Solved

WinXP Screensaver Unlock with NDS authentication ONLY.

Posted on 2004-08-18
Last Modified: 2010-05-18
Hello,
I have Novell Client 4.91 SP1 and WinXP SP1 installed on my workstations. The students log in to Windows with an NDS username and pass, but they use a generic Windows account called Student with no password to log in to a system. We have the systems configured to go to password-protected screensaver mode after 10 minutes of inactivity. The problem is that when the screensaver prompts them to log in again they can select the "From" box and change the authentication method to Windows. This allows them to log back into the station with the generic "Student" account and bypasses the NDS security. In this scenario, if one student walks away and another comes over, they can circumvent NDS and log in to Windows and still be logged into NDS as the other student. How can I change it so they can unlock the screensaver from NDS only? Any help greatly appreciated. Thanks, BH
0
Question by:BabyhueyHN
23 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 11835821
Well, my advice would be to not use generic accounts for the Windoze login. With ZENworks, use Dynamic Local Users. There's a long laundry list of good reasons to do this, starting with the issue you're seeing now.

If you're an educational institution, your pricing (if you don't already have ZENworks) is dirt-cheap. And it's great for the educational setting. North Carolina State University (Raleigh, NC, USA - I'm not affiliated with them, I've just seen their ZENworks setup in action) uses ZEN to deliver applications and lock down desktops for over 20K students across its campus. I can't think of a reason NOT to use ZEN. If you can afford Redmond's rapacious licensing costs, ZEN is chump-change.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11835851
In addition to there being a long laundry list of reasons to use ZEN and DLUs for Windoze in a lab environment, there's a long list of reasons to NOT use a generic local user account, starting with the enormous security holes that adds to the already insecure Windoze environment.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11841946
You might want to download the latest support pack and patches for the 4.9 client.  It is at SP2 and there are post-SP2 patches out there as well.  This *could* be a bug in the client.  You should be able to apply the SP and patches to one PC and test it to see if it helps.

I can see how having one local account for all students would ease management, so if there's a workaround that doesn't involve ZEN and DLU I'm guessing you'd prefer it.  If the fix for your issue involves a registry hack rather than a properties setting, I'd recommend using ZEN anyway to manage deployment of the hack.
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11844587
DON'T USE SCREEN SAVERS

Their password scheme is internal to the screen saver itself.  Remove the screen savers from the computers.  Teach the users about Ctrl-Alt-Del > Lock Workstation instead.  Then you can do what you want to do.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11844923
I thought that if you have the Novell client installed, screen savers with the "password" checkbox checked will redirect to the Novell client's authentication scheme.
Does it only *look* like the Novell client login?  I have been wrong a couple of times this year already... ;-)
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11845163
We've got Win2K and screensavers on one or two machines.  When they go off and ask for a password, it's simply a password field and does not ask for a username (needed for NDS authentication if you were going to bypass the logged in user).
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845643
What I see is a big dialog box that says "Novell Client" at the top and says the workstation has been locked.  It defaults to NDS in a drop-down that gives you the option of selecting "Windows."  The user ID and password field are both available.  If you leave it NDS, it has the tree, context and server fields available, and if you take Windows it changes to a dialog that shows the local computer but presumably can be changed to a Windoze domain.  Pretty much the same thing as taking the lock computer option.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845664
I wonder if you can get around this Asker's issue by turning off the ability to select "workstation only" in the client properties...
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11845690
Dontja need Zen to do that?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845787
Only if you want to do it the easy way...

I'm talking about the various "workstation only" options in the Advanced Login tab in the Novell client properties.
0

 
LVL 35

Expert Comment

by:ShineOn
ID: 11845798
Anyway, I have no idea if it would work - it's just a thought, and I don't want to experiment on my workstation just now...
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11846081
hmmm.. wonder why you see a Novell client for passwords on screen savers and we don't...
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11846308
Dunno.  Is that a Question? ;-)
0
 

Author Comment

by:BabyhueyHN
ID: 11855966
ShineOn, what you described is what I see on my screen. I will try the workstation only option to see if it solves it.

DSPoole, when I enable screensaver password, my XP SP1 machines go to the Novell Auth to get back into the machine. The workstation gets locked once the screensaver activates.

BH
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13470213
BabyhueyHN, did this issue get resolved?

If so, please come back and let us know.
0
 

Author Comment

by:BabyhueyHN
ID: 13547065
This issue is still outstanding. I am going to have to implement ZEN and do Dynamic Local Users. BH
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13547212
Keep in mind that you can't do DLU if you are not in a "workgroup" environment.  It messes things up if you have a Windoze domain.  You didn't mention, so I thought I'd post a warning, just in case...
0
 

Author Comment

by:BabyhueyHN
ID: 13618816
Thanks. We don't use Domains. We only have workgroups set up.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15825753
I think there's value to this.  Paq/refund?
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15826241
Works for me :)
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 15863137
PAQed with points (500) refunded

DarthMod
Community Support Moderator
0


Question has a verified solution.
