Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

behavior of windows 2000/XP policy

Status
Not open for further replies.
vale2

vale2

Technical User
Feb 21, 2003
50
0
0
FR
Hi all,

first of all : is it "normal" that when you apply a user policy with zen 4.1 to "userA" for example and specify "keep after logout" in winnt-2000-XP tab, you keep rights of userA when you log after in "workstation only" with "Administrator" local account.

Simple question : if drivers of your lan card are dead, how can you repair it?
It seems to me unbelievable that your profile applied for a simple user is applied too at your local Administrator.
I don't understand.

If they is no other way, i found that you can enable a temporary user and define a period in order to keep his profile called : Cache temp Users
Where can i find it? novell client? policy?

Thanks for your help!



 
Sort by date Sort by votes
The answer is to NOT "keep after logout"...

Not unbelievable.. makes perfect sense. It's doing exactly what you told it to.

You should be creating policies that get applied to people as they login.. never hope that a previous user policy is still in effect. Make it so everyone gets a policy with the appropriate permissions.

Marvin Huffaker, MCNE
 
Upvote 0 Downvote
ok so my question still "if drivers of your lan card are dead, how can you repair it?"

you have no more administrator rights, isnt'it?

In my opinion, something should exist to apply policy per user and not for workstation.


 
Upvote 0 Downvote
There are User policies that are different than Workstation policies..

But for now you are probably hosed. In the future, you should not use that setting that you mentioned you invoked that specifically tells ZEN to keep the policies in effect after logout.

It's off by default and if you look it up, you'll probably find that most people don't recommend using it. But Novell put it there cause there's probably 1 or 2 people out there that can see a value to it.

Personally, I don't like it. If you have imaging configured, you could easily blow down a clean image in 15 minutes and be up and running.

Marvin Huffaker, MCNE
 
Upvote 0 Downvote
ok so how do you configure users with laptops who work at home if you don't choose that option?

if you don't keep policy, they can modify what you have configured in your users rules, isn't it?
 
Upvote 0 Downvote
Use a different policy for mobile users than you use for local users.

ZfD is an great product that no network can do with out IMPO, but it does not allow you to have your cake and eat it to. You have to do the leg work fromt he start to make it work for you and you need to set your expectation right.

IMO, if you need to get into a workstation as administrator to fix somthing, then the workstation should be reimaged. To many problems come up with windows that IT wastes to much time troubleshooting when their time can be used for more productive things, like keeping the network running smooth.

Start developing a 15min do or die policy for your workstations. If you can't fix the issue in 15 minutes, then reimage it. This involves having policies that function correctly, app images that function correctly, and a workstation image that functions correctly. It typacly takes about 200 hours to complete all of it.


Now back to topic:

What I think is causing your problem is you have configured workstation policies with in your user policy. Don't really like that Novell lets you do this, but they do (and it's more of an M$ thing than it is a Novell thing). When you create your group policy for users, be sure to only enable settings for the user, not the machine. Only do machine options in a workstation policy. This way, when a user gets a policy applied, it will only be applied to their profile, no other profile will be affected.

Your problem is you have machine settings that are global to all users, and those settings are locking you out at your admin profile.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
Keep IT Simple
 
Upvote 0 Downvote
ok, maybe i'm not very clear.
so mobile users own too desktops... so different policies are not very possible..
moreover, i dont' know if you have already encountered that problem: if you use a windows user profile (user without permissions)and put his documents on another drive D:\ then flash PC then recreate user, he can't anymore modify his file because he has no right to became owner of files (and new user ID is different from the old one).... so flash computers is not so easy....
Maybe user profile is too restrictive (a lot of rights problems using software even groupwise...)
I think what you say BS is wrong or maybe i don't understand what you say : when you apply user zen policy you apply to all users of your workstation (and there is no choice to except an user). Then you choose to apply windows user policy or windows workstation policy...

I'll upgrade as soon as possible to zen7, i'll inform you (i know that you can gave rights to specific directories to users), maybe it could help...

thanks for your help!
 
Upvote 0 Downvote
Your putting your self into a box and limiting your options there vale.


For starters, you can acomplish the policy settings for users desktops in the office and on the road. Only the user policy would have just the basics of it, the rest would be done in teh workstation policy. You only need to configure workstation policy settings in the admin user policy to unlock things when the admin logs in. This will work because the workstation policy is applied to the system first, the the user policy is applied. The admin user policy will override what ever is in the workstation policy to allow you to perform what ever work you wish to perform. There is also a setting with in ConsoleOne when you configure the policy that asks how you want the policies to be applied, merged or overwrite.

Having one partition for the OS and another for user data is a good way. Just do not use NTFS for the user data partition, or yea, you run into the whole user rights issue. Just create a FAT32 partition, and if XP/2k won't let you (some 30somthing gig limit hoopla), then get your self a thrid part partition manager that will do it (I use Linux).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
Keep IT Simple
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Chillybeans
  • Locked
  • Question
ZENworks preboot service not starting on Windows server 2008
Replies
1
Views
111
Provogeek
Provogeek
jrp611
  • Locked
  • Question
change windows 7 registry key
Replies
2
Views
116
eritguy
eritguy
dleggett
  • Locked
  • Question
Policy
Replies
1
Views
39
marvhuffaker
marvhuffaker
50ccer
  • Locked
  • Question
Using workstation policy for an automatic shutdown
Replies
1
Views
43
Provogeek
Provogeek
TAGross
  • Locked
  • Question
Protect policy at XP machine level from Zenworks 6.5 group policies 2
Replies
10
Views
117
TAGross
TAGross

Part and Inventory Search

Sponsor

Back
Top