3.2 Dynamic Local User Policy

The Dynamic Local User policy lets you create new users and manage existing users on the managed device after they have successfully authenticated to user source.

NOTE:

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, click New, then click Policy.

    or

    In the Policy Tasks, click New Policy.

    The Select Platform page is displayed.

  3. Select Windows, then click Next.

    The Select Policy Category page is displayed.

  4. Select Windows Configuration Policies, then click Next.

  5. Select Dynamic Local User Policy as the Policy Type, click Next.

  6. In the Define Details page fill in the following fields:

    Policy Name: Provide a name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide displays in ZENworks Control Center.

    Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

    Administrator Notes: Provide a short description of the policy’s content. This description displays in ZENworks Control Center.

  7. Click Next to display the User Configurations page, then use the options on the page to configure the user account.

    The following table contains information about configuring dynamic local user accounts and managing them on managed devices:

    Field

    Details

    Use User Source Credentials

    Enables logging in through the user source credentials instead of the Windows Operating System credentials.

    Use the Credentials Specified Below (Always volatile)

    If you do not select Use User Source Credentials, the user account that is created is always volatile and is not accessible. This setting allows you to specify the following user credentials for a volatile user:

    • User Name: Specify the user’s name.

    • Full Name: Specify the user’s complete name.

    • Description: Provide any additional information that helps the administrator to further identify this user account.

    • Use User Source Password: Select this option to create the account with the password configured in the user source. Ensure that you enable the setting Manage Existing User Account (if any). If both settings are enabled, a user who has logged into the workstation at least once, can login locally on the workstation and access it even in case of network logon failure.

    If a user logs in to a device that has the Dynamic Local User policy applied and then logs out of the device when the device is disconnected from the network, the user is unable to log in to the disconnected device again. For information on this issue, see Dynamic Local User Policy Troubleshooting.

    Manage Existing User Account (if any)

    Helps you to manage a user object that already exists.

    If you select both the Volatile User and the Manage Existing User Account (If Any) check boxes, and the user has a permanent local account that uses the same username specified in the user source, the permanent account is changed to a volatile (temporary) account and is removed when the user logs out.

    If a local user object already exists with a DLU user name, any changes to the DLU user name cannot be applied on the policy unless you enable Manage Existing User Account (if any). This setting must be enabled for the following scenarios to work:

    • Manually changing the user password.

    • Changing the user e-directory password.

    • Applying updated settings if the local user account is present on the device.

    Volatile User

    Specifies the use of a volatile user account for login. The user account that NWGINA creates on the local workstation can be either a volatile or a nonvolatile account.

    Enable Volatile User Cache

    Enables the caching of the volatile user account on the device for a specified period of time.

    If the Enable Volatile User Cache setting is set in disconnected mode, the following are possible:

    • On a device that has Novell Client installed, the last logged in user can log in to the system locally.

    • If you have enabled ZENworks GINA to use DLU without the Novell Client, then any previously logged in cached user can log in to the system locally.

    Cache Volatile User for Time Period (Days)

    Allows you to specify the number of days to cache the volatile user account on the device. The default value is 5. You can specify a value from 1 to 999 days.

    This volatile user account is deleted after the expiry of the specified cache period when another DLU user logs out from the device.

    Not a Member Of

    Displays the available group to which a user can be assigned as a member.

    Member Of

    Displays groups a user is member of.

    Custom

    Click Custom to display the Custom Group Properties dialog box, through which you can add a new custom group and configure its rights.

    Edit

    Click Edit to view and edit the details of a custom group. You cannot edit the default Windows groups with this option.

    Delete

    Click Delete to delete a custom group. You cannot delete the default Windows groups with this option.

  8. Click Next to display the Login Restrictions page, then fill in the fields to configure user access:

    • Included / Excluded Users: Lists the users and containers that you want to include or exclude access to. For more information, see Rules for Users.

    • Included / Excluded Workstations: Lists the workstations and containers that you want to include or exclude access to. For more information, see Rules for Workstations.

    The Excluded Workstations List displays the workstations and containers that you want to exclude DLU access to. Workstations listed or workstations that are in the containers listed here cannot use DLU access. You can make exceptions for individual workstations by listing them in the Included Workstations List. This allows DLU access to those workstations only, and excludes DLU access to the remaining workstations in the container. If the user account is already on the workstation, the option to exclude the device from receiving the DLU policy is ignored.

  9. Click Next to display the File Rights page.

    For a DLU Policy, the timeout duration for enforcing file rights, if it is configured, is 120 seconds. For large directory structures, the DLU policy might not be enforced because of a time out. To enforce the file rights, follow instructions in TID 7004171, in the Novell Support Knowledge base.

    The following table contains information about managing Dynamic Local User file system access on the managed device:

    Field

    Details

    Add

    Allows you to select and assign appropriate file rights.

    To add a file/folder:

    1. Click Add, then specify a file or folder.

    2. Select the file rights you want to assign to the specified file or folder.

    3. If you want to restrict the inheritance of the rights to only the immediate child file or folder, select Restrict inheritance to immediate child files/folders only.

    4. Click OK.

    Edit

    Copy: Allows you to copy and add a file rights setting to the list.

    1. Select a file or folder, then click Edit.

    2. Click Copy.

    3. Specify a new name.

    4. Click OK.

    Rename: Allows you to edit only the filename.

    1. Select a file or folder, then click Edit.

    2. Click Rename.

    3. Specify a new filename.

    4. Click OK.

    Move Up or Move Down

    Allows you to reorder the files or folders.

    1. Select the check box next to the file or folder you want to move.

    2. Click Move Up or Move Down to relocate it.

    Remove

    Allows you to remove a file or a folder from the list.

    1. Select the check box next to the file or folder.

    2. Click Remove.

  10. Click Next to display the Summary page. Review the information and, if necessary, use the Back button to make changes to the information on the Summary page.

  11. (Conditional) Select Create as Sandbox, if you want to create the sandbox version of the policy.

  12. Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.

3.2.1 Rules for Workstations

Be aware of the following:

  • By default, all workstations are included.

  • For an indirect association, if an object is in both lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder.

  • If the closeness is the same, a workstation is directly added to Group A and Group B, and the Included List takes precedence.

    Excluded List

    Included List

    Result

    Workstation-A

    Workstation-B

    The policy is applied on all workstations except Workstation-A.

    Workstation Group-1

    Workstation-A

    The policy is not applied on any workstations in Workstation Group-1, except for Workstation -A.

    The policy is applied on workstations that are not contained in Workstation Group-1.

    Container-1

    Workstation Group-1 or Workstation-A

    The policy is not applied on any workstations in Container-1, except for Workstation Group-1 or Workstation-A.

    The policy is also applied on workstations that are not contained in Container-1.

3.2.2 Rules for Users

Be aware of the following:

  • By default, all users are included.

  • For an indirect association, if an object is in both the lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder.

  • If the closeness is the same, a user is directly added to Group A and Group B, and the Included List takes precedence.

    Excluded List

    Included List

    Result

    User-A

    User-B

    The policy is applied on all users except User-A.

    User Group-1

    User-A

    The policy is not applied on any users in User Group-1, except for User -A.

    The policy is also applied on users that are not contained in User Group-1.

    Container-1

    User Group-1 or User-A

    The policy is not applied on any users in Container-1, except for User Group-1 or User-A.

    The policy is also applied on users that are not contained in Container-1.

3.2.3 Implementing the Dynamic Local User Policy Without the Novell Client

To log a dynamic user with an e-directory account into a workstation using the Dynamic Local User policy:

  1. Install the ZENworks Adaptive Agent on the workstation.

  2. After successful installation, create a DWORD value AllowDLUWithoutNovellClient under the following registry key and set its data to 1:

    Windows XP (32-bit): HKEY_LOCAL_MACHINE\\SOFTWARE\\Novell\\NWGINA

    For this registry key to be effective, it is mandatory that you reboot the Windows XP device.

    Windows Vista (32-bit and 64-bit): HKEY_LOCAL_MACHINE\\SOFTWARE\\Novell\\Authentication

    Windows 7 (32-bit and 64-bit): HKEY_LOCAL_MACHINE\\SOFTWARE\\Novell\\Authentication

    This support is not available on managed devices running Windows Server operating systems.

    NOTE:In Windows Vista or Windows 7, if the initial login screen does not have an option to enter the username, then do one of the following:

    1. Enable the following setting from the Local Security policy:

      1. Launch secpol.msc.

      2. Navigate to Security Settings > Local Policies > Security Options.

      3. Enable Interactive Logon: > Do not display last user name.

      or

    2. Create the following registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] dontdisplaylastusername =dword:00000001

      For more information on the Registry key see, ZENworks 11 SP4 Registry Keys Reference.

  3. Create a user source on the ZENworks server, assuming the user source has one user with the credentials admin/novell.

  4. Log in to the workstation using user-source credentials (admin/novell).

    A Dynamic Local User account gets created.

    IMPORTANT:

    • If the DLU policy is created to take the credentials other than the user-source credentials, a DLU user fails to unlock the workstation.