The Dynamic Local User policy lets you create new users and manage existing users on the managed device after they have successfully authenticated to the user source.
NOTE: Ensure that the latest version of the Novell Client is installed on the managed device before the Dynamic Local User policy is enforced. To obtain the latest version of Novell Client, see the Novell Download Web site.
In ZENworks Control Center, click the tab.
In the list, click , then click to display the Select Policy Type page.
Select , click to display the Define Details page, then fill in the fields:
Policy Name: Provide a name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide displays in ZENworks Control Center.
Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.
Description: Provide a short description of the policy’s content. This description displays in ZENworks Control Center.
Click to display the User Configurations page, then use the options on the page to configure the user account.
The following table contains information about configuring dynamic local user accounts and managing them on managed devices:
| Field | Details |
|---|---|
| | Enables logging in through the user's authoritative source credentials instead of using the Windows credentials. |
| | Allows you to specify the following user credentials for a volatile user:<br>If a user logs in to a device that has the Dynamic Local User policy applied and then logs out of the device when the device is disconnected from the network, the user is unable to log in to the disconnected device again. For information on this issue, see Dynamic Local User Policy Troubleshooting. |
| | Helps you to manage a user object that already exists. If you select both the and check boxes, and the user has a permanent local account that uses the same username specified in the user source, the permanent account is changed to a volatile (temporary) account and is removed when the user logs out. |
| | Specifies the use of a volatile user account for login. The user account that NWGINA creates on the local workstation can be either a volatile or a nonvolatile account. |
| Enable Volatile User Cache | Enables the caching of the volatile user account on the device for a specified period of time. |
| Cache Volatile User for Time Period (Days) | Allows you to specify the number of days to cache the volatile user account on the device. The default value is 5. You can specify a value from 1 to 999 days. This volatile user account is deleted after the expiry of the specified cache period when another DLU user logs out from the device. |
| | Displays the available group to which a user can be assigned as a member. |
| | Displays groups a user is member of. |
| | Click to display the Custom Group Properties dialog box, through which you can add a new custom group and configure its rights. |
| | Click to view and edit the details of a custom group. You cannot edit the default Windows groups with this option. |
| | Click to delete a custom group. You cannot delete the default Windows groups with this option. |
Click to display the Login Restrictions page, then fill in the fields to configure user access:
Included / Excluded Users: Lists the users and containers that you want to include or exclude access to. For more information, see Rules for Users.
Included / Excluded Workstations: Lists the workstations and containers that you want to include or exclude access to. For more information, see Rules for Workstations.
The displays the workstations and containers that you want to exclude DLU access to. Workstations listed or workstations that are in the containers listed here cannot use DLU access. You can make exceptions for individual workstations by listing them in the . This allows DLU access to those workstations only, and excludes DLU access to the remaining workstations in the container. If the user account is already on the workstation, the option to exclude the device from receiving the DLU policy is ignored.
Click to display the File Rights page.
For a DLU Policy, the timeout duration for enforcing file rights, if it is configured, is 120 seconds. For large directory structures, the DLU policy might not be enforced because of a timeout. To enforce the file rights, follow instructions in TID 7004171, in the Novell Support Knowledgebase.
The following table contains information about managing Dynamic Local User file system access on the managed device:
| Field | Details |
|---|---|
| | Allows you to select and assign appropriate file rights. To add a file/folder: |
| | : Allows you to copy and add a file rights setting to the list.<br>: Allows you to edit only the filename. |
| or | Allows you to reorder the files or folders. |
| | Allows you to remove a file or a folder from the list. |
Click to display the Summary page.
Click to create the policy now, or select to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.
Be aware of the following:
By default, all workstations are included.
For an indirect association, if an object is in both lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder.
If the closeness is the same, a workstation is directly added to Group A and Group B, and the
takes precedence.
| Excluded List | Included List | Result |
|---|---|---|
| Workstation-A | Workstation-B | The policy is applied on all workstations except Workstation-A. |
| Workstation Group-1 | Workstation-A | The policy is not applied on any workstations in Workstation Group-1, except for Workstation-A. The policy is applied on workstations that are not contained in Workstation Group-1. |
| Container-1 | Workstation Group-1 or Workstation-A | The policy is not applied on any workstations in Container-1, except for Workstation Group-1 or Workstation-A. The policy is also applied on workstations that are not contained in Container-1. |
Be aware of the following:
By default, all users are included.
For an indirect association, if an object is in both the lists, the closeness of the association is considered. A direct association is closer than a group association, which in turn is closer than a folder.
If the closeness is the same, a user is directly added to Group A and Group B, and the
takes precedence.
| Excluded List | Included List | Result |
|---|---|---|
| User-A | User-B | The policy is applied on all users except User-A. |
| User Group-1 | User-A | The policy is not applied on any users in User Group-1, except for User-A. The policy is also applied on users that are not contained in User Group-1. |
| Container-1 | User Group-1 or User-A | The policy is not applied on any users in Container-1, except for User Group-1 or User-A. The policy is also applied on users that are not contained in Container-1. |
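
The closeness rule for workstations and users described above can be modelled to check an include/exclude design before it is assigned. This is an added example, not ZENworks code: `Obj`, `closeness`, `policy_applies` and the sample objects are hypothetical, and because this page does not preserve which list wins at equal closeness, the caller must supply that as `tie_break`.

```python
from dataclasses import dataclass

# Closeness ranks taken from the page: direct is closer than group,
# group is closer than folder/container. Lower value = closer.
DIRECT, GROUP, FOLDER = 0, 1, 2


@dataclass(frozen=True)
class Obj:
    """A user or workstation (hypothetical model, not a ZENworks type)."""
    name: str
    groups: frozenset = frozenset()
    folders: frozenset = frozenset()


def closeness(obj, listed):
    """Rank of the closest association between obj and a list, or None."""
    listed = set(listed)
    if obj.name in listed:
        return DIRECT
    if obj.groups & listed:
        return GROUP
    if obj.folders & listed:
        return FOLDER
    return None


def policy_applies(obj, excluded, included, tie_break):
    """True if the DLU policy applies to obj.

    tie_break must be "included" or "excluded": the page's text does not
    preserve which list wins at equal closeness, so the caller must
    confirm it in the product and pass it in (assumption made explicit).
    """
    if tie_break not in ("included", "excluded"):
        raise ValueError("tie_break must be 'included' or 'excluded'")
    exc, inc = closeness(obj, excluded), closeness(obj, included)
    if exc is None:
        return True   # by default, everything is included
    if inc is None:
        return False  # excluded and no exception listed
    if inc != exc:
        return inc < exc  # the closer association wins
    return tie_break == "included"


# Constructed sample objects mirroring the names in the tables above.
G1, C1 = frozenset({"Workstation Group-1"}), frozenset({"Container-1"})
WS_A = Obj("Workstation-A", groups=G1, folders=C1)
WS_C = Obj("Workstation-C", groups=G1, folders=C1)  # constructed peer in Group-1
WS_D = Obj("Workstation-D", folders=C1)             # in Container-1 only
```
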