A.4 Dynamic Local User Policy Troubleshooting

Unable to update the group membership of the user on the managed device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On the managed device, the group membership of the user is not updated according to the User Configurations settings of the Dynamic Local User policy.
Possible Cause: The DontUpdateGroupMemberships registry key is set to 1.
Action: On the managed device, set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA\Dynamic Local User\DontUpdateGroupMemberships to 0.

Dynamic Local User is unable to log on to the managed device

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the password of the Dynamic Local User in the user source does not meet the password complexity requirements, the user fails to log on to the managed device.
Possible Cause: The Password must meet complexity requirements setting is enabled in the password policy of the device's Group policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy).
Action: Do one of the following:
  • Ensure that the password specified for the user in the user source meets the password complexity requirements. For information on the password complexity requirements, double-click Password must meet complexity requirements in the password policy setting of the Group policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy).

  • Disable the Password must meet complexity requirements setting on the managed device.

Subsequent to the first login, the DLU user is prompted to provide the credentials when he or she tries to log into the device again during the cache period specified in the policy

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the Use the credential specified below and Enable Volatile User cache settings are configured in the Dynamic Local User policy, then subsequent to the first login, the DLU user is prompted to provide the credentials when he or she tries to log into the device again during the cache period specified in the policy.
Action: To enable the user to log into the device without being prompted on subsequent logins, ensure that the Manage existing user account option is enabled in the policy. This ensures that the ZENworks Agent manages the password on behalf of the user.

After logging out of a managed device that is disconnected from the network, a Dynamic Local User is unable to log in to the device again

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If a Dynamic Local User policy that has the Use the credential specified below, Manage existing user account, and Enable Volatile User Cache options enabled is assigned to a device, and a user logs out of the device while it is disconnected from the network, the user is unable to log in to the disconnected device again.
Action: Before the policy is assigned to the device or the device is disconnected from the network, perform the following steps on the managed device to use the user source password for logging in to the device:
  1. Open the Registry Editor.

  2. Go to HKLM\SOFTWARE\Novell\NWGINA\Dynamic Local User.

  3. Create a DWORD called EnableEDirPasswordForFA, and set the value to 1.
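
The two registry values named in this section (DontUpdateGroupMemberships and EnableEDirPasswordForFA) can be checked together from PowerShell. This is an added example, not part of the ZENworks documentation or tooling: the function name and the -Fix switch are hypothetical, while the key path, value names and expected data are the ones given in the Action entries above.

```powershell
# Added example. Function name and -Fix switch are hypothetical; the key path,
# value names and expected data are the ones given on this page.
function Test-DluRegistrySetting {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)   # write the expected DWORD when the current data differs

    $keyPath  = 'HKLM:\SOFTWARE\Novell\NWGINA\Dynamic Local User'
    $expected = [ordered]@{
        DontUpdateGroupMemberships = 0   # 1 is the documented cause of stale group membership
        EnableEDirPasswordForFA    = 1   # user source password for login while disconnected
    }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        # Do not create the key: without it there is nothing to audit on this device.
        Write-Warning "Registry key not found: $keyPath"
        return
    }

    foreach ($name in $expected.Keys) {
        # Get-ItemProperty yields $null for a missing value when errors are silenced.
        $item    = Get-ItemProperty -LiteralPath $keyPath -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.$name } else { $null }

        $status = 'Mismatch'
        if ($null -eq $current) { $status = 'Absent' }
        elseif ($current -eq $expected[$name]) { $status = 'OK' }

        if ($status -ne 'OK' -and $Fix -and
            $PSCmdlet.ShouldProcess("$keyPath\$name", "Set DWORD to $($expected[$name])")) {
            # -Force overwrites an existing value; writing under HKLM needs an elevated session.
            New-ItemProperty -LiteralPath $keyPath -Name $name -PropertyType DWord `
                -Value $expected[$name] -Force | Out-Null
            $status = 'Set'
        }

        [pscustomobject]@{
            Value    = $name
            Current  = $current
            Expected = $expected[$name]
            Status   = $status
        }
    }
}

Test-DluRegistrySetting                  # report only
# Test-DluRegistrySetting -Fix -WhatIf   # preview the writes without making them
```

As the Action above states, EnableEDirPasswordForFA has to be in place before the policy is assigned or the device is disconnected from the network, so run the check while the device is still connected.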

The DLU policy does not delete user profiles if the Roaming Profile policy is applied

Source: ZENworks 10 Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: User profiles created with a volatile DLU (Dynamic Local User) that has a Roaming Profile policy in effect are sometimes not deleted on user logoff.
Action: Set the DeleteRoamingCache registry key value. For details on setting the key value, see the Microsoft Support Web site.

For more information, see TID 7006386 in the Novell Support Knowledgebase.