Using ZENworks Workstation Manager to Manage Local User Accounts

To run thin-client applications on a terminal server, users need to have local user accounts on the terminal server. You can use Workstation Manager (installed with the Desktop Management Agent) and user policies to dynamically manage terminal server user accounts. If you plan to use Workstation Manager, complete the tasks in the following sections. If you don't plan to use Workstation Manager, see Using Non-ZENworks Methods to Manage Local User Accounts for other user management possibilities.


Installing the Novell Client and Desktop Management Agent

You must install the Novell Client and the Desktop Management Agent on each terminal server where you want ZENworks to dynamically manage terminal server accounts.

The Desktop Management Agent includes the Workstation Manager component that dynamically creates local user accounts on the terminal server. The Management Agent uses the Novell Client to authenticate to Novell eDirectory and access the Dynamic Local User policy.

  1. Download the Novell Client 4.9 SP1 (or later) from the Novell Download Web site and install the client on the terminal server.

  2. Install the Desktop Management Agent, making sure to install the Workstation Manager and Application Management components; the other components are optional.

    For information about installing the Desktop Management Agent, see Installing and Configuring the Desktop Management Agent.


Setting Up Workstation Manager

ZENworks Desktop Management includes Novell eDirectory user policies that enable you to easily manage local user accounts and profiles on terminal servers. Workstation Manager, running on the terminal server, applies the policies when a user logs in to the terminal server. This section helps you ensure that Workstation Manager is installed and configured correctly. Information about creating and using user policies is provided in Setting Up Dynamic Local User Accounts and Profiles.

Workstation Manager is installed as part of the Desktop Management Agent installation. You can verify that Workstation Manager is installed and running on the terminal server by checking for the Workstation Manager service in the Services window.

If you have multiple eDirectory trees, you should also make sure Workstation Manager is configured to read the eDirectory tree where your User objects reside. To do so:

  1. Click the Start menu > Settings > Control Panel > Network Identity.

  2. In the Novell Network Identity dialog box, click Settings.

  3. Verify that the Enable Workstation Manager box is selected and that the tree is set correctly.

  4. (Optional) Verify the Tree value in the Windows registry, underneath the HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\Workstation Manager\Identification key.


Configuring Passthrough Authentication

To simplify the process of launching terminal server applications, ZENworks Desktop Management provides passthrough authentication. With passthrough authentication, a user is not prompted for a username and password when he or she launches a terminal server application as long as the user's eDirectory account and Windows user account have the same username and password.

By default, passthrough authentication is configured automatically during installation of the Desktop Management Agent to the terminal server. However, to verify that configuration occurred correctly, we recommend you do the following:

  1. Turn on the terminal server's Use Client Provided Logon Information setting and turn off the Always Prompt for Password setting:

    1. At the terminal server, click Start > Programs > Administrative Tools > Terminal Services Configuration.

    2. Double-click a connection type (the default is RDP-Tcp) to enter the properties.

    3. In the Logon Settings tab, select the Use Client Provided Logon Information setting and deselect the Always Prompt for Password setting.

    4. Repeat for each connection type.

  2. Check the default profile configuration for the terminal server's Novell Client:

    1. At the terminal server, right-click the Novell icon (N icon) in the status area of the taskbar, then click Novell Client Properties.

    2. Click the Location Profiles tab.

    3. In the Location Profiles list, select Default, then click Properties to display the Location Profiles Properties dialog box.

    4. Select Login Service in the Service list, select Default in the Service Instance List, then click Properties to display the Novell Login dialog box.

    5. Deselect (turn off) the Save Profile After Successful Login option.

    6. Click the NDS tab.

    7. In the Tree field, select the eDirectory tree where the thin-client applications are configured as Application objects.

    8. Delete any information from the Context and Server fields.

    9. To save the configuration settings, click OK until you've closed all dialog boxes.
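
The checks from Setting Up Workstation Manager and from step 1 of the passthrough procedure can be audited from a script. This is an added example, not part of the original ZENworks documentation; the tree name is a placeholder, and the mapping of the two Logon Settings options to the fInheritAutoLogon and fPromptForPassword registry values under the WinStations key is an assumption the page does not state.

```powershell
# Added example: read-only audit; it changes nothing on the terminal server.
$ExpectedTree = 'EXAMPLE_TREE'   # placeholder: the tree that holds your User objects

function Get-WorkstationManagerFindings {
    param([string]$Tree)
    # Display name as shown in the Services window.
    $svc = Get-Service -DisplayName 'Workstation Manager' -ErrorAction SilentlyContinue
    if (-not $svc) { 'Workstation Manager service not found' }
    elseif ($svc.Status -ne 'Running') { "Workstation Manager service is $($svc.Status)" }

    # Tree value under the Identification key from the optional registry step.
    $key = 'HKLM:\SOFTWARE\NOVELL\Workstation Manager\Identification'
    $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Tree
    if (-not $actual) { "No Tree value under $key" }
    elseif ($actual -ne $Tree) { "Tree is '$actual', expected '$Tree'" }
}

function Get-LogonSettingFindings {
    # Assumption: each connection type is a subkey here, and the two Logon
    # Settings options are the DWORD values read below.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    foreach ($conn in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        if ($conn.PSChildName -eq 'Console') { continue }   # not a remote connection type
        $p = Get-ItemProperty -Path $conn.PSPath
        if ($p.fInheritAutoLogon -ne 1) {
            "$($conn.PSChildName): Use Client Provided Logon Information is off"
        }
        if ($p.fPromptForPassword -eq 1) {
            "$($conn.PSChildName): Always Prompt for Password is on"
        }
    }
}

$findings = @(Get-WorkstationManagerFindings -Tree $ExpectedTree) + @(Get-LogonSettingFindings)
if ($findings.Count -eq 0) { 'All checked settings match the procedure.' }
else { $findings }
```

Run it from an elevated session on each terminal server; any line it prints names a setting that differs from what the procedure above expects.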


Setting Up Dynamic Local User Accounts and Profiles

After you have installed and configured Workstation Manager on your terminal servers, you need to enable and configure the policies that control local user accounts. In addition, you can configure user profiles specific to the terminal server. The following sections provide instructions.


Creating a User Policy Package

You use the Windows 2000-2003 Terminal Server policies, available in a User Policy package, to manage dynamic local user accounts and roaming user profiles. You can use an existing User Policy package, or you can create a new User Policy package specifically for Windows 2000-2003 Terminal Server policies. If you already have a User Policy package that you want to use, skip to Configuring Dynamic Local User Accounts. Otherwise, complete the following steps to create a User Policy package:

  1. In ConsoleOne, right-click the container where you want to create the User Policy Package object, click New, then click Policy Package to display the Policy Package Wizard.


    [Figure: Policy Package Selection page in the Policy Package Wizard]

  2. In the Policy Packages list, select User Package, then click Next.


    [Figure: Policy Package Name page in the Policy Package Wizard]

    The package object's name must be unique within the container where it is created. If you plan to create multiple User Policy packages, you might want to use a more descriptive name, such as Win2000-2003 TS User Package. Or, you might want to create the policy in the same container where the policy's users reside.

  3. If necessary, change the package's object name and the container where it will be created, then click Next.


    [Figure: Summary page in the Policy Package Wizard]

  4. In the Summary page, select Define Additional Properties, then click Finish to create the User Package object and display the object's property pages.


    [Figure: General Policies page on a User Package object]

  5. Click the Policies tab, then click Windows 2000-2003 Terminal Server to display the Windows 2000-2003 Terminal Server policies page.


    [Figure: Win2000 Terminal Server Policies page on a User Package object]

  6. Continue with the next section, Configuring Dynamic Local User Accounts.


Configuring Dynamic Local User Accounts

You use the Dynamic Local User (DLU) policy to configure how Workstation Manager creates user accounts on the terminal server.

  1. In the Windows 2000-2003 Terminal Server Policies page, select the check box to the left of the Dynamic Local User Policy to enable the policy, then click Properties to display the Dynamic Local Users property page.


    [Figure: Dynamic Local Users property page]

  2. Configure the following fields:

    Enable Dynamic Local User: Select this option to enable Workstation Manager to dynamically create user accounts.

    Manage Existing User Account (if any): If you want Workstation Manager to apply the DLU policy to existing user accounts, select this option. Otherwise, the DLU policy applies only to new user accounts.

    Use eDirectory Credentials: Select this option to use eDirectory usernames and passwords for the local user accounts. With the user's eDirectory and Windows credentials synchronized and seamless authentication configured (see Configuring Passthrough Authentication), the user is not prompted for any credentials when launching a thin-client application from a terminal server.

    Volatile User (Remove User after Logout): Select this option if you want a user's account removed after the user exits the thin-client application and the session is closed. All user account information is removed. If you want to retain user profiles, you can configure terminal server user profiles. Instructions are provided in the next section, Configuring Terminal Server User Profiles.

    Member Of/Not Member Of: In the Not Member Of list, select the group (or groups) that you want users made members of, then click Add. Group membership determines a user's access rights on the terminal server. If none of the groups listed provides the exact file system rights you want assigned to user accounts, you can use the File Rights page (Dynamic Local User tab > File Rights page).

  3. Click OK to save your changes and close the Dynamic Local Users property page.

  4. Continue with the next section, Configuring Terminal Server User Profiles.


Configuring Terminal Server User Profiles

The Windows Terminal Server policy enables you to specify a network storage location for roaming user profiles. There are several advantages to using this policy: 1) It is applied only when a user logs in to a terminal server, through either a remote or a local session. 2) It contains other configuration settings you can use to control client sessions.

Using this policy for user profiles is the same as configuring the Terminal Services Profile properties page for a user account on a Windows terminal server.

To configure user profiles through the Windows Terminal Server policy:

  1. On the Windows 2000-2003 Terminal Server Policies page, select the check box to the left of the Windows Terminal Server Policy to enable the policy, then click Properties to display the policy's property pages.

  2. Click the Terminal Configuration tab, then click Login to display the Login page.


    [Figure: Login page for the Windows Terminal Server policy]

  3. Enable the Inherit Client Configuration option.

    IMPORTANT:  If you don't enable this option, when a user launches a terminal server application, the policy causes the session to open to the terminal server's desktop rather than the launched application.

  4. In the Terminal Server Profile Path field, type the path to the network location where you want profiles stored. Keep in mind the following:

    • Make sure you use the %username% variable to ensure that each user's profile is saved to a separate directory. For example:
      \\server\vol1\profiles\%username%

      Using the above path, the profile for user jsmith would be saved to the following location:

      \\server\vol1\profiles\jsmith
    • Make sure the user's profile directory already exists. In the above example, \\server\vol1\profiles\jsmith must already exist for jsmith's profile to be saved there.
    • Make sure the user has rights to his or her profile directory. If the profile directory is on a NetWare® server, you can assign rights through eDirectory. If the profile directory is on a Windows server, you must assign share rights through the user's Windows account.
  5. Click OK to save your changes and close the Windows Terminal Server property pages.

  6. Continue with the next section, Associating the User Package with Users.
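
The profile path requirements in step 4 (one directory per user, created in advance, with rights for that user) can be met with a provisioning script when the profile directory is on a Windows server. This is an added example, not part of the original ZENworks documentation; the account domain, the user list and the function name are placeholders, and it sets NTFS permissions on each directory only, so share-level rights are still assigned separately.

```powershell
# Added example: pre-create one profile directory per user and restrict it to
# that user, Administrators and SYSTEM. Run with administrative rights.
$ProfileRoot = '\\server\vol1\profiles'   # root of the example path in step 4
$Domain      = 'EXAMPLEDOM'               # placeholder: where the Windows accounts live
$Users       = @('jsmith')                # constructed sample list

function New-ProfileDirectory {
    param([string]$Root, [string]$Domain, [string]$User)

    # Reject names that could resolve outside the profile root (for example "..").
    if ($User -notmatch '^[A-Za-z0-9_-][A-Za-z0-9._-]*$') {
        throw "Unexpected characters in username '$User'"
    }

    $path = Join-Path $Root $User
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Stop inheriting from the parent and discard the inherited entries, so
    # other users with rights on the root cannot read this profile.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in "$Domain\$User", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    $path
}

foreach ($u in $Users) {
    New-ProfileDirectory -Root $ProfileRoot -Domain $Domain -User $u
}
```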


Associating the User Package with Users

You must associate the User Policy package with users before it will take effect.

  1. If the User Package object's property page is not open, right-click the User Package, then click Properties.

  2. Click the Associations tab to display the Associations page.


    [Figure: Associations page on the User Package object]

  3. Click Add, then browse to and select the users you want the policy package applied to. You can add users, user groups, or containers.

  4. When you've finished adding users, click OK to save your information.