DLU - Warm Fuzzies

Status
Not open for further replies.
Jun 25, 2003
2,949
US
Need some warm fuzzies about DLU. I have a unique situation that I have not run into before and am hoping someone else has seen it and can help me work around it.

ZFD4.01, WinXP... DLU policy enabled for the users which btw, works great.

However, my client sets up each machine with one local windows account only. They want to retain the settings, but use the DLU to avoid having two login prompts (1 - Novell account, 2 - Default Windows account).

So here is why it's such a problem.

- when you use the eDirectory credentials, it creates a new profile and settings for their 'standard' windows login are not used. So in other words, none of their settings are there, it pretty much looks like a new install with nothing configured.

- when I specify not to use the eDirectory credentials, and put in their 'standard' windows account name in the DLU settings... it logs in fine, profiles are there. But it assigns a random password to the account. Therefore, if they take their laptops home, they cannot log in to Workstation Only because the account is locked with a password that was randomly generated.

So I am looking for thoughts on how to work around this. Thanks.

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
just to see if i understand this

bing crosby gets his new laptop from IT. on it someone has already created a BCrosby account with a profile already nicely setup. yes/no - this has what password?

first time bing uses laptop it's on a network - so he logs into the tree - he has a dlu associated which i assume has the wee tick saying something like handle existing local accounts - this should use his existing local account and profile - or would you get a new one with the description - created by novell blah blah - this first time i assume it says your pwd has expired do you want to cx it

do you end up with two profiles bcrosby and bcrosby.000

why have they made the local one isn't it easier to modify the default .dat and then let the dlu kick in
only downside is prior to home use the victim must have one successful network login
 
No, that's not how it is.. More like this.. (btw, Bing Crosby???)

Without DLU - Joe User gets laptop.. A local WinXP user named "COMPANYUSER" has been created with administrator privileges and no password. A custom profile has been copied to the COMPANYUSER account. Joe logs in with his JOE account, and then is asked for the password for the COMPANYUSER local account. Since no password, he presses ENTER and he's in. Everything is good. The same COMPANYUSER account is created on all 200+ systems. Only Administrator and COMPANYUSER exist on any given system.

Turn on DLU with these settings...

- Check the Handle existing local accounts...
- Uncheck use eDirectory Credentials
- Put "COMPANYUSER" in for the username.
- Add user to ADMINISTRATORS group.

First time they login, it uses the COMPANYUSER profile that is already in place. When they logout, I believe the local COMPANYUSER account gets deleted but keeps the directory.

As long as the user is logging into Novell, it works. The problem is that when they take their laptop home, the COMPANYUSER account is no longer valid. The directory is still there, but the account is gone.

If you create the user manually, you end up with COMPANYUSER and COMPANYUSER.000 in the directories.

I do know that their existing setup is a little strange but need to figure out a way to work with it in its current configuration and gradually move it to a more practical and efficient setup.

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
so the volatile account is ticked -
this takes the companyaccount with it as well as joe and bing

as for bcrosby - all our test users are dead singers - makes it easy

i need to do this on a pc to try it
 
Well, I've got to do some testing too. But one thing about it is that when you Uncheck the eDir Credentials, you don't have the option of checking the volatile user. It grays it out.

So when not using the NDS name, there aren't any options that you can use to control the local account. Just the account name and that's it.

I'm thinking that a better way to do it would be to have it use DLU and the NDS account name, then push out the profile it needs rather than trying to use one that has already been preconfigured. But changing that across the entire company is not easy.



Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
You might want to double check the client version and revision of the management agents. It seems like there were some DLU issues related to dll's as the client and management agents were going through various service packs. Been awhile since I've dealt with it though as well.
 
I've been told by a Novell guy that it's working as designed, so I'm looking for more of a workaround than a bug fix.

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
Marvin, try removing the check mark from Manage Local User Accounts. This way, DLU will not touch this default user.

Better yet, use Group Policies (assuming Win2k/XP). One of my issues with DLU was when a user would login into a machine and the account got created, IE would have to be configured. The way I worked around this was to create a Group Policy to disable Internet Connection Wizard. Now IE just opens and it's ready to rock. In some cases I have also distributed proxy settings, altered the logo, and changed the window title.

For Outlook, I strip that out of my default image for workstations, so it's just not there. Most everything else is done through the policy to configure the user's profile.

The last part I am still trying to figure out myself is how to disable the useless services. I can disable them in my image, but they come right back when I dump the image onto a workstation.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
 
Hey Brent, thanks.

I did some testing with the "manage local user accounts" unchecked, and it pretty much disables the functionality of the DLU in this situation. I put the Novell account in, and then I'm prompted to enter the password for the local user account, which is blank. But with DLU in this configuration and without DLU at all result in the same thing.

I will do some testing in my lab to see if I can duplicate what my client is doing, but then create the same environment with Zenworks instead of his current manual setup.

I have also invited my client to join the discussion since he may be able to provide additional details that may help with coming up with a better long term solution.

Thanks

Marvin.

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
Terry712 said:
"as for bcrosby - all our test users are dead singers - makes it easy"

That's great. I'd tried using dead Kennedys once, there just aren't enough of 'em...
 
Must be specific to ZFD 4. I have volatile user unchecked in my ZFD 3.2 and when my mobile users go mobile, they just check workstation only and put in the password.
 