DLU based login corrupts user profile when logging-in to different devices with roaming profile

  • 7010457
  • 16-Jul-2012
  • 24-Jul-2014

Environment

Novell ZENworks Configuration Management
Dynamic Local User (DLU)
Roaming Profiles (RP)
Windows Group Policies (GPO)
Windows 7

Situation

  • Group Policies do not apply
  • Corrupt Windows profile
  • User has non-existent or incorrect rights various subkeys under HKCU\Software\Policies and/or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

Resolution

This is fixed in version 11.3.1 - see KB 7015288 "ZENworks Configuration Management 11.3.1 - update information and list of fixes" which can be found at https:// www.novell.com/support/search.do?usemicrosite=true&searchString=7015288
 
Workaround: 
Have the local user profile removed on each user logoff using the DLU policy Volatile user option.

This requires the DLU Volatile User cache to be disabled. This can be done at:
ZCC > Policies > [DLU Volatile User Policy] > Details > Volatile user > Enable Volatile User cache

Cause

DLU creates a new SID at each login.  If a user visits a machine where the user is cached (already exists) the existing SID will clash with the new SID.

Status

Reported to Engineering

Additional Information

Note:  There could be many possible causes giving the symptom of Windows Group Policies not being correctly applied.  In this case, the following must all be true:
  • Windows 7 (or Vista)
  • Dynamic Local User set to use Volatile User Cache or Volatile user option not enabled
  • Roaming Profiles
  • Windows Group Policies
  • A user will always be able to log in correctly to a machine that they have not logged in to before (or longer than the Volatile Cache period)
  • A user will never be able to log in correctly to a machine that they have logged in to before (within the Volatile Cache period)
  • Once a user's Roaming Profile becomes broken, it stays broken
  • The problem can be prevented by setting the Volatile Cache to off
Steps to reproduce:
  1. Create a user that has Dynamic Local User, Windows Group Policy and Roaming Profile Policies assigned
  2. Log the user in to Machine A and Windows Group Policies will be correctly applied; logout
  3. Log the user in to Machine B and Windows Group Policies will be correctly applied; logout
  4. Log the user in again to Machine A and and Windows Group Policies will NOT be correctly applied; Registry keys in Situation, above, will either be missing or permissions will be wrong; i.e. Assigned to a SID rather than a user