BabyhueyHN
asked on
WinXP Screensaver Unlock with NDS authentication ONLY.
Hello,
I have Novell Client 4.91 SP1 and WinXP SP1 installed on my workstations. The students log in to Windows with an NDS username and pass, but they use a generic Windows account called Student with no password to log in to a system. We have the systems configured to go to password-protected screensaver mode after 10 minutes of inactivity. The problem is that when the screensaver prompts them to log in again they can select the "From" box and change the authentication method to Windows. This allows them to log back into the station with the generic "Student" account and bypasses the NDS security. In this scenario, if one student walks away and another comes over, they can circumvent NDS and log in to Windows and still be logged into NDS as the other student. How can I change it so they can unlock the screensaver from NDS only? Any help greatly appreciated. Thanks, BH
In addition to there being a long laundry list of reasons to use ZEN and DLUs for Windoze in a lab environment, there's a long list of reasons to NOT use a generic local user account, starting with the enormous security holes that adds to the already insecure Windoze environment.
You might want to download the latest support pack and patches for the 4.9 client. It is at SP2 and there are post-SP2 patches out there as well. This *could* be a bug in the client. You should be able to apply the SP and patches to one PC and test it to see if it helps.
I can see how having one local account for all students would ease management, so if there's a workaround that doesn't involve ZEN and DLU I'm guessing you'd prefer it. If the fix for your issue involves a registry hack rather than a properties setting, I'd recommend using ZEN anyway to manage deployment of the hack.
DON'T USE SCREEN SAVERS
Their password scheme is internal to the screen saver itself. Remove the screen savers from the computers. Teach the users about Ctrl-Alt-Del > Lock Workstation instead. Then you can do what you want to do.
I thought that if you have the Novell client installed, screen savers with the "password" checkbox checked will redirect to the Novell client's authentication scheme.
Does it only *look* like the Novell client login? I have been wrong a couple of times this year already... ;-)
We've got Win2K and screensavers on one or two machines. When they go off and ask for a password, it's simply a password field and does not ask for a username (needed for NDS authentication if you were going to bypass the logged in user).
What I see is a big dialog box that says "Novell Client" at the top and says the workstation has been locked. It defaults to NDS in a drop-down that gives you the option of selecting "Windows." The user ID and password field are both available. If you leave it NDS, it has the tree, context and server fields available, and if you take Windows it changes to a dialog that shows the local computer but presumably can be changed to a Windoze domain. Pretty much the same thing as taking the lock computer option.
I wonder if you can get around this Asker's issue by turning off the ability to select "workstation only" in the client properties...
Dontja need Zen to do that?
Only if you want to do it the easy way...
I'm talking about the various "workstation only" options in the Advanced Login tab in the Novell client properties.
Anyway, I have no idea if it would work - it's just a thought, and I don't want to experiment on my workstation just now...
hmmm.. wonder why you see a Novell client for passwords on screen savers and we don't...
Dunno. Is that a Question? ;-)
ASKER
ShineOn, what you described is what I see on my screen. I will try the workstation only option to see if it solves it.
DSPoole, when I enable screensaver password, my XP SP1 machines go to the Novell Auth to get back into the machine. The workstation gets locked once the screensaver activates.
BH
BabyhueyHN, did this issue get resolved?
If so, please come back and let us know.
ASKER
This issue is still outstanding. I am going to have to implement ZEN and do Dynamic Local Users. BH
Keep in mind that you can't do DLU if you are not in a "workgroup" environment. It messes things up if you have a Windoze domain. You didn't mention, so I thought I'd post a warning, just in case...
ASKER
Thanks. We don't use Domains. We only have workgroups set up.
I think there's value to this. Paq/refund?
Works for me :)
If you're an educational institution, your pricing (if you don't already have ZENworks) is dirt-cheap. And it's great for the educational setting. North Carolina State University (Raleigh, NC, USA - I'm not affiliated with them, I've just seen their ZENworks setup in action) uses ZEN to deliver applications and lock down desktops for over 20K students across its campus. I can't think of a reason NOT to use ZEN. If you can afford Redmond's rapacious licensing costs, ZEN is chump-change.