Solved

WinXP Screensaver Unlock with NDS authentication ONLY.

Posted on 2004-08-18
Last Modified: 2010-05-18
Hello,
    I have Novell Client 4.91 SP1 and WinXP SP1 installed on my workstations. The students log in to Windows with an NDS username and pass, but they use a generic Windows account called Student with no password to log in to a system. We have the systems configured to go to password-protected screensaver mode after 10 minutes of inactivity. The problem is that when the screensaver prompts them to log in again, they can select the "From" box and change the authentication method to Windows. This allows them to log back into the station with the generic "Student" account and bypasses the NDS security. In this scenario, if one student walks away and another comes over, they can circumvent NDS and log in to Windows and still be logged into NDS as the other student. How can I change it so they can unlock the screensaver from NDS only? Any help greatly appreciated. Thanks, BH
0
Question by:BabyhueyHN
23 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 11835821
Well, my advice would be to not use generic accounts for the Windoze login. With ZENworks, use Dynamic Local Users. There's a long laundry list of good reasons to do this, starting with the issue you're seeing now.

If you're an educational institution, your pricing (if you don't already have ZENworks) is dirt-cheap. And it's great for the educational setting. North Carolina State University (Raleigh, NC, USA - I'm not affiliated with them, I've just seen their ZENworks setup in action) uses ZEN to deliver applications and lock down desktops for over 20K students across its campus. I can't think of a reason NOT to use ZEN. If you can afford Redmond's rapacious licensing costs, ZEN is chump-change.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11835851
In addition to there being a long laundry list of reasons to use ZEN and DLUs for Windoze in a lab environment, there's a long list of reasons to NOT use a generic local user account, starting with the enormous security holes that adds to the already insecure Windoze environment.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11841946
You might want to download the latest support pack and patches for the 4.9 client.  It is at SP2 and there are post-SP2 patches out there as well.  This *could* be a bug in the client.  You should be able to apply the SP and patches to one PC and test it to see if it helps.

I can see how having one local account for all students would ease management, so if there's a workaround that doesn't involve ZEN and DLU I'm guessing you'd prefer it.  If the fix for your issue involves a registry hack rather than a properties setting, I'd recommend using ZEN anyway to manage deployment of the hack.
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11844587
DON'T USE SCREEN SAVERS

Their password scheme is internal to the screen saver itself.  Remove the screen savers from the computers.  Teach the users about Ctrl-Alt-Del > Lock Workstation instead.  Then you can do what you want to do.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11844923
I thought that if you have the Novell client installed, screen savers with the "password" checkbox checked will redirect to the Novell client's authentication scheme.
Does it only *look* like the Novell client login?  I have been wrong a couple of times this year already... ;-)
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11845163
We've got Win2K and screensavers on one or two machines.  When they go off and ask for a password, it's simply a password field and does not ask for a username (needed for NDS authentication if you were going to bypass the logged in user).
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845643
What I see is a big dialog box that says "Novell Client" at the top and says the workstation has been locked.  It defaults to NDS in a drop-down that gives you the option of selecting "Windows."  The user ID and password field are both available.  If you leave it NDS, it has the tree, context and server fields available, and if you take Windows it changes to a dialog that shows the local computer but presumably can be changed to a Windoze domain.  Pretty much the same thing as taking the lock computer option.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845664
I wonder if you can get around this Asker's issue by turning off the ability to select "workstation only" in the client properties...
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11845690
Dontja need Zen to do that?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845787
Only if you want to do it the easy way...

I'm talking about the various "workstation only" options in the Advanced Login tab in the Novell client properties.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11845798
Anyway, I have no idea if it would work - it's just a thought, and I don't want to experiment on my workstation just now...
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 11846081
hmmm.. wonder why you see a Novell client for passwords on screen savers and we don't...
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11846308
Dunno.  Is that a Question? ;-)
0
 

Author Comment

by:BabyhueyHN
ID: 11855966
ShineOn, what you described is what I see on my screen. I will try the workstation only option to see if it solves it.

DSPoole, when I enable screensaver password, my XP SP1 machines go to the Novell Auth to get back into the machine. The workstation gets locked once the screensaver activates.

BH
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13470213
BabyhueyHN, did this issue get resolved?

If so, please come back and let us know.
0
 

Author Comment

by:BabyhueyHN
ID: 13547065
This issue is still outstanding. I am going to have to implement ZEN and do Dynamic Local Users. BH
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13547212
Keep in mind that you can't do DLU if you are not in a "workgroup" environment.  It messes things up if you have a Windoze domain.  You didn't mention, so I thought I'd post a warning, just in case...
0
 

Author Comment

by:BabyhueyHN
ID: 13618816
Thanks. We don't use Domains. We only have workgroups set up.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15825753
I think there's value to this.  Paq/refund?
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15826241
Works for me :)
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 15863137
PAQed with points (500) refunded

DarthMod
Community Support Moderator
0
