To run applications on a terminal server, users need to have local user accounts on the terminal server. You can use Workstation Manager (installed with the Desktop Management Agent) and user policies to dynamically manage terminal server user accounts. If you plan to use Workstation Manager, complete the tasks in the following sections. If you don’t plan to use Workstation Manager, see Section 15.3, Using Non-ZENworks Methods to Manage Local User Accounts for other user management possibilities.
You must install the Novell Client and the Desktop Management Agent on each terminal server where you want ZENworks to dynamically manage terminal server accounts.
The Desktop Management Agent includes the Workstation Manager component that dynamically creates local user accounts on the terminal server. The Management Agent uses the Novell Client to authenticate to Novell eDirectory™ and access the Dynamic Local User policy.
Download the Novell Client 4.91 SP1 (or later) from the Novell Download Web site and install the client on the terminal server.
Install the Desktop Management Agent, making sure to install the Workstation Manager and Application Management components; the other components are optional.
For information about installing the Desktop Management Agent, see Section 12.0, Installing and Configuring the Desktop Management Agent.
ZENworks Desktop Management includes eDirectory user policies that enable you to easily manage local user accounts and profiles on terminal servers. Workstation Manager, running on the terminal server, applies the policies when a user logs into the terminal server. This section helps you ensure that Workstation Manager is installed and configured correctly. Information about creating and using user policies is provided in Section 15.2.4, Setting Up Dynamic Local User Accounts.
Workstation Manager is installed as part of the Desktop Management Agent installation. You can verify that Workstation Manager is installed and running on the terminal server by checking for the Workstation Manager service in the Services window.
If you have multiple eDirectory trees, you should also make sure that Workstation Manager is configured to read the eDirectory tree where your User objects reside. To do so:
Click the menu > > > .
In the ZENworks Agent Options dialog box, click .
Verify that Enable Workstation Manager is selected and that the tree is set correctly.
(Optional) Verify the Tree value in the Windows registry, underneath the HKEY_LOCAL_MACHINE/SOFTWARE/NOVELL/Workstation Manager/Identification key.
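The two checks in this procedure (the service is running and the Tree value is correct) can be scripted and run on each terminal server. The following is an added example, not part of the Novell documentation or tooling; the display-name match for the service and the `EXAMPLE_TREE` placeholder are assumptions, and the registry key is the one named above, written with Windows backslash separators.

```powershell
# Added example, not Novell tooling. Run locally on each terminal server.
param(
    # Placeholder: the eDirectory tree where your User objects reside.
    [string]$ExpectedTree = 'EXAMPLE_TREE'
)

# Registry key named on this page, written with backslash separators.
$keyPath = 'HKLM:\SOFTWARE\NOVELL\Workstation Manager\Identification'

$report = New-Object PSObject -Property @{
    Server        = $env:COMPUTERNAME
    ServiceStatus = 'NotFound'
    Tree          = $null
    TreeMatches   = $false
}

# Same check as the Services window. Matching on the display name is an
# assumption; the wildcard returns nothing (no error) if no service matches.
$svc = Get-Service -DisplayName '*Workstation Manager*' | Select-Object -First 1
if ($svc) { $report.ServiceStatus = $svc.Status.ToString() }

# Read the Tree value; a missing key or value leaves Tree as $null.
$item = Get-ItemProperty -Path $keyPath -Name 'Tree' -ErrorAction SilentlyContinue
if ($item) {
    $report.Tree = ([string]$item.Tree).Trim()
    # PowerShell's -eq compares strings case-insensitively.
    $report.TreeMatches = ($report.Tree -eq $ExpectedTree)
}

$report | Format-List Server, ServiceStatus, Tree, TreeMatches

# Non-zero exit code so a scheduler or deployment job can flag drift.
if ($report.ServiceStatus -ne 'Running' -or -not $report.TreeMatches) { exit 1 }
```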
To simplify the process of launching terminal server applications, ZENworks Desktop Management provides passthrough authentication. With passthrough authentication, a user is not prompted for a username and password when he or she launches a terminal server application as long as the user's eDirectory account and Windows user account have the same username and password.
By default, passthrough authentication is configured automatically during installation of the Desktop Management Agent to the terminal server. However, to verify that configuration occurred correctly, we recommend you do the following:
Turn on the terminal server’s setting and turn off the setting:
Verify the default profile configuration for the terminal server’s Novell Client:
At the terminal server, right-click the Novell icon (N icon) in the status area of the taskbar, then click .
Click the tab.
In the list, select , then click to display the Location Profiles Properties dialog box.
Select in the list, select in the list, then click to display the Novell Login dialog box.
Deselect (turn off) the option.
Click the tab.
In the field, select the eDirectory tree where the terminal server applications are configured as Application objects.
Delete any information from the and fields.
To save the configuration settings, click until you’ve closed all dialog boxes.
After you have installed and configured Workstation Manager on your terminal servers, you need to enable and configure the policies that control local user accounts. The following sections provide instructions:
You use the Windows 2000-2003 Terminal Server policies, available in a User Policy package, to manage dynamic local user accounts. You can use an existing User Policy package, or you can create a new User Policy package specifically for Windows 2000-2003 Terminal Server policies. If you already have a User Policy package that you want to use, skip to Configuring Dynamic Local User Accounts. Otherwise, complete the following steps to create a User Policy package:
In ConsoleOne, right-click the container where you want to create the User Policy Package object, click , then click Policy Package to display the Policy Package Wizard.
In the list, select , then click .
The package object’s name must be unique within the container where it will be created. If you plan to create multiple User Policy packages, you might want to use a more descriptive name, such as Win2000-2003 TS User Package. Or, you might want to create the policy in the same container where the policy’s users reside.
If necessary, change the package’s object name and the container where it will be created, then click .
In the Summary page, select , then click to create the User Package object and display the object’s property pages.
Click the tab, then click Windows 2000-2003 Terminal Server to display the Windows 2000-2003 Terminal Server policies page.
Continue with the next section, Configuring Dynamic Local User Accounts.
You use the Dynamic Local User (DLU) policy to configure how Workstation Manager creates user accounts on the terminal server.
On the Windows 2000-2003 Terminal Server platform page, select the check box to the left of the to enable the policy, then click to display the Dynamic Local Users property page.
Configure the following fields:
Enable Dynamic Local User: Select this option to enable Workstation Manager to dynamically create user accounts.
Manage Existing User Account (if any): If you want Workstation Manager to apply the DLU policy to existing user accounts, select this option. Otherwise, the DLU policy applies only to new user accounts.
Use eDirectory Credentials: Select this option to use eDirectory user names and passwords for the local user accounts. With the user’s eDirectory and Windows credentials synchronized and passthrough authentication configured (see Section 15.2.3, Configuring Passthrough Authentication), the user is not prompted for any credentials when launching an application from a terminal server.
Volatile User (Remove User after Logout): Select this option if you want a user's account removed after the user exits the application and the session is closed. All user account information is removed. If you want to retain user profiles, you can configure roaming profiles. Instructions are provided in Windows Desktop Preferences Policy (User Package) in Workstation Management in the Novell ZENworks 7 Desktop Management Administration Guide.
Member Of/Not Member Of: In the list, select the group (or groups) that you want users made members of, then click . Group membership determines a user's access rights on the terminal server. If none of the groups listed provides the exact file system rights you want assigned to user accounts, you can use the File Rights page ( tab > File Rights page).
Click to save your changes and close the Dynamic Local Users property page.
Continue with the next section, Associating the User Package with Users.
You must associate the User Policy package with users before it can take effect.
If the User Package object’s property page is not open, right-click the , then click .
Click the tab to display the Associations page.
Click , then browse to and select the users you want the policy package applied to. You can add users, user groups, or containers.
When you've finished adding users, click to save your information.