15.2 Using ZENworks Workstation Manager to Manage Local User Accounts

To run applications on a terminal server, users need to have local user accounts on the terminal server. You can use Workstation Manager (installed with the Desktop Management Agent) and user policies to dynamically manage terminal server user accounts. If you plan to use Workstation Manager, complete the tasks in the following sections. If you don’t plan to use Workstation Manager, see Section 15.3, Using Non-ZENworks Methods to Manage Local User Accounts, for other user management possibilities.

15.2.1 Installing the Novell Client and Desktop Management Agent

You must install the Novell Client and the Desktop Management Agent on each terminal server where you want ZENworks to dynamically manage terminal server accounts.

The Desktop Management Agent includes the Workstation Manager component that dynamically creates local user accounts on the terminal server. The Management Agent uses the Novell Client to authenticate to Novell eDirectory™ and access the Dynamic Local User policy.

  1. Download the Novell Client 4.91 SP1 (or later) from the Novell Download Web site and install the client on the terminal server.

  2. Install the Desktop Management Agent, making sure to install the Workstation Manager and Application Management components; the other components are optional.

    For information about installing the Desktop Management Agent, see Section 12.0, Installing and Configuring the Desktop Management Agent.

15.2.2 Setting Up Workstation Manager

ZENworks Desktop Management includes eDirectory user policies that enable you to easily manage local user accounts and profiles on terminal servers. Workstation Manager, running on the terminal server, applies the policies when a user logs into the terminal server. This section helps you ensure that Workstation Manager is installed and configured correctly. Information about creating and using user policies is provided in Section 15.2.4, Setting Up Dynamic Local User Accounts.

Workstation Manager is installed as part of the Desktop Management Agent installation. You can verify that Workstation Manager is installed and running on the terminal server by checking for the Workstation Manager service in the Services window.

If you have multiple eDirectory trees, you should also make sure that Workstation Manager is configured to read the eDirectory tree where your User objects reside. To do so:

  1. Click the Start menu > Settings > Control Panel > ZENworks Agent Options.

  2. In the ZENworks Agent Options dialog box, click Settings.

  3. Verify that Enable Workstation Manager is selected and that the tree is set correctly.

  4. (Optional) Verify the Tree value in the Windows registry, under the HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\Workstation Manager\Identification key.

15.2.3 Configuring Passthrough Authentication

To simplify the process of launching terminal server applications, ZENworks Desktop Management provides passthrough authentication. With passthrough authentication, a user is not prompted for a username and password when he or she launches a terminal server application as long as the user's eDirectory account and Windows user account have the same username and password.

By default, passthrough authentication is configured automatically during installation of the Desktop Management Agent to the terminal server. However, to verify that configuration occurred correctly, we recommend you do the following:

  1. Turn on the terminal server’s Use Client Provided Logon Information setting and turn off the Always Prompt for Password setting:

    1. At the terminal server, click Start > Programs > Administrative Tools > Terminal Services Configuration.

    2. Double-click a connection type (the default is RDP-Tcp) to enter the properties.

    3. In the Logon Settings tab, select the Use Client Provided Logon Information setting and deselect the Always Prompt for Password setting.

    4. Repeat substeps 2 and 3 for each connection type.

  2. Verify the default profile configuration for the terminal server’s Novell Client:

    1. At the terminal server, right-click the Novell icon (N icon) in the status area of the taskbar, then click Novell Client Properties.

    2. Click the Location Profiles tab.

    3. In the Location Profiles list, select Default, then click Properties to display the Location Profiles Properties dialog box.

    4. Select Login Service in the Service list, select Default in the Service Instance list, then click Properties to display the Novell Login dialog box.

    5. Deselect (turn off) the Save Profile After Successful Login option.

    6. Click the NDS tab.

    7. In the Tree field, select the eDirectory tree where the terminal server applications are configured as Application objects.

    8. Delete any information from the Context and Server fields.

    9. To save the configuration settings, click OK until you’ve closed all dialog boxes.
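
The checks from Section 15.2.2 and Step 1 of Section 15.2.3 can also be read back from the command line. The following PowerShell audit is an added example, not part of the Novell documentation. It assumes PowerShell is installed on the terminal server, that the placeholder `EXAMPLE_TREE` is replaced with your tree name, and that the two Logon Settings options are stored as the `fInheritAutoLogon` and `fPromptForPassword` values under each WinStations connection key.

```powershell
# Added audit example; run locally on the terminal server as an administrator.
# $ExpectedTree is a placeholder: set it to the tree that holds your User objects.
$ExpectedTree = 'EXAMPLE_TREE'
$findings = @()

# 15.2.2: the Workstation Manager service should exist and be running.
# Matched on display name, as it appears in the Services window.
$svc = Get-Service -DisplayName '*Workstation Manager*' -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'Workstation Manager service not found'
} elseif ($svc | Where-Object { $_.Status -ne 'Running' }) {
    $findings += 'Workstation Manager service is not running'
}

# 15.2.2, step 4: Tree value under the Identification key.
$idKey = 'HKLM:\SOFTWARE\NOVELL\Workstation Manager\Identification'
$id = Get-ItemProperty -Path $idKey -ErrorAction SilentlyContinue
if (-not $id -or -not $id.Tree) {
    $findings += "Tree value missing under $idKey"
} elseif ($id.Tree -ne $ExpectedTree) {
    $findings += "Tree is '$($id.Tree)', expected '$ExpectedTree'"
}

# 15.2.3, step 1: logon settings for every connection type, not only RDP-Tcp.
# Assumption: fInheritAutoLogon = 1 means Use Client Provided Logon Information
# is on; fPromptForPassword = 0 means Always Prompt for Password is off.
$wsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
foreach ($conn in Get-ChildItem -Path $wsRoot) {
    $name = $conn.PSChildName
    if ($name -eq 'Console') { continue }   # local console, not a connection type
    $p = Get-ItemProperty -Path $conn.PSPath
    if ($p.fInheritAutoLogon -ne 1) {
        $findings += "${name}: Use Client Provided Logon Information is off"
    }
    if ($p.fPromptForPassword -ne 0) {
        $findings += "${name}: Always Prompt for Password is on"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Workstation Manager and passthrough logon settings match the documented configuration.'
} else {
    $findings | ForEach-Object { Write-Output "MISMATCH: $_" }
}
```

The script only reads settings. The Novell Client location profile from Step 2 still has to be checked in the client's own dialog boxes.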

15.2.4 Setting Up Dynamic Local User Accounts

After you have installed and configured Workstation Manager on your terminal servers, you need to enable and configure the policies that control local user accounts. The following sections provide instructions:

Creating a User Policy Package

You use the Windows 2000-2003 Terminal Server policies, available in a User Policy package, to manage dynamic local user accounts. You can use an existing User Policy package, or you can create a new User Policy package specifically for Windows 2000-2003 Terminal Server policies. If you already have a User Policy package that you want to use, skip to Configuring Dynamic Local User Accounts. Otherwise, complete the following steps to create a User Policy package:

  1. In ConsoleOne, right-click the container where you want to create the User Policy Package object, click New, then click Policy Package to display the Policy Package Wizard.

    Figure: Policy Package Selection page in the Policy Package Wizard

  2. In the Policy Packages list, select User Package, then click Next.

    Figure: Policy Package Name page in the Policy Package Wizard

    The package object’s name must be unique within the container where it will be created. If you plan to create multiple User Policy packages, you might want to use a more descriptive name, such as Win2000-2003 TS User Package. Or, you might want to create the policy in the same container where the policy’s users reside.

  3. If necessary, change the package’s object name and the container where it will be created, then click Next.

    Figure: Summary page in the Policy Package Wizard

  4. In the Summary page, select Define Additional Properties, then click Finish to create the User Package object and display the object’s property pages.

    Figure: General Policies page on a User Package object

  5. Click the Policies tab, then click Windows 2000-2003 Terminal Server to display the Windows 2000-2003 Terminal Server policies page.

    Figure: Win2000 Terminal Server Policies page on a User Package object

  6. Continue with the next section, Configuring Dynamic Local User Accounts.

Configuring Dynamic Local User Accounts

You use the Dynamic Local User (DLU) policy to configure how Workstation Manager creates user accounts on the terminal server.

  1. On the Windows 2000-2003 Terminal Server platform page, select the check box to the left of the Dynamic Local User Policy to enable the policy, then click Properties to display the Dynamic Local Users property page.

    Figure: Dynamic Local Users property page

  2. Configure the following fields:

    Enable Dynamic Local User: Select this option to enable Workstation Manager to dynamically create user accounts.

    Manage Existing User Account (if any): If you want Workstation Manager to apply the DLU policy to existing user accounts, select this option. Otherwise, the DLU policy applies only to new user accounts.

    Use eDirectory Credentials: Select this option to use eDirectory user names and passwords for the local user accounts. With the user’s eDirectory and Windows credentials synchronized and passthrough authentication configured (see Section 15.2.3, Configuring Passthrough Authentication), the user is not prompted for any credentials when launching an application from a terminal server.

    Volatile User (Remove User after Logout): Select this option if you want a user's account removed after the user exits the application and the session is closed. All user account information is removed. If you want to retain user profiles, you can configure roaming profiles. Instructions are provided in Windows Desktop Preferences Policy (User Package) in Workstation Management in the Novell ZENworks 7 Desktop Management Administration Guide.

    Member Of/Not Member Of: In the Not Member Of list, select the group (or groups) that you want users made members of, then click Add. Group membership determines a user's access rights on the terminal server. If none of the groups listed provides the exact file system rights you want assigned to user accounts, you can use the File Rights page (Dynamic Local User tab > File Rights page).

  3. Click OK to save your changes and close the Dynamic Local Users property page.

  4. Continue with the next section, Associating the User Package with Users.

Associating the User Package with Users

You must associate the User Policy package with users before it can take effect.

  1. If the User Package object’s property page is not open, right-click the User Package, then click Properties.

  2. Click the Associations tab to display the Associations page.

    Figure: Associations page on the User Package object

  3. Click Add, then browse to and select the users you want the policy package applied to. You can add users, user groups, or containers.

  4. When you've finished adding users, click OK to save your information.