User Extensible Policies

This policy option is available across all platforms.

Microsoft has required that software packages that bear the Windows approved logo provide capabilities to be configured through .POL files. The poledit program allows you to edit these "extensible policies" and include them in the system .POL file. ZENworks also allows the policies that are stored in NDS to accept these additional extensible polices and provide them to all of the users who are associated with these policies.

The User Extensible policy allows you to import these special .ADM files into the NDS tree and have them administered and dispersed to the users associated with the policy package. Once these .ADM files have been imported into the tree, they can be administrated and associated to users in the NDS tree. These settings are applied like the User System Policies.

User Extensible Policies Page

When you first bring up the User Extensible Policies dialog box, you are presented with the User Extensible Policies page. An example of this page is displayed in Figure 8.10.

Figure 8.10. User Extensible Policies page of the User Extensible Policies policy.

graphics/08fig10.jpg

This page is split into three areas: ADM files, Policies, and the policy-specific window in the bottom-right corner.

The files in the ADM file list are the policies that are applied to the users associated with this policy. To add a policy file to the list, use the Add button. You are presented with a file dialog box where you can browse and select the file. Remember that this file should reside on the server, as it is stored there for retrieval by the policy managers. When you browse and select a file, make sure it is on the server, and that the drive that you use is mapped correctly for all users who are associated with the policy. You can enter a UNC path in the filename field of the dialog box and thereby get a UNC path for the ADM file; however if you browse and then select, the program puts a drive letter into the path, thus necessitating that each user has the same drive mapping.

When this policy is initialized, four .ADM files are automatically pulled in by the plug-in into ConsoleOne. These include ADMIN.ADM, COMMON.ADM, WINNT.ADM, and ZAKWINNT.ADM. Each of these files is stored in the ConsoleOne\bin\zen\admfiles directory and is considered the default package.

NOTE

The .ADM file must be stored on a server that users can access. The policy references the .ADM file and needs to retrieve it to apply it to the users and to allow the administrators to modify the settings. It's recommended, therefore, to use a UNC path in specifying the location of the file.


You delete the .ADM file from the applied set by selecting the file and pressing the Remove button.

NOTE

Other .ADM files are available depending on which version of Windows you are running on your workstation. For example, Windows 2000 clients also include SYSTEM.ADM; there is an INETRES.ADM file for restricting Internet Explorer.


You can also modify the settings of the .ADM files by selecting the file in the ADM files windows. When you select the file, its Registry content is displayed in the Policies window. The user interface for this window mimics the poledit program available from Microsoft. The small window underneath the Policies box displays information about the selected Registry setting along with any categories that are available for the specific key. Selecting the key in the policies window populates the details fields.

You can browse through the ADM files and turn on, turn off, or leave as set in the Registry (unchecked and grey) for each of the keys as you would in the poledit program. Once you have made your changes, choose Apply or OK to update the ADM files on the server.

The NDS Rights, Other, and Rights to Files and Folders pages are described in the "Creating a User Policy Package" section earlier in this chapter.

The Policy Schedule Page

The Policy Schedule page enables you to customize (outside of the package default schedule) when you want the ADM files applied to the workstation/desktop of the user.

This page enables you to select when the package should be applied: Event, Daily, Weekly, Monthly, or Yearly.

Once you have selected when you want the package applied, you have additional fields to select in the lower portion of the screen. The following sections discuss these options.

Event

When you choose to have the ADM files applied when a certain event occurs in the workstation, you also need to select which event affects the changes.

The events that you can select include the following:

  • User Login This causes the policies to be applied when the user logs into the system. This happens after the user enters a username and password, but before the desktop appears and the user login scripts have started.

  • User Desktop Is Active This runs the policies after the user has logged into the system and all login scripts have been completed, but before the desktop is displayed. This is available with Windows NT/2000 only.

  • Workstation Is Locked This causes the policies to be applied when the workstation is locked (such as when the screen saver is activated and is locked awaiting a password). This is available with Windows NT/2000 only.

  • Workstation Is UnLocked This runs the policies when the workstation becomes unlocked, after the user has supplied the password to unlock the system. This is available with Windows NT/2000 only.

  • Screen Saver Is Activated This runs the policies when the screen saver is activated on an idle system.

  • User Logout This applies the policies when the user logs out of the system.

  • System Shutdown This applies the policies when a system shutdown is requested.

Daily

When you choose to have the ADM files applied daily on the workstation, you have to select when the changes are made.

This schedule requires that you select the days when you want the policy applied. You select the days by clicking on the days you desire. The selected days appear as pressed buttons.

In addition to the days, you can select the times the policies are applied. These times, the start and stop times, provide a range of time when the policies are applied.

To keep all workstations from simultaneously accessing the servers, you can select the Randomly Dispatch Policy During Time Period option. This causes each workstation to choose a random time within the time period when they retrieve and apply the policy.

Weekly

You can alternatively choose that the policies be applied only weekly.

In the weekly screen, you choose on which day of the week you want the policy to be applied. When you select a day, any other selected day is unselected. Once you have selected the day, you can also select the time range when the policy may be applied.

To keep all workstations from simultaneously accessing the servers, you can select the Randomly Dispatch Policy During Time Period option. This causes each workstation to choose a random time within the time period when they retrieve and apply the policy.

Monthly

Under the monthly schedule, you can select on which day of the month the policy should be applied, or you can select the last day of the month to handle the last day because all months obviously do not end on the same calendar date.

Once you have selected the day, you can also select the time range when the policy is applied.

To keep all workstations from simultaneously accessing the servers, you can select the Randomly Dispatch Policy During Time Period option. This causes each workstation to choose a random time within the time period when it will retrieve and apply the policy.

Yearly

Select a yearly schedule when you want to apply the policies only once a year.

On the yearly page, you must choose the day that you want the policies to be applied. You do this by selecting the Calendar button to the right of the Date field. The monthly dialog box appears. Browse through the calendar to select the date you want to choose for your policies to be applied. This calendar does not correspond to any particular year and might not take into account leap years in its display. This is because you are choosing a date for each year that comes along in the present and future years.

Once you have selected the date, you can also select the time range when the policy is applied.

To keep all workstations from simultaneously accessing the servers, you can select the Randomly Dispatch Policy During Time Period option. This causes each workstation to choose a random time within the time period when they will retrieve and apply the policy.

Advanced Settings

On each of the scheduling pages you have the option of selecting the Advanced Settings button, which allows you some additional control on the scheduled action that is placed on each user's workstation. Pressing the Advanced Setting button gives you a dialog box with several tabs to set the specific details of the schedule.

When first displayed, the Completion tab is activated. The following sections describe each field on the tabs and how it relates to the action.

Completion

The Completion tab allows you to specify what should happen on the workstation once the scheduled action has completed. You can choose any of the following:

  • Disable the Action after Completion This prevents the action from being rescheduled after completion. If you decide that the policy should be applied every hour, choosing this turns off that action. The policy will not be reapplied. This rescheduling only occurs and is reset when the user logs off and back onto the system.

  • Reboot After Completion This causes the workstation to reboot after applying the policies.

  • Prompt the User Before Rebooting This allows the user to be prompted before rebooting. The user can cancel the reboot.

Fault

This tab allows you to specify what should occur if the scheduled action fails in its completion.

The following choices are available to failed actions:

  • Disable the Action This results in the action being disabled and not rescheduled or rerun.

  • Retry Every Minute This attempts to rerun the action every minute despite any schedule specified in the policy.

  • Ignore the Error and Reschedule Normally This assumes that the action ran normally, and reschedules the action according to the policy.

Impersonation

These settings allow you to specify the account that should be used when running the action.

The following choices are available for the user type that is used to run the scheduled item:

  • Interactive User This option runs the action with the rights of the currently logged in user. This should be used if it is acceptable to run this action and not have access to the secure portions of the Registry, because most local users do not have access to the secured portions of the Registry or file system.

  • System This option runs the action in the background with administrative privileges. This impersonation level should be used only if the action has no user interface and requires no interaction with the user.

  • Unsecure System This option runs the action as a system described above, but allows user interaction. This is available only on Windows NT and 2000 and should be used carefully because NT does not normally allow a cross-over between user and system space.

Priority

This tab allows you to specify at which level you want the action to run on the workstation.

The following choices are available within the priority schedule:

  • Below Normal This schedules the actions at a priority that is below the normal user activity. This level does not interfere with the behavior of the system and gives the user a normal experience.

  • Normal This schedules the action at the same level as any user activity. This can cause the workstation to perform at a slower level because the service is competing with the user for resources.

  • Above Normal This level schedules the action at a higher priority than the user requests and results in being completed before user activity, such as mouse and keyboard input, is serviced by the system. Using this level allows the action to be completed faster; however, it can impact the user by resulting in slow performance on the client.

Time Limit

This tab of the scheduled advanced settings allows you to specify how long the service should be allowed to run before it is terminated. You can use this option to protect yourself from having the action run for long periods of time on the workstation. This terminates the action, which might cause the action to not complete properly. This tab is not normally used because you usually want the action to complete.



Novell's ZENworks for Desktops 4. Administrator's Handbook
Novell ZENworks for Desktops 4 Administrators Handbook
ISBN: 0789729857
EAN: 2147483647
Year: 2003
Pages: 198
Authors: Brad Dayley

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net