Novell Cool Solutions

Login Profiles in the Novell Client for Vista


December 7, 2007 6:17 pm





With the release of the Novell Client for Vista 1.0, there are many new things and a few things that have been left behind. Vista itself mandated the loss of the GINA interface; in its place is a Credential Provider that supplies much of the same functionality, but in a new way. Also long gone are bindery and IPX, as well as a number of other links with the past. One thing that may seem the same, but is really new is the Login Profile feature.

Like Location Profiles … only better

The Novell Client for Windows has long had a feature called the Location Profile. This was an option that the administrator could enable to make it easier for a mobile user to connect to different networks on the go. A combo-box would appear on the login dialog that would let the user choose between settings for the office, or home, or a client site, and so forth. The new Login Profiles feature in the Vista client replaces Location Profiles, supplying the previous functionality with some important additions.

Differences between Location Profiles and Login Profiles

Location Profiles were designed primarily to deal with laptops that were taken from one site to another. The collection of information it managed affected everyone who used that machine, but since a laptop was often only used by a single person, that didn’t matter. It was possible to use Location Profiles on a desktop and define (for example) one profile for Marketing and another profile for Sales; but this solution wasn’t perfect. The user needed to know which profile to use and would have to deliberately switch to that profile every time he or she logged on. This meant an additional input on every login. Nothing prevented users from entering their usernames into the wrong profile and getting denied access. Furthermore, if only one profile existed, that tree/context/server would be presented as the default for every user who came up to the machine. If a user came up and changed that profile by logging into a different tree or context, the effects would remain on the machine and could pose problems for subsequent users logging in.

New! Login Profiles are per-user, not per-machine.

Login Profiles were designed to act per-user. Thus, when Alice enters her username, only the profile information that applies to her will be offered on the login dialog. If she uses more than one profile, they will all be available to her, but her logging in will not change things on the computer for Bob when he comes along and needs to log in. It is still possible to create System Login Profiles that apply to all users who access a machine, so the administrator can still set up a profile for Accounting and one for Sales, but the computer keeps better track of which profiles to use for which user.

User Profiles and System Profiles

Location Profiles, being maintained on a system-wide basis, could only be modified by the workstation administrator from the Client Properties page. The administrator could decide to allow users to modify a profile by setting the ‘Save Profile on Exit’ flag, but that meant that a profile might be inadvertently modified, simply by someone changing a context or tree and logging in. There are two kinds of Login Profiles — System and User. System profiles apply to everyone who logs onto the workstation, but User Profiles only apply to a single user. When the eDirectory username is entered, either at the primary login prompt (from the Credential Provider), or from the Red N-> Login dialog, the login system uses the username to identify all profiles that apply to that individual. If only one profile applies, that one is automatically selected. If there are multiple profiles, the one most recently used by that user is selected, and a drop-down profile list appears on the login dialog for the user’s choice. System Login Profiles are still administered through the Client Properties page, but User Login Profiles can be created or modified by an individual user through the Red N->User Administration sub-menu.

Display of the Login Profile Drop-Down

By default, the Login Profile List combo box on the Login dialog is only displayed if there are multiple profiles for the user (including any system profiles). The administrator can change this default through the Novell Client properties dialog -> Advanced Login -> Login Profile List setting. This parameter can take three possible values: “Automatic”, “Off”, and “On”. With the parameter set to “On”, the Login Profile list is always displayed, and with the parameter set to “On”, the profile list is never displayed. In the latter case, the user will be limited to one profile — the last one used. With the parameter set to “Automatic”, the profile list is only displayed when there are more than one profile.

NCIMAN definition of profiles

The administrator can pre-define System Login profiles through the use of the NCIMAN configuration tool. See NCIMAN for more information on its use. Login will default to using the ‘DEFAULT’ profile if a user has not previously logged into the system, so it is a good idea to start by defining what the ‘DEFAULT’ profile is — at a minimum, the Tree and Context must be filled in, and it is a good idea to also enter a value for the Server. The server field will be helpful if the name of the tree cannot be resolved via SLP. Other useful fields to set are the Windows username, the Windows Domain (if the user will be connecting to an NT Domain or Active Directory), and perhaps scripting and NMAS options.

The Username is not configurable

Since Login Profiles are specific to a user, or general for the entire system, the actual username itself is not a configurable field in the profile. There is a Credentials tab in the profile that contains the username, but editing is disabled: it should always be blank (for a System Login Profile) or pre-set with the username to whom the profile belongs. This also means that in an interactive login, if the username is changed in the Credentials tab, then the drop-down list of profiles will change to reflect which profiles apply to that user. If changing the username means changing the profile, then the profile data will also change — if the Advanced tab is open, the Tree, Context, and Server fields may change.

Possible Interactions with other Components

The Login Profiles feature has been tightly integrated to work with other parts of Login in a seamless fashion. However, there are two optional login components that may need to be considered — Contextless Login, and DHCP configuration. Contextless login is an optional Login extension that reads the username, performs an LDAP lookup on it, and then fills in the Tree and Context based on the directory information. Since these are fields that are also supplied by the Login Profile, there must be agreement between the two. In the current implementation of the Vista client, the initial values of the Tree and Context fields are determined by the login profile, and may then be overwritten by Contextless login. After a successful login, if the ‘Save on Exit’ flag is set in the profile, the profile data will be written back to the registry, meaning that even if the login profile was out of synch with Contextless login initially, it will agree after a successful login. DHCP lookup is another feature that can potentially conflict with login profiles. If DHCP lookup is enabled from the Client Properties page, login attempts to query the local DHCP server for options 85/86/87, which supply a default server/context/tree for the given workstation (regardless of username). The DHCP values are accepted if the user has not made an entry in the Tree/Context/Server fields, meaning that they can overwrite the values in the login profile. The administrator should choose carefully among the Contextless Login, DHCP discovery, and Login Profiles: attempting to use all of them at the same time may lead to unpredictable results.

Login Profiles — a Simpler Login Experience

In the end, login profiles are designed to simplify the login experience for the user, whether there is only one on a machine, or whether the machine is shared by many. It is designed to be unobtrusive, so that many users may not be aware of the feature’s existence, but a knowledgeable administrator (or user!) can configure different login profiles to gain additional convenience in working. By setting up different profiles that have different scripts, a user can create multiple work environments that change things such as drive mappings and startup executables. Multiple users on a machine can have separate execution environments. We hope this feature helps make the Novell Client for Vista more useful for you.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Categories: Uncategorized


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.


  1. By:yetzel

    I have tried the Novell Client for Vista and was able to log in with no problem. When I was on the network, often times after I shut down the Vista machine, my NDS account would be locked out by intruder lock-out, and the intruder machine IP address is the Vista machine.s IP I logged on. Could you help me with this?

    Send me an e-mail to

    • By:websterr1

      I noticed no reply to this comment and I am having the same problem. I have Vista Business Edition with Vista Client 1.0 with update 5 applied. Any time I work on this PC I know that I will be locked out of my Novell account. I don’t even need to enter a bad password. Any idea on what to do? yetzel did you get any replies directly or solve it on your own?

  2. By:yetzel

    I downloaded and installed the Client for Vista Update 3, but I still get intruder lockout when I log-out of my NDS account from the Vista computer also now the Intruder IP address is a server IP address. Could anyone help me to figure out a configuration that does not incur Intruder lockout of my NDS account? Thanks.

  3. By:jefferyscottsmith

    Is this also applicable to the iPrint client (v5.0.4)? Can the Novell Client and iPrint client be seamlessly integrated (in a similar fashion to what NetIdentity did under Windows XP)?



  4. By:gilgutz

    What’s the status of this initiative? Has it been fixed or still under development? Thanks.