Dynamic Local User Policy (User Package)

A dynamic local user (DLU) is a User object that is temporarily or permanently created in the workstation's Security Access Manager (SAM) database.

A temporary user or account is known as a volatile user, and the duration is determined by the administrator. This type of account prevents the SAM from becoming too large.

If your environment has several users who log on to a shared workstation or Terminal Server, you can configure and enable the Dynamic Local User (DLU) policy. After you have configured and enabled this policy, Desktop Management dynamically creates user accounts on the local workstation or Terminal Server while the user is logging in to the system.

For Windows NT/2000/XP workstations and Windows 2000/2003 Terminal Servers, the Dynamic Local User policy lets you configure the users that are created on those systems after they have authenticated to the directory. After a user has been associated with a Configuration object, NetWare Graphical Identification and Authentication (NWGINA) can retrieve information from the Configuration object to create a user account on the workstation.

If a user is not defined as a DLU and does not have an account on the workstation, the user's account cannot be created. Therefore, the user cannot log in to the workstation unless an account already exists or the administrator manually creates the user's account on the workstation. If the user is not defined as a DLU, the user's credentials from the Windows NT/2000/XP tab of the login dialog box are used to authenticate to the workstation.

If the user is defined as a DLU, the user's credentials from the directory or from the User Package, depending on how the administrator sets it up, are used.

If you configure a DLU in a User Policy Package to administer user access to NT/2000/XP workstations or Windows 2000/2003 Terminal Servers, and if you use a credential set other than the NetWare® credential set, the workstation user accounts created have a random, unknown password and are created as volatile user accounts. If volatile user caching is also enabled, the user accounts persist on the workstation for the duration of the cache life. However, these accounts are inaccessible because they have an unknown password.

If you use volatile user caching for users with non-NetWare credential sets, those user accounts are not accessible unless the users log in to the directory concurrently and have the Manage Existing User Account option set.

You can allow or restrict DLU login access to certain workstations by using the Login Restrictions page. Workstations and containers listed in the Excluded Workstation list cannot use DLU access; workstations listed or workstations that are part of containers listed in the Included Workstations list can use DLU access.

To properly manage group priorities, do not allow users associated with DLUs to be members of multiple groups.

To set up the Dynamic Local User policy:

  1. In ConsoleOne, right-click the User Package, click Properties, then click the appropriate platform page.

    NOTE:  For more information about Desktop Management support for the Windows NT platform, see "Interoperability with Windows NT 4 Workstations" in the Novell ZENworks 6.5 Desktop Management Installation Guide.

  2. Select the check box under the Enabled column for the Dynamic Local User policy.

    This both selects and enables the policy.

  3. Click Properties.

    The Dynamic Local User page.

  4. Fill in the fields:

    Enable Dynamic Local User: Enables creation of a User object that resides either temporarily or permanently in the workstation's Security Access Manager (SAM) database.

    NWGINA requires that you specify whether a local user is to be created.

    If this check box is not selected, NWGINA does not create a user in the local SAM. Instead, NWGINA attempts to find an existing user with the credentials indicated in the NWGINA login interface.

    If the Enable Dynamic Local User check box is selected, NWGINA gets the Username from the Configuration object and queries the local SAM to see if the Username already exists. If it does exist, NWGINA authenticates the user to the workstation or Terminal Server and access is granted. If the Username does not exist, NWGINA creates the user in the local workstation's or Terminal Server's SAM.

    If password restriction policies are set on the local workstation or Terminal Server, Dynamic Local User is not used. The password that DLU will use for the local account must meet local workstation password restrictions.

    Manage Existing User Account (If Any): Allows management through the existing user account. Enable this option if the User object you want to manage already exists. Workstation group assignments specified by Workstation Management are implemented, including changing the account from nonvolatile to volatile when the user logs in to the account. The account is also removed from the workstation after the user logs out.

    If this check box and the Volatile User check box are both selected, and the user has a permanent local account that uses the same credentials specified in eDirectory, the permanent account is changed to a volatile (temporary) account. The account is managed, but is removed when the volatile user cache age is reached or the user logs out.

    Any settings you change here overwrite the current account settings at the workstation or Terminal Server. If this option is not enabled, Workstation Management cannot manage the existing User object.

    Use eDirectory Credentials: Enables logging in through the user's eDirectory credentials instead of NT/2000/XP credentials. When creating the user account, NWGINA can use either the same credential set used for eDirectory authentication or a predetermined credential set specified in the Configuration object. When using eDirectory credentials to create the workstation user account, NWGINA queries the user's eDirectory account for the login name, full name, and description. The password for the NT/2000/XP user account is the same as that for the eDirectory user account.

    If eDirectory credentials are not used, the account is always volatile and is not accessible. Full Name and Description can also be included to provide a complete user description.

    If you don't use eDirectory credentials and the user account does not already exist (as indicated by the Manage Existing User Accounts check box), the user account is created as a volatile user account, which means that the user account is automatically deleted at logout. This is apparent because the Volatile User check box is automatically enabled if the Use eDirectory Credentials check box is not enabled.

    Volatile User (Remove User After Logout): Specifies the use of a volatile user account for login. The user account that NWGINA creates on the local workstation can be either a volatile or a nonvolatile account.

    Be aware that if you select both the Volatile User (Remove User After Logout) and Manage Existing User Account (If Any) check boxes, the volatile user account is removed when the user logs out, even if the account existed before the user logged in using DLU.

    User Name: The NT/2000/XP user name. The user name (not including the context) must contain fewer than 20 characters for a dynamic local user to log in.

    A user that is manually created via User Manager can't have a longer name.

    Full Name: The user's full name.

    Description: Enter any additional information that helps you to further identify this user account.

    Member Of: Lists the groups where this user has membership. When NWGINA creates the workstation user, it can provide group membership to any user groups. The groups that the user is added to are listed in the Member Of list. The default configuration is for the user to be added to the Users group. Other groups can be added by selecting the group and clicking Add. Groups can be removed by selecting the group and clicking Remove.

    Not Member Of: Lists available groups where this user has not been assigned as a member.

    Custom: Opens the Custom Groups page, where you can add a new custom group, delete an existing custom group, and view or modify properties of an existing custom group. Click the Help button on the Custom Group Properties dialog box for more information about the available options.

  5. (Optional) If you want to restrict DLU access to certain workstations, click the down-arrow on the Dynamic Local User tab > click Login Restrictions.

    The Dynamic Local User policy's Login Restrictions page.

    1. Select the Enable Login Restrictions check box to restrict DLU access to certain workstations.

      When you check the Enable Login Restrictions check box, the Add and Delete buttons are available.

    2. Select the Restrict Unregistered Workstations check box if you want to restrict DLU access to unregistered workstations.

      In previous releases of ZENworks for Desktops, workstations that had not registered in eDirectory could not be given DLU access because they could not be listed in the Included Workstations list. If you enable this option, no unregistered workstation can be granted DLU access (as in previous versions of ZENworks for Desktops). If you do not select the Restrict Unregistered Workstations check box, all unregistered workstations can be granted DLU access even though they do not appear in the Included Workstations list.

    3. Use the Add and Delete buttons under the Excluded Workstations list box as appropriate.

      The Excluded Workstation box lists the workstations and containers that you want to exclude DLU access to. Workstations listed or workstations that are part of containers listed in this box cannot use DLU access. You can make exceptions for individual workstations by listing them in the Included Workstation list. This allows DLU access to those workstations only, while excluding DLU access to the remaining workstations in the container.

    4. Use the Add and Delete buttons under the Included Workstations list box as appropriate.

      The Included Workstations box lists the workstations and containers that you want to allow DLU access to. Workstations listed or workstations that are part of containers listed in this box can use DLU access. You can make exceptions for individual workstations by listing them in the Excluded Workstation list. This excludes DLU access to those workstations only, while allowing DLU access to the remaining workstations in the container.

  6. (Optional) Click the down-arrow on the Dynamic Local User tab > click File Rights if you want to manage DLU file system access on Windows NT/2000/XP workstations and Terminal Servers.

    The Dynamic Local User policy's File Rights page.

    You can control access to entire directories or to individual files. For example, if the Dynamic Local User policy creates the user as a member of a group that does not give access to a directory required to run an application, you can use this page to explicitly grant the required directory rights. Or, if the user has Full Control rights to a directory, you can use this page to limit rights to any of the directory's files.

    1. Use the Add button to modify the directories and files to which the user has been explicitly assigned file system rights.

      You will be prompted to enter or select the directory or file. The directory or file path must be from the perspective of the workstation or Terminal Server where the rights will be assigned. After you've added a directory or file to the list, select the directory or file, then use the File Rights box to assign the appropriate file rights (Full Control, Read, Write, Execute, Grant Permissions, and Take Ownership).

      The File Rights list displays the directories and files to which the user has been explicitly assigned file system rights. When you select a directory or file in the list, the assigned rights are shown in the File Rights box below the list. For an explanation of each of these rights (Full Control, Read, Write, Execute, Grant Permissions, and Take Ownership), refer to the Microsoft* Windows operating system documentation.

    2. Use the Arrow buttons on the right side of the File Rights list box to reposition the entries as appropriate.

      Directory rights are assigned in the order the directories are listed, from top to bottom. Because of directory rights inheritance, if a directory and its subdirectory are listed, the subdirectory must be listed after its parent directory. This ensures that the subdirectory's explicitly assigned rights will not be overridden by rights inherited from its parent directory.

      File rights always take precedence over directory rights, regardless of their position in the list. For example, if you assign Full Control rights to the c:\program files directory and Read and Execute rights to the c:\program files\sample.txt file, the user is assigned Read and Execute rights to the file regardless of whether the file is listed before or after the directory.

      Inheritance of rights can be blocked on the NTFS file system; under Windows XP, for example, the Windows directory by default does not allow rights to be inherited.

  7. Click OK to save the policy.

  8. Repeat Step 1 through Step 7 for each platform where you want to set a Dynamic Local User policy.

  9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the User or Workstation Package to associate the policy package.
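The Login Restrictions rules from Step 5 (Excluded and Included lists with container inheritance, plus the Restrict Unregistered Workstations option), as an added Python model written for this page; it is not ZENworks code. The workstation and container names are constructed, and two points the page does not state are assumptions: a registered workstation that matches neither list is denied, and an exact tie between the lists resolves to Excluded.

```python
from dataclasses import dataclass, field

@dataclass
class LoginRestrictions:
    """Settings of the DLU Login Restrictions page (model built for this example).
    Entries are leaf-first names such as "WS1.Sales.Acme" (workstation) or
    "Sales.Acme" (container); a container entry covers every workstation
    whose name ends with it.  Names here are constructed samples."""
    enabled: bool = True
    restrict_unregistered: bool = True
    excluded: list = field(default_factory=list)
    included: list = field(default_factory=list)

def _match_depth(workstation, entry):
    """How specifically an entry matches: the number of name components in
    the entry (a direct workstation entry is the deepest), or -1 for no match."""
    ws, ent = workstation.lower().split("."), entry.lower().split(".")
    if len(ent) > len(ws) or ws[len(ws) - len(ent):] != ent:
        return -1
    return len(ent)

def dlu_allowed(policy, workstation):
    """Decide whether a workstation may use DLU under this policy.
    From the page: with restrictions disabled every workstation qualifies;
    an unregistered workstation (None) is denied only when Restrict
    Unregistered Workstations is set; a registered workstation follows the
    most specific matching entry, so a workstation listed in one list
    overrides its container listed in the other.  Assumed, not stated on
    the page: no match at all means deny, and an exact tie means deny."""
    if not policy.enabled:
        return True
    if workstation is None:
        return not policy.restrict_unregistered
    best_ex = max((_match_depth(workstation, e) for e in policy.excluded), default=-1)
    best_in = max((_match_depth(workstation, e) for e in policy.included), default=-1)
    return best_in > best_ex if best_in >= 0 else False

# Constructed sample: Sales is excluded except the kiosk WS-KIOSK7;
# Lab is included except WS-LAB2.
EXAMPLE = LoginRestrictions(
    excluded=["Sales.Acme", "WS-LAB2.Lab.Acme"],
    included=["WS-KIOSK7.Sales.Acme", "Lab.Acme"],
)

if __name__ == "__main__":
    for ws in ["WS1.Sales.Acme", "WS-KIOSK7.Sales.Acme",
               "WS-LAB1.Lab.Acme", "WS-LAB2.Lab.Acme", None]:
        print(ws, "->", "allowed" if dlu_allowed(EXAMPLE, ws) else "denied")
```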
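The File Rights ordering rules from Step 6, as an added Python model that is not ZENworks code: directory entries are applied top to bottom with a parent's rights inherited by listed subdirectories, and a file entry always takes precedence. The paths and right sets are constructed samples, and blocking of inheritance (mentioned for the Windows directory on XP) is deliberately not modelled.

```python
from dataclasses import dataclass
import ntpath

@dataclass
class Entry:
    path: str            # as seen from the workstation, e.g. r"c:\program files"
    rights: frozenset    # e.g. {"Full Control"} or {"Read", "Execute"}
    is_file: bool = False

def _norm(p):
    return ntpath.normpath(p).lower()

def _is_under(child, parent):
    """True when child is parent itself or lies somewhere beneath it."""
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent.rstrip("\\") + "\\")

def effective_rights(entries, target):
    """Rights a DLU ends up with on target, following the page's rules:
    directory entries are applied top to bottom and a parent's rights are
    inherited by directories beneath it, so a parent listed after its
    subdirectory overwrites the subdirectory's explicit rights; a file
    entry wins over any directory entry regardless of position.
    Simplified model for this example (no inheritance blocking)."""
    assigned = {}                      # directory -> rights currently in force
    for e in entries:
        if e.is_file:
            continue
        for d in list(assigned):       # inheritance flows down to listed subdirs
            if _is_under(d, e.path):
                assigned[d] = e.rights
        assigned[_norm(e.path)] = e.rights
    for e in entries:                  # explicit file entry takes precedence
        if e.is_file and _norm(e.path) == _norm(target):
            return e.rights
    holders = [d for d in assigned if _is_under(target, d)]
    return assigned[max(holders, key=len)] if holders else frozenset()

# Constructed sample entries.
PARENT = Entry(r"c:\program files", frozenset({"Full Control"}))
SUBDIR = Entry(r"c:\program files\app", frozenset({"Read", "Execute"}))
SAMPLE = Entry(r"c:\program files\sample.txt", frozenset({"Read", "Execute"}), is_file=True)

if __name__ == "__main__":
    print("parent then subdir:", effective_rights([PARENT, SUBDIR], SUBDIR.path))
    print("subdir then parent:", effective_rights([SUBDIR, PARENT], SUBDIR.path))
    print("file before dir:   ", effective_rights([SAMPLE, PARENT], SAMPLE.path))
```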