Centralis Contex: The ConsoleOne Extensions for Thin Client Server Solutions

Novell Cool Solutions: Trench
By Ewen Anderson

Posted: 30 May 2001
 

Introduction

Centralis Contex is a set of snapins for ConsoleOne, Novell's administration software. It enables administrators to edit Windows NT Terminal Server / MetaFrame user environment settings from within the familiar Novell environment.

Many organisations have standardised on Novell's technologies for management solutions to take advantage of their market leading directory-enabled technology. Thin Client Server solutions such as Citrix MetaFrame and Microsoft Windows 2000 Terminal Services add an additional dimension, however, allowing delivery of this directory managed solution to thin client devices, and over slow communications links.

While it is possible to use the native administration consoles to manage the user settings for MetaFrame and Windows 2000 Terminal Services, there are three significant benefits to making these available within the Novell suite:

Firstly, it Simplifies the management of users, providing a consistent tool and interface from which to carry out administration tasks.

Secondly, it Standardises the process of managing users, automating many of the manual editing tasks, allowing multiple users to be selected and changed at the same time, and allowing template users to be created.

Finally, it Centralises change, using Novell's synchronising technology to store the users' settings in the NDS.

Feedback from some of the thousands of customers who use Centralis' previous snapin (TCS Snap-in for NWAdmin) has also led to the inclusion of a number of additional features which enhance the functionality of this product.

Please note that Centralis Contex for NT Domains is available as part of the Centralis Integration Toolset (bundled with Centralis AXE and Lyncx), as Centralis Contex (versions for Account Management and Account Management for Active Directory) or as individual platform releases.

Overview of Contex

Contex has been developed by Centralis as a snapin for Novell's ConsoleOne and provides support for both NT4 and Windows 2000, and Domain and Active Directory based environments.

Contex exposes Windows Terminal Server and MetaFrame user configuration settings via tabs in Novell's ConsoleOne editor. There are currently two versions of the software:

  • Contex for Account Management supports editing of user settings stored in the NT domain via Novell's NDS for NT, NDS Corporate Edition and Account Management.
  • Contex for ADSync supports editing of user settings stored in the Windows 2000 Active Directory via Novell's ADSync.

Both versions of the snapin offer feature enhancements over the previous version of the NWAdmin snapin. These enhancements include:

  • Multi-User Edit - Support for single and multi-user editing, with selection of fields to be affected by multi-user editing.
  • Append - Option to automatically append the username to the profile path etc. during creation from a template or multi-user editing.
  • Templates - Option to create Template users for all exposed settings. Associate alias container with template object.
  • User Alias - Option for automatic creation of a user Alias in a specified container during creation from a template or multi-user editing.
  • Interface - Pages designed to have a 'look and feel' similar to that of the Terminal Server user policy manager.

Key Product Features

Profile Page

This property page (see fig 1 below) lets you assign properties related to the user's Terminal Server environment, such as Profile Path and Terminal Server Home Directory settings. It also provides the option to Map Root the Home directory drive if required (this option is only applicable when mapping to a NetWare volume and requires the Novell Client for NT/2000 v4.80 or later).

User Profile Path

The user profile path is used to enter a network path used for Terminal Server logons only when enabling a roaming or mandatory user profile for a selected user.

The path you enter follows the form: \\servername\profilesfoldername\username. For example, \\puma\profiles\jeffho.

When assigning a mandatory user profile, open System in Control Panel to the User Profiles tab and copy a preconfigured user profile to the user profile path location. Then, rename the NTUser.dat file in the user profile as NTUser.man.

If you specify both a user profile path and a Terminal Server profile path, the user profile path is used for Windows NT logons and the Terminal Server profile path is used for Terminal Server logons. If you specify only a user profile path, that path is used for both Windows NT and Terminal Server logons.

If a Novell User Template that has a Terminal Server Home Directory and/or Profile Path specified is used to create a user, the Username is automatically appended during creation.

If the directory specified in the user profile path does not exist, it is automatically created the first time the user logs on.

The Terminal Server profile path is used for Terminal Server logons only.

Terminal Server Home Directory

An assigned home directory becomes a user's default directory for the File Open and Save As dialog boxes, for command prompt, and for all applications that do not have a defined working directory. Home directories make it easier for an administrator to back up user files and delete user accounts by collecting many or all of the files in one location.

Each user on Terminal Server should have a unique home directory on a server. This ensures that application information is stored separately for each user in the multi-user environment. The home directory can be a local directory on a user's computer or a shared network directory, and can be assigned to a single user or many users.

If the home directory specified is not NetWare based then you must manually create it and assign the correct rights.

Map Root

Selecting the Map Root option map roots the selected drive to the user's home directory on the designated NetWare Server. Once mapped, users cannot navigate above this directory.

For example, setting

Connect V
To \\puma\data\home\jeffho

and selecting the Map Root option map roots the V drive to the \\puma\data\home\jeffho directory. The user cannot then navigate up the directory tree from the jeffho directory back to a previous level, i.e. the home or data directories. (This requires the Novell Client for NT/2000 v4.80 or later.)

Additional Notes

If you specify only the home directory for Windows NT, that home directory is used for both Windows NT and Terminal Server logons.

If you specify only the Terminal Server home directory, the default home directory is used for Windows NT logons, and the specified home directory is used for Terminal Server logons.

Configuration Page

The second Contex page is the Config page which allows the editing of the individual user configuration settings. After changes have been made, they can be applied to the selected user/s by pressing either OK or Apply.

The full range of settings available from this page is described below.

Allow Logon to Terminal Server

To permit or deny the user to log on at the Terminal server, click to select or clear the Allow Logon to Terminal Server check box. A user's ability to log on can be disabled temporarily without deleting the user's account.

Make sure the Logon field has the Enabled option selected before setting the user's Terminal Server Login option.

Timeout Settings

These settings (specified in minutes) specify timeout intervals for a Terminal Server connection. The timeouts are:

Max Connection Time

Description: This setting specifies how long the user is allowed to be logged onto the server at one time. One minute before the connection timeout interval expires, the user is notified of the pending disconnection.

The user's session is disconnected or terminated, depending on the broken or timed-out connection action specified in the User Configuration dialog box.

This timer is not cumulative; every time the user logs on, the timer is reset.

Notes: If a connection duration is specified, the session is disconnected or terminated when the specified duration elapses. If No Timeout is selected, the connection timer is disabled.

Max Disconnection Time

Description: This setting specifies the maximum amount of time a disconnected session is retained in the disconnected state before the logon is terminated.

Notes: If a disconnect duration is specified, sessions in the disconnected state are terminated when the specified duration elapses. If No Timeout is selected, the disconnection timer is disabled.

Max Idle Time

Description: This setting specifies how long the session can remain idle (no keyboard or mouse activity) before the user's session is disconnected or terminated, depending on the broken or timed-out connection action specified in the User Configuration dialog box.

This timer is reset whenever there is keyboard or mouse activity on the user's client computer.

Notes: If an idle duration is specified, the session is disconnected or terminated when the specified interval elapses without any activity at the client. If No Timeout is specified, the idle timer is disabled.

Make sure the relevant (inherit user config) options are selected in the Citrix Connection Configuration Advanced Connection Settings window before setting the user's Timeout options.

Client Devices

These settings specify whether or not Terminal Server automatically re-establishes client device mappings at logon.

Connect client drives at Logon

Description: If selected, automatically reconnects to any mapped client drives.

Connect client printers at Logon

Description: If selected, automatically reconnects to mapped client printers.

Default to Main Client Printer

Description: If selected, forces the default client printer to be the Terminal Server default printer.

Notes: Make sure the relevant connection (inherit user config) box is selected in the Citrix Connection Configuration Client Settings window before setting the user's Connection option.

These options are supported for Citrix ICA-based clients only. For Microsoft Terminal Server Clients, use logon scripts to map drives and printers.

Initial Program

Specifies the program to be executed automatically when a user logs on to Terminal Server.

Command Line

Description: Program information for the application to be auto-started.

Notes: Enter text as you would type it at a command prompt.

Working Directory

Description: Working directory for the application to be auto-started.

Inherit Client Config

Description: Causes the logon process to use any initial program specified by the client.

Notes: The check box is selected by default, and must be "ON" before setting any Initial Program options.

Other Settings

A number of additional settings are available from Centralis Contex.

Broken or timed-out connection

Description: This selects the action taken when the user's session is disconnected due to a disconnect request, connection error, modem carrier drop, idle timeout or connection timeout.

Options:

  • Disconnected places the session in the disconnected state.
  • Reset terminates the session.

Notes: You can place the user session in a disconnected state or reset (terminate) the user session. If the user session is placed in a disconnected state, it will remain in that state until the session is reconnected or the disconnected session timer times out.

Reconnect sessions

Description: This selects which clients can reconnect to a disconnected session.

Options:

  • From Any Client reconnects the disconnected session for that user (no new logon) when the user logs on from any client.
  • Previous Client Only allows reconnection only when logging on from the client that the session was disconnected from; otherwise it starts a new logon session.

Notes: Note that sessions started at clients other than the system console cannot be connected to the system console, and sessions started at the system console cannot be disconnected.

This option is supported only for Citrix ICA-based clients that provide a serial number when connecting.

Modem Callback

Description: The client can be configured so that when a remote user dials in to a modem port, the application server dials the remote client back.

Options:

  • Disabled prevents callback.
  • Fixed Telephone Number dials a specified number.
  • Roving telephone number allows the user to specify a number.

Notes: These options are supported for Citrix ICA-based clients using ICA-Dialin only. Use Microsoft Remote Access Service (RAS) to configure callback options for Microsoft Terminal Server Clients.

Shadowing

Description: Shadowing allows a user to remotely monitor the on-screen operations of another user. Select Disabled to disable shadowing. Select Enabled to enable shadowing.

Options:

  • Input On allows the shadower to send mouse and keyboard data to the shadowed session.
  • Notify On requires the shadowed user to agree to be shadowed whenever another user attempts to shadow this user.

Notes: Note that sessions at the system console cannot be shadowed from other clients and the system console cannot be used to shadow other clients.

Shadowing is supported for Citrix ICA-based clients only.

Multiple user editing

If multiple users are selected and edited, Centralis Contex will display three pages, rather than the two used for single user editing. The additional page for multi-user editing provides an "Options" page. The Options page displays a tree containing all of the user settings which can be edited in the Profile and Config pages. Selecting attributes from this screen allows the administrator to select which attributes will be affected by the multi-user edit.

Below is the options page (fig 3) where the two settings Map Root on the Profile page and Disconnection Timeout settings on the Config page are selected. The administrator can change these settings and apply them to the selected users.

As an example, an administrator only wishes to change the Map Root setting, but wishes to change it for all users. All users can be selected within ConsoleOne, and the Contex tab selected. Contex will detect the multi-user edit operation, and offer the options screen. By selecting just the map root attribute, then editing this on the Profile page, the administrator can synchronise the single attribute across all the selected users, without changing any of their other personal settings.

Note that when Centralis Contex is first displayed, the Config and Profile page settings will all be disabled. The user must explicitly select, in the options page, which settings they wish to change.

The two options at the bottom of the page determine whether to append the user name to the Profile Path and to the home directory path. These two paths are the ones shown on the Profile page. This allows the base profile or home directory for the selected users to be specified; then, as the changes are processed, each user's Username is appended to the base path, so that the paths remain personalised.

On the profile screen, an alias container can also be specified. In this container, an alias of all of the selected users will be created (see Adding Thin Client Server Settings to User Templates for more information on alias container creation).

Fig 3

Adding Thin Client Server Settings to User Templates

Centralis Contex also enables administrators to set up and edit a single template object. Templates allow standard settings to be created and stored, and then applied automatically to all users created using the template.

All the standard settings are exposed via the standard two pages, however the Profile page has an additional setting. This setting will allow the user to associate an Alias container with the template, meaning that any users created using this template will have an alias automatically created in the specified alias container. Below is the template snapin profile page, with the additional alias container selection option. If a container is not specified then no alias will be created. For more information on the User Alias, please see The User Alias in Thin Client Server Environments, below.

Once a template object has been created, any users created using this template will have the respective Terminal Server settings. Also, the user's name will be appended to the profile path and local path if these paths were specified in the template object.

If a User Template is used to create a user, which has a Home Directory specified, both the Terminal Server profile and Terminal Server Home Directory paths will automatically use this path with the username appended.

The User Alias in Thin Client Server Environments

One feature of Contex is the ability to automatically create a user Alias in a specified context, whenever a user account is created. Note that an additional utility, Centralis Lyncx, has been created to create alias accounts for existing users (see below).

The Alias is used by administrators to deliver contextless login to Windows Terminal Server / MetaFrame environments, where users exist in multiple containers. Using the single sign on feature of the Citrix Feature Release 1 / XP client allows the Novell username and password to be passed into the session, but does not allow resolution across multiple contexts.

The following method can be used to deliver contextless login on a Terminal Server / MetaFrame environment. 

Steps

  1. Set up TSClientAutoAdminLogon
  2. Setup Alias users for all required users
  3. Limit the search for contextless login

TSClientAutoAdminLogon

The Novell Client supports login by a Terminal Server user passing their Username & Password into the session, e.g. using the single sign on feature of the Feature Release 1 Citrix client.

To set this up, the following entries should be added to the registry:

HKLM\Software\Novell\Login
REG_SZ TSClientAutoAdminLogon    = 1
REG_SZ DefaultLocationProfile      = LocationProfile

LocationProfile = The Name of the Location Profile to be used e.g. Default

Some changes also need to be made to the Location Profile which is to be used. In Novell Client Properties:

Select the Location Profiles tab
Select Default or other as specified above.
Select Properties
Select Properties again
Deselect Save profile after successful login 
(this prevents the context being changed in the profile when a user logs in)
Select the NDS tab
Enter the Tree and Context required

Using this method the Username and Password can be passed into the session, and login will be successful, however this only works for a user in the context specified in the Location Profile.

The feature is therefore useful, but effectively limited to a single, specified context. 

Using Aliases

To overcome this limitation, it is possible to use a single container to store pointers to each user as an Alias object.

To achieve this:

  1. Create a new OU
  2. Use Centralis Lyncx to create an Alias object for all users, anywhere in the tree, who will be given access to login to Terminal Server 
  3. Set the context specified in the Location Profile above to this new OU.

Now when a username and password are passed into the session, the Novell Client will look for that name in the Alias list and, if found, it will log in that user successfully.

Limiting the search for the Normal Contextless Login

Aliases for users are picked up by the normal NWGINA contextless login feature, so to prevent users picking up their Alias on normal login, it may be necessary to prevent the OU created for the Aliases being searched.

There are two methods of achieving this: either by removing browse rights for the public object, or by limiting the containers searched.

It is possible to limit the contexts in which the contextless login feature will search by adding values to the registry. If no limits are specified, the search starts from the root of the tree, so the User object and the Alias will both be detected and the user will be offered them as a choice, although both will work.

The following are the entries that can be added to limit a search: 

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Graphical Login\NWLGE\LgnCL\CxPruning

In this key, create another key that is named exactly the same as the tree.

\Tree

Within this key, create a DWORD type value named exactly the same as the context to be searched. Set the contents of this value to specify the depth of the search:

0 = Search this context only. No sub-contexts.
0xFFFFFFFF = Search this context and all descendant contexts.

Any other value specifies how many levels of sub-contexts should be searched. If no values are defined within this key, no search will be performed for that tree.
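
The depth rules above can be checked before anything is written to the registry. The following is an added example, not code from Centralis or Novell: it tests whether a planned set of CxPruning values would still reach the alias OU and, if not, renders them as a REGEDIT4 file. The tree name, the context names and the typeless dotted naming (leaf first) are assumptions made for illustration.

```python
"""CxPruning planner: keep the alias OU out of every search, then emit .reg."""

# Registry path from the article; the tree name becomes a sub-key beneath it.
PRUNING_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Graphical Login"
               r"\NWLGE\LgnCL\CxPruning")
ALL_DESCENDANTS = 0xFFFFFFFF  # search this context and all descendant contexts


def _parts(context):
    """Split a dotted, leaf-first context such as 'Sales.Users.Acme'.
    Names are lower-cased because NDS names compare case-insensitively."""
    parts = [p.strip().lower() for p in context.strip(".").split(".")]
    if not all(parts):
        raise ValueError(f"malformed context: {context!r}")
    return parts


def is_searched(target, search_context, depth):
    """True if container `target` falls inside the search rooted at
    `search_context` with the given DWORD depth."""
    if not 0 <= depth <= ALL_DESCENDANTS:
        raise ValueError(f"depth {depth!r} does not fit in a DWORD")
    t, s = _parts(target), _parts(search_context)
    if len(t) < len(s) or t[len(t) - len(s):] != s:
        return False                  # target is not at or below the root
    levels_below = len(t) - len(s)    # 0 means the search context itself
    return depth == ALL_DESCENDANTS or levels_below <= depth


def exposing_entries(alias_ou, pruning):
    """Return the planned contexts whose search would still reach alias_ou."""
    return [ctx for ctx, depth in pruning.items()
            if is_searched(alias_ou, ctx, depth)]


def _quote(text):
    """Escape backslashes and double quotes for a .reg value name."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def build_reg(tree, pruning, alias_ou):
    """Render the CxPruning values as REGEDIT4 text, refusing any plan that
    is empty (no search at all) or that still searches the alias OU."""
    if not pruning:
        raise ValueError("no values defined: no search would be performed")
    bad = exposing_entries(alias_ou, pruning)
    if bad:
        raise ValueError(f"alias OU {alias_ou!r} is still searched via {bad}")
    lines = ["REGEDIT4", "", f"[{PRUNING_KEY}\\{tree}]"]
    lines += [f'"{_quote(ctx)}"=dword:{depth:08x}'
              for ctx, depth in pruning.items()]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    sample = {"Users.Acme": ALL_DESCENDANTS, "Staff.London.Acme": 0}
    print(build_reg("ACME_TREE", sample, "TSAliases.Acme"))
```

A plan that lists the organisation root with any depth of 1 or more is rejected when the alias OU sits directly beneath it, which is the case the section warns about.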

Centralis Lyncx

Centralis Lyncx (Locate Your Novell Context) is a companion utility which simplifies and accelerates the process of creating Aliases for multiple users. It allows administrators to select items and drag and drop them into a container, automatically creating Aliases for them.

Although Centralis Contex provides the facility to create an alias automatically for each user from the template, Lyncx can be particularly useful where large numbers of existing users need to be set up with an alias user.

  • Automated Alias Creation - Centralis Lyncx significantly reduces the time required to create multiple Alias accounts.
  • Flexible User Selection - Centralis Lyncx supports selection of users by name, group or container.

It should be noted that Centralis Lyncx was created by Centralis as an in-house administration tool. While it has been used and tested by Centralis, we have made it available as a free download, and it has therefore not been subject to the full quality control associated with our commercial software releases. Users are therefore advised to test the software against a development tree before using it to manage their live environment.

Creating Alias Accounts for Multiple Users

  1. Load Centralis Lyncx
  2. Select the users, Tree, container or group
  3. Drag it into the Alias container
  4. Aliases are automatically created for all users within the specified selection.
  5. Repeat Drag and drop for each additional selection required.

How Centralis Lyncx Works

For more information, contact ewen_anderson@centralis.co.uk

