, then click Next.
The Select Policy Category page is displayed.
Select Windows Configuration Policies, then click Next.
Select Dynamic Local User Policy as the Policy Type, then click Next.
On the Define Details page, fill in the following fields:
Policy Name: Provide a name for the policy. The policy name must be different from the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide is displayed in ZENworks Control Center.
Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.
Administrator Notes: Provide a short description of the policy's content. This description is displayed in ZENworks Control Center.
Click Next to display the User Configurations page, then use the options on the page to configure the user account.
The following table describes the options for configuring dynamic local user accounts and managing them on managed devices:
Field | Details
---|---
Use User Source Credentials | Enables logging in with the user source credentials instead of the Windows operating system credentials.
Use the Credentials Specified Below (Always volatile) | If you do not select Use User Source Credentials, the user account that is created is always volatile and is not accessible. This setting allows you to specify the user credentials for the volatile user. If a user logs in to a device that has the Dynamic Local User policy applied and then logs out of the device while the device is disconnected from the network, the user is unable to log in to the disconnected device again. For information on this issue, see Dynamic Local User Policy Troubleshooting.
Manage Existing User Account (if any) | Helps you manage a user object that already exists. If you select both the Volatile User and the Manage Existing User Account (if any) check boxes, and the user has a permanent local account that uses the same user name specified in the user source, the permanent account is changed to a volatile (temporary) account and is removed when the user logs out. If a local user object already exists with a DLU user name, any changes to the DLU user name cannot be applied by the policy unless you enable Manage Existing User Account (if any). This setting must be enabled for the following scenarios to work:
Volatile User | Specifies the use of a volatile user account for login. The user account that NWGINA creates on the local workstation can be either a volatile or a nonvolatile account.
Enable Volatile User Cache | Enables caching of the volatile user account on the device for a specified period of time. If the Enable Volatile User Cache setting is set in disconnected mode, the following are possible:
Cache Volatile User for Time Period (Days) | Allows you to specify the number of days to cache the volatile user account on the device. The default value is 5. You can specify a value from 1 to 999 days. This volatile user account is deleted after the specified cache period expires, when another DLU user logs out from the device.
Not a Member Of | Displays the available groups to which a user can be assigned as a member.
Member Of | Displays the groups a user is a member of.
Custom | Click Custom to display the Custom Group Properties dialog box, through which you can add a new custom group and configure its rights.
Edit | Click Edit to view and edit the details of a custom group. You cannot edit the default Windows groups with this option.
Delete | Click Delete to delete a custom group. You cannot delete the default Windows groups with this option.
Click Next to display the Login Restrictions page, then fill in the fields to configure user access:
Included / Excluded Users: Lists the users and containers that you want to include or exclude access to. For more information, see Rules for Users.
Included / Excluded Workstations: Lists the workstations and containers that you want to include or exclude access to. For more information, see Rules for Workstations.
The Excluded Workstations List displays the workstations and containers that you want to exclude from DLU access. Workstations listed here, or workstations in the containers listed here, cannot use DLU access. You can make exceptions for individual workstations by listing them in the Included Workstations List. This allows DLU access to those workstations only and excludes DLU access for the remaining workstations in the container. If the user account already exists on the workstation, the option to exclude the device from receiving the DLU policy is ignored.
Click Next to display the File Rights page.
For a DLU policy, the timeout for enforcing file rights, if file rights are configured, is 120 seconds. For large directory structures, the DLU policy might not be enforced because of this timeout. To enforce the file rights in that case, follow the instructions in TID 7004171 in the Novell Support Knowledgebase.
The following table describes the options for managing Dynamic Local User file system access on the managed device:
Field | Details
---|---
Add | Allows you to select and assign appropriate file rights. To add a file/folder:
Edit | Copy: Allows you to copy a file rights setting and add the copy to the list. Rename: Allows you to edit only the file name.
Move Up or Move Down | Allows you to reorder the files or folders.
Remove | Allows you to remove a file or a folder from the list.
Click Next to display the Summary page. Review the information and, if necessary, use the Back button to change the information shown on the Summary page.
(Conditional) Select Create as Sandbox if you want to create a sandbox version of the policy.
Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.
Rules for Workstations. Be aware of the following:
By default, all workstations are included.
For an indirect association, if an object is in both lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder association.
If the closeness is the same (for example, a workstation is a direct member of both Group A, which is excluded, and Group B, which is included), the Included List takes precedence.
Excluded List | Included List | Result
---|---|---
Workstation-A | Workstation-B | The policy is applied on all workstations except Workstation-A.
Workstation Group-1 | Workstation-A | The policy is not applied on any workstations in Workstation Group-1, except for Workstation-A. The policy is applied on workstations that are not contained in Workstation Group-1.
Container-1 | Workstation Group-1 or Workstation-A | The policy is not applied on any workstations in Container-1, except for Workstation Group-1 or Workstation-A. The policy is also applied on workstations that are not contained in Container-1.
Rules for Users. Be aware of the following:
By default, all users are included.
For an indirect association, if an object is in both lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder association.
If the closeness is the same (for example, a user is a direct member of both Group A, which is excluded, and Group B, which is included), the Included List takes precedence.
Excluded List | Included List | Result
---|---|---
User-A | User-B | The policy is applied on all users except User-A.
User Group-1 | User-A | The policy is not applied on any users in User Group-1, except for User-A. The policy is also applied on users that are not contained in User Group-1.
Container-1 | User Group-1 or User-A | The policy is not applied on any users in Container-1, except for User Group-1 or User-A. The policy is also applied on users that are not contained in Container-1.
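The Included/Excluded resolution rules described above (for both workstations and users) are easier to reason about as a small model. The following PowerShell script is an added example, not part of the ZENworks documentation or product; it models closeness as a distance (0 for a direct entry, 1 for a group, 2 for a container), which is an assumption chosen to match the stated ordering, and the workstation objects and list contents are constructed to reproduce the rows of the workstation table.

```powershell
# Added example (not ZENworks code): model of the Included/Excluded list rules.
# Closeness is represented as a distance: smaller is closer (assumption).
$Closeness = @{ Direct = 0; Group = 1; Container = 2 }

# Returns the closeness of the closest entry in $List that matches $Object,
# or $null when no entry in the list matches the object at all.
function Get-ClosestMatch {
    param($Object, [string[]]$List)
    $best = $null
    foreach ($entry in $List) {
        $d = $null
        if ($entry -eq $Object.Name)                  { $d = $Closeness.Direct }
        elseif ($Object.Groups -contains $entry)      { $d = $Closeness.Group }
        elseif ($Object.Containers -contains $entry)  { $d = $Closeness.Container }
        if ($d -ne $null -and ($best -eq $null -or $d -lt $best)) { $best = $d }
    }
    return $best
}

# Applies the documented rules:
#   - every object is included by default;
#   - an Excluded match removes the object unless an Included match is at least as close;
#   - when the closeness is the same, the Included list takes precedence.
function Test-PolicyApplies {
    param($Object, [string[]]$Excluded, [string[]]$Included)
    $ex = Get-ClosestMatch -Object $Object -List $Excluded
    if ($ex -eq $null) { return $true }      # not excluded at all
    $in = Get-ClosestMatch -Object $Object -List $Included
    if ($in -eq $null) { return $false }     # excluded, and no Included entry counters it
    return ($in -le $ex)                     # closer wins; a tie goes to Included
}

# Constructed sample objects: A and B are in Workstation Group-1 inside Container-1,
# C is in Container-1 but not in the group, D is in a different container.
$wsA = @{ Name = 'Workstation-A'; Groups = @('Workstation Group-1'); Containers = @('Container-1') }
$wsB = @{ Name = 'Workstation-B'; Groups = @('Workstation Group-1'); Containers = @('Container-1') }
$wsC = @{ Name = 'Workstation-C'; Groups = @();                      Containers = @('Container-1') }
$wsD = @{ Name = 'Workstation-D'; Groups = @();                      Containers = @('Container-2') }
$all = $wsA, $wsB, $wsC, $wsD

# Row 2 of the workstation table: Excluded = Workstation Group-1, Included = Workstation-A.
"Row 2: Excluded = Workstation Group-1, Included = Workstation-A"
foreach ($ws in $all) {
    $applies = Test-PolicyApplies -Object $ws -Excluded @('Workstation Group-1') -Included @('Workstation-A')
    "  {0,-14} applies: {1}" -f $ws.Name, $applies
}

# Row 3 of the workstation table: Excluded = Container-1, Included = Workstation Group-1 or Workstation-A.
"Row 3: Excluded = Container-1, Included = Workstation Group-1, Workstation-A"
foreach ($ws in $all) {
    $applies = Test-PolicyApplies -Object $ws -Excluded @('Container-1') -Included @('Workstation Group-1', 'Workstation-A')
    "  {0,-14} applies: {1}" -f $ws.Name, $applies
}
```

Running the script prints, for each constructed workstation, whether the policy applies under the second and third rows of the workstation table; the same two functions apply unchanged to user objects, since the user table follows the same rules.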
To log a dynamic user with an eDirectory account in to a workstation using the Dynamic Local User policy:
Install the ZENworks Agent on the workstation.
After successful installation, create a DWORD value named AllowDLUWithoutNovellClient under the following registry key and set its data to 1:
Windows XP (32-bit): HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA
For this registry value to be effective, you must reboot the Windows XP device.
Windows Vista (32-bit and 64-bit): HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication
Windows 7 (32-bit and 64-bit): HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication
This support is not available on managed devices running Windows Server operating systems.
NOTE: In Windows Vista or Windows 7, if the initial login screen does not have an option to enter the user name, do one of the following:
Enable the following setting in the Local Security Policy:
Launch secpol.msc.
Navigate to Security Settings > Local Policies > Security Options.
Enable Interactive logon: Do not display last user name.
or
Create the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001
For more information on the registry key, see ZENworks Registry Keys Reference.
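The registry steps above can be scripted so that the right key is chosen for the OS version and the result is verified. The following PowerShell script is an added example, not Novell's code: the key paths and value names are the ones given in the steps above, while the OS-version detection, the Windows Server check, the read-back verification and the $ForceUserNamePrompt switch are this example's own assumptions. It must run elevated on the managed device after the ZENworks Agent is installed.

```powershell
# Added example (not ZENworks code): set the registry values for DLU login
# without the Novell Client and verify that they were written.
$ErrorActionPreference = 'Stop'

# Set to $true only if the Vista/7 logon screen offers no user-name field
# (the documented condition for the dontdisplaylastusername value).
$ForceUserNamePrompt = $false

# Refuse to run on Windows Server, where this support is not available.
$productType = (Get-WmiObject Win32_OperatingSystem).ProductType   # 1 = workstation
if ($productType -ne 1) { throw 'DLU without the Novell Client is not supported on Windows Server.' }

# Pick the documented key for this OS version.
$os   = [System.Environment]::OSVersion.Version
$isXp = $false
if ($os.Major -eq 5 -and $os.Minor -eq 1) {
    $dluKey = 'HKLM:\SOFTWARE\Novell\NWGINA'          # Windows XP (32-bit)
    $isXp   = $true                                    # XP needs a reboot afterwards
} elseif ($os.Major -eq 6 -and $os.Minor -le 1) {
    $dluKey = 'HKLM:\SOFTWARE\Novell\Authentication'   # Windows Vista / Windows 7
} else {
    throw "Windows version $os is not covered by the documented DLU-without-Client support."
}

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Data)
    # Create the key if it is missing, then create or overwrite the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
    # Read the value back so a mistyped path or name fails loudly instead of silently.
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Data) { throw "$Path\$Name is $actual, expected $Data" }
    "Set $Path\$Name = $Data"
}

# Step 1: allow DLU login without the Novell Client.
Set-DwordValue -Path $dluKey -Name 'AllowDLUWithoutNovellClient' -Data 1

# Step 2 (Vista/7 only, and only when the logon screen lacks a user-name field):
# the registry equivalent of "Interactive logon: Do not display last user name".
if (-not $isXp -and $ForceUserNamePrompt) {
    Set-DwordValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                   -Name 'dontdisplaylastusername' -Data 1
}

if ($isXp) { Write-Warning 'Reboot the device for the NWGINA value to take effect.' }
```

Get-WmiObject is used rather than Get-CimInstance because the latter is not available on the Windows XP and Vista PowerShell versions covered by this procedure.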
Create a user source on the ZENworks server, assuming the user source has one user with the credentials admin/novell.
Log in to the workstation using user-source credentials (admin/novell).
A Dynamic Local User account gets created.
IMPORTANT:
If the DLU policy is configured to use credentials other than the user-source credentials, a DLU user cannot unlock the workstation.