Understanding the Search Policy

A search policy governs the behavior of the ZENworks for Desktops 4 agents as they search for user and workstation policies. With all of the ZENworks for Desktops 4 agents, there can be some significant walking of the tree as it searches for the policies of the identified user and workstations, especially if the tree is deep. This is the reason why ZENworks for Desktops 4 has this search policy.

Often the performance of your network searching with ZENworks for Desktops 4 is not an issue until you cross a partition boundary. When you cross a partition boundary, the system must make a connection and authenticate to another server. This is particularly time-consuming should the system need to cross a WAN link.

The search policy tells the ZENworks for Desktops 4 agent how far up the tree it should search and what order (object, group, container) should be followed to find the policies.

TIP

The search order is significant, because often the first policy found governs the behavior of the system.

The Search Level Tab

This tab on the Search Policy window (see Figure 10.2) enables the administrator to identify how far up the tree the ZENworks for Desktops 4 agents should travel in their search for policies.

The following fields can be administered in the search level features on the Search Level tab:

• Search for policies up to This field enables you to specify the container in the tree at which searching will complete. The choices that can be made through the drop-down list may be any of the following:

  • [Root] Search up to the root of the tree.

  • Object container Search up to the container that holds the object that is associated with the policy. For example, if you were searching for a User Policy Package, the object container would be the context of the user object.

  • Partition Search up the tree to a partition boundary. Crossing a partition boundary causes connections to other systems in the tree. This option is available for performance considerations.

  • Selected container This searches up to the specified container. When this option is chosen, the selected container field is activated and you can browse in this field to the desired container.

• Search level This field enables you to specify an additional level of container beyond that given in the search for policies up to field. A search level value of 0 causes searches to be limited to the specified container. A search level of a positive numerical value enables searching the number of containers specified. Should the search level be a negative number, the search proceeds at the specified level minus the number specified. For example, if the object container value were selected, the object is in the Provo.Utah.Novell container, and the search level is 0, the searching stops at the Provo.Utah.Novell container. If the search level is 2, the searching continues to the Novell container. If the search level is 1, no policy will be found because the object container is already above the search level.

At first it might not be apparent why a negative search level exists, but this value does have a purpose. Suppose that your tree is set up as Organization.Region.Company, whereby the organization is the container that is given to each organization in the company, and the region represents the area of the company. Now suppose that you want policies to be effective only for each organization. You could set up one single search policy at the Region.Company level with a selected container as Region.Company and a search level of 1. This would enable each organization to have a customized policy and ensure that no one organization's policies impact another's, because the search would stop at the organization level.

The Search Order Tab

This tab enables the administrator to identify the order that the agents should look for policies. The default order is always object, group, and then container. This policy enables the administrator to change this order.

You can modify the search order by selecting the item in the search order list and then using the up or down arrows to rearrange the list. Pressing the Remove button removes the selected order. Pressing the Add button adds that search order item, if any have been previously deleted.

TIP

Because the first policy that is found has the greatest significance in the behavior of the system, you should be sure that you have the order set (from top to bottom) in the way that you want to find that first policy.

You should be aware of when it is a good idea to use the search order policy. Because many ZENworks for Desktops 4 features stop walking up the tree when a policy is found, it would be wise to make policies search in order of object, container, and then group. This is because the proximity of these objects in the tree is always going to be closer to the partition on the server. The object is, obviously, always the closest in the tree to the workstation or user object. The container is the next closest in the tree-walking scenario because the container must be known in order for the object to be found in the tree. Consequently, the container is very close in the local replica to the object. Groups, however, can be stored in any container and they could be in a completely different part of the tree than the object.

Therefore, the amount of tree walking with a group can potentially be significant. Any significant walk of the tree has a corresponding performance cost, and you should consider this as you manage your tree and search policies.

The Refresh Interval Tab

The Refresh Interval tab on the Search Policy window enables the administrator to identify whether the policy manager should refresh the set of policies from eDirectory and how often to check eDirectory for new or changed policies. The policy manager in ZENworks for Servers is an agent that resides on the server and is responsible for getting ZENworks for Servers policies and enforcing them on the server. An option on the Refresh Interval tab gives this refresh interval configuration to this agent. If the check box is disabled, meaning the agent should not refresh from eDirectory, the agent gets the policies only at initialization time, or should the server or the agent be restarted. If the check box is enabled, the agent checks for any changes or new policies every time the interval has passed.

This same behavior is also available in Workstation Manager, the agent that enforces policies on the workstation. It also looks for new policies and scheduled actions, and only does that at boot time and at identified intervals.

NOTE

The workstation manager interval is specified in the Workstation Policy Package under the NT/2000 client configuration and 95/98 client configuration policies.