I've set up a Windows 2003 SP1 terminal server (application mode) as part of a remote access solution. Since we use Novell for our file/print servers and Windows client authentication, I've set up ZENworks for Desktops 6.5 on the W2K3 terminal server to create volatile dynamic local users. This way we don't have to manage the accounts on the TS separately from those already in eDirectory. Because the terminal server isn't part of an AD domain, I'm using local policies to assist in locking down users. The user policies are being pushed out to the users via ZENworks.
I'm using ConsoleOne on the W2K3 server to create the user policies. Here's where I run into trouble. If I make any changes to the user policy under "User Configuration | Windows Settings | Internet Explorer Maintenance", the policy won't completely apply when the user logs in via TS. For example, not all Start menu and taskbar settings get applied. If I restore the previous policy and log in again as the same user, everything works just fine. The only difference between the two policies is the changes made to the user policy under "Internet Explorer Maintenance".
The policies are stored locally on the W2K3 TS, so I don't think it's a problem with slow link detection. However, just to be sure, I've disabled slow link detection via the machine and user policies, and I have also forced all policies to apply even if they haven't changed via the settings under "Computer Configuration | Administrative Templates | System | Group Policy". I'm not sure if these settings apply when ZENworks is pushing the user policy, however.
I've also discovered that if I reboot the W2K3 TS, the first time I log in as the user via TS, the policy applies completely, even with the changes made under "Internet Explorer Maintenance". On subsequent logins via TS, the policy fails to apply completely. After that, it never applies completely until I reboot the W2K3 TS server.
So, even though I'm using volatile (i.e. deleted upon logout from the W2K3 TS) dynamic local users, it appears that something is getting cached somewhere that prevents the policy from being completely applied on subsequent logins. I've searched the registry for the username after logout and found several entries. Even after deleting those entries from the registry, the policy still won't apply completely on subsequent logins.
Since the policies apply successfully on the first login after a reboot, I'm thinking that's probably the best place to start looking. I haven't been successful in finding the differences between the first and subsequent logins, however.
Any suggestions?
I'm fairly new to W2K3, TS, and ZfD 6.5, so the more details the better.
Thanks!