Dynamic Local User policy user inclusions and/or exclusions not effective

  • 7021459
  • 18-Sep-2017
  • 18-Sep-2017

Environment

ZENworks Configuration Management 2017 Policies

Situation

The Dynamic Local User policy has been configured to include or exclude specific users.

The user is a member of groups that fail to resolve through ZENworks-generated LDAP calls.

Resolution

Workaround
Configure the ZENworks Agent to skip requesting user group membership details in the containment lookup:

Create the registry value HKLM\Software\Novell\ZCM\AgentSettings\DonotFetchUserGroups of type REG_SZ with the data True.
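
The workaround above as an idempotent PowerShell script for an elevated prompt on the managed device. This is an added example, not part of the original document or of ZENworks tooling; the key path, value name, type and data come from the workaround text, and the function names Test-DluWorkaround and Set-DluWorkaround are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Path, value name, type (REG_SZ) and data are from the workaround text;
# the function names are hypothetical.
$KeyPath   = 'HKLM:\Software\Novell\ZCM\AgentSettings'
$ValueName = 'DonotFetchUserGroups'
$Expected  = 'True'

function Test-DluWorkaround {
    # $true only when the value exists, is of type REG_SZ and holds exactly 'True'.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    $isString = $key.GetValueKind($ValueName) -eq [Microsoft.Win32.RegistryValueKind]::String
    return ($isString -and ($key.GetValue($ValueName) -ceq $Expected))
}

function Set-DluWorkaround {
    # Create the key if it is missing (assumption: it may not exist on every agent).
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one created with the wrong type.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType String -Value $Expected -Force | Out-Null
}

if (Test-DluWorkaround) {
    Write-Output "$ValueName already set to '$Expected' (REG_SZ); nothing to do."
} else {
    Set-DluWorkaround
    # Re-read the value so a silent failure or wrong type is caught immediately.
    if (-not (Test-DluWorkaround)) { throw "Failed to set $ValueName under $KeyPath" }
    Write-Output "$ValueName set to '$Expected' (REG_SZ)."
}
```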

Cause

If the LDAP lookup fails for at least one user group, an error is returned to the ZENworks agent. When the containment lookup fails in this way, the ZENworks agent skips all user inclusion/exclusion details and the DLU policy applies as assigned, so the configured inclusions and exclusions have no effect.

Status

Reported to Engineering

Additional Information

Note that the zenserver service might need to be restarted on the Primary Servers, because the web server keeps returning cached group membership details from earlier containment lookups.

This issue was observed after adding an Open Enterprise Server with a Domain Services for Windows configuration to an existing eDirectory tree and adding domain user group memberships to existing users.

Looking up domain user group details through a previously installed LDAP server fails in this case because domain user groups are stored in domain containers, which do not resolve in ZENworks. Domain containers are of object class Container, which differs from "normal" eDirectory containers (Country, Organization, Organizational Unit...). The Container object class is not included in the eDirectory-specific LDAP lookup filter used in ZENworks, so objects below such domain containers fail to resolve in ZENworks.