Been a while, I have been made aware of an issue with DLU in AD environments causing problems, especially so with new PCs in the Active Directory. Perhaps I'm not searching properly so perhaps this fix is documented elsewhere, but I found a solution. Hardly a fix, more following a convention.
We use in some environments DLU. This is to allow users to login with a controlled desktop and to access secure Citrix apps external to our own environment.
I came across a problem where DLU would not work - I was under the opinion it does. In a meeting a colleague said that DLU was always a problem on Active Directory workstations.
Really? I didn't seem to think so. After a bit of debate I attempted to prove him wrong.
In typical fashion I failed miserably.
However I did succeed - here's how.
When you try to login with the DLU account, it stops at the next login screen.
I discovered that a specific DLU account we use for unlocking PCs was fine. Why was this, was there something different?
I was rather annoyed as I had got this working in the past.
I noticed a lot of people have been grumbling on the internet about this. I saw one suggestion of creating local accounts on every PC, which is a bit excessive and a lot of work to manage.
In my environment there is a transition to ensure that complex passwords are used. The Active Directory has the settings already. An argument is where AD is not used, complex passwords are still used - makes perfect sense to me?
I discovered that when I created a test account and bolted on a DLU it did not work. You don't need the equivalent account creating in the AD. But this creates the clue. If you create an AD account it will work and create the DLU - why?
This is total nonsense, you don't need the Active Directory account. What became apparent was that both accounts have a complex password. In reality if you attempt to login with an eDirectory account onto a Active Directory PC with DLU, if the Password does not conform to the Active Directory password policy, it won't work.
I created a new account eDirectory account, set password as something simple - fails.
I reset the accounts eDirectory password to a more complicated one - works.
I created a new account, set password to a more complicated one - works.
The account with the DLU we use to unlock accounts has guess what - a complicated password. Irrespective if there is an Active Directory account, if a user move has a normal account with AD, and moves to a context that has DLU in place, the login will bypass AD entirely.
In a nutshell if your entire organisation has Active Directory but there is a need in some cases to have DLU, provided your NDS passwords conform to whatever standard is set in your AD, it will work every time on every Active Directory PC.
It makes sense as one department we have all the users created with DLU, but when created we do so with complicated passwords. Our helpdesk when enabling the accounts, advise the users the prudence of using complicated passwords. Something must be working otherwise they would not be able to get in.
Hope this helps someone.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.