Dynamic Local User Policy

Often, several users within a company have access to shared Windows NT workstations, and it would be an administrative nightmare to have to keep up accounts for all users of these shared systems. Consequently, ZENworks for Desktops 4 can dynamically create accounts on the local NT workstation while the user is logging into the system. The local account is literally created at login time.

By having the system automatically create the account at the time that the user is authenticated to the Novell Directory Services tree, any of these users can log into any Windows NT workstation and have a local account automatically created on that workstation. To prevent the system from allowing any user to log into a specific workstation, you can administer the Restrict Login Policy in the Windows NT specific Workstation Policy Package. The Restrict Login Policy allows you to specify which users can log into the specific workstation. Figure 8.11 displays the dynamic local user policy page.

NOTE

This policy option is available on all platforms excluding Windows 95-98.

The NDS Rights, Other, and Rights to Files and Folders pages are described in the "Creating a User Policy Package" section earlier in this chapter.

Checking the Enable Dynamic Local User option allows the system to start creating accounts on the local system. The following options can be set in this policy:

• Manage Existing NT Accounts (If Any) This option allows the ZENworks for Desktops 4 agents to manage a previously existing account for this user through the Dynamic Local User system. Any previously generated accounts are subject to the properties that you administer in this policy.

• Use NetWare Credentials The system uses the Novell Directory Services password as the password for the local account.

• Volatile User (Remove NT User After Logout) This check box is accessible only if you have previously checked the Use NetWare credentials box. This check box enables the system to remove the local account that was used for the dynamic user when the user logs out of the system. This feature in conjunction with the Manage Existing NT Account (If Any) option causes a previously created local account to become volatile and to be removed when that person logs out of the workstation.

• NT Username This field is accessible only if the Use NetWare Credentials option is disabled. The system uses the specified name for the local account when any Novell Directory Services user logs into the system.

• Full Name This field is accessible only if the Use NetWare Credentials option is disabled. The system uses the specified full name for the local account when any Novell Directory Services user logs into the system.

• Description This field is accessible only if the Use NetWare Credentials option is disabled. The system uses the given description for the local account when any Novell Directory Services user logs into the system.

• Member of/Not Member of These lists allow you to specify which local accounts, created or used for these users, are members of which local NT groups.

• Custom This button allows you to create new custom groups in order to make the dynamic local users members of these groups.

If the NetWare credentials are not used for the Dynamic Local User policy causing the NT username, full name, and description to be used this account will always be volatile and will be created and then removed each time a user logs into and out of the workstation.

Additionally, if any password restrictions (including minimum password age or length or uniqueness) have been placed in the local workstation policy, the Dynamic Local User system is not activated for that workstation. A dialog box notifying the user that Dynamic Local User features have been disabled is displayed whenever anyone attempts to log into the workstation.