ZCM Agent consumes grace logins

  • 7001549
  • 07-Oct-2008
  • 30-Apr-2012

Environment

Novell Client for Windows 2000/XP/2003
Novell ConsoleOne
Novell eDirectory
Microsoft Windows XP Professional
Microsoft Windows Vista
Novell ZENworks 10 Configuration Management
Novell ZENworks 10 Configuration Management with Support Pack 1 - 10.1

Situation

After enabling the grace logins feature in Console One for a user to change their password a user receives a prompt similar to "you have 6 remaining grace logins to change your password" when logging in to the nwclient. 
 
If the machine has the ZCM agent installed then a user will experience the grace login number to drop by 2 for each login if DLU is enabled the counter will drop by 3. 
 

Resolution

To ease the side affect of this issue, the amount of grace logins can be configured to 6 or 9 so the end user will technically still have 3 grace logins before the user is locked out.  

Additional Information

Neither ZEN nor client32 has any control over the grace login fields. The Grace logins are a function of eDirectory.

The reason two grace logins are taken on every login when the ZCM agent is present is because the ZCM agent connections are separate from the nwclient connections.  Nwclient will login using an NCP connection but ZCM will login using an LDAP connection.  Both logins will consume a grace login as they are completely separate individual connections.  When eDir is presented with user credentials for the purpose of a login, eDir first checks if the password is expired.  If it is expired, eDir will only grant the connection if there are remaining grace logins left.  But then if it does grant the connection, it will decrement the remaining grace logins allowed.


For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems