
Zen 6.5 & Group Policy for Novell SendMsg

Azurden asked
Last Modified: 2008-01-09
Greetings:

Question:  We are in a K-12 school system and have to restrict the use of SendMessage nwsndmsg.exe from running on the student stations.  We have decided after much reading that the best way to accomplish this is by using Zen and pushing a group policy using the workstation object...  We found the article at http://www.novell.com/coolsolutions/feature/3118.html that had a bit at the bottom of the page about using the group policy to restrict this use.  I have been unable to find WHERE this is located.  I have looked up and down in gpedit.msc for a Novell listing with no luck.  I have also used ConsoleOne to see if it was listed under the workstation policy package as well.  No luck...

I need to know where I need to set the restricting of sendmsg in the form of a policy I can push out...

Also, the answer has to be related to a policy not any of the following...

1: Do not wish to "disable it in the client" (kids know how to turn it on)
2: Do not wish to hide the "N" icon
3: Do not wish to change the registry by using a login script.

Any takers?!

Thanx

Az


With ZenWorks 6.5, in ConsoleOne, go to the Workstation package.
Look under Policies for NT-2000-XP, you should see NT-Client Configuration.
Enable it, and click Properties
Under the Novell Client Configuration tab, choose the Advanced Menu Settings option.
There's an entry called Enable Send Message, this should do what you want.
If you have an older Zenworks version, the names may be different.

Just FYI, I don't think nwsndmsg.exe itself actually provides the send message functionality. I think it's just a wrapper to call the built-in function in the client, because disabling that executable doesn't prevent the client send message function from working.
 

Author

Commented:
Bill:

When I go to the Policies for NT-2000-XP I do not see an "NT Client Config"...  Here is what is listed...

Computer Extensible Policies
Novell iPrint Policy
Remote Control Policy
Windows Group Policy
Workstation Inventory Policy
ZENworks Desktop Management Agent Policy

Any ideas how to add the NT Client Config?

Thanks

Az
If you click the ADD button, does it show up as an option to add that policy?

Have you got the right ConsoleOne snapins for your Zenworks version installed?

Also, what Zenworks and ConsoleOne versions are you using?

Author

Commented:
1.3.6 C-One
ZFD 6.5

Not sure how to add additional snapins...  It does not show as a policy that can be added...

Az
CERTIFIED EXPERT

Commented:
Isn't there a special .adm file for the Novell client that someone put together themselves, available for download from coolsolutions?
CERTIFIED EXPERT

Commented:
Is that 1.3.6c or 1.3.6d or 1.3.6e?  

Author

Commented:
Sorry...

1.3.6d
You probably need to upgrade your ConsoleOne to  1.36e. Not sure that will fix this specific issue,
but you should do it anyway, for other reasons.
You can download the latest Zenworks C1 snapins here...
http://download.novell.com/Download?buildid=Hw2EmnjzWbE~ 
Whoops, I boobooed...
The link above is for the Server plugins. You want the Desktop plugins, here...
http://download.novell.com/Download?buildid=2TUe019Z3zI~

Here's the link to the latest ConsoleOne itself.
http://download.novell.com/Download?buildid=CVTLiFIagE4~ 

Upgrade ConsoleOne first, then install the snapins.

Author

Commented:
Ok, I installed the new C1 and the plugins...  Still no options for NT-Client...  Also, it does not show even to be added...

Ideas?

Az
Well, ya learn something every day.
This is apparently something that was removed from later versions of ZenWorks. At one point ZenWorks required the Novell Client be installed on workstations, so there had to be a way to configure it, but with ZfD4, the client requirement was removed.
http://www.novell.com/documentation/zenworks65/index.html?page=/documentation/zenworks65/dminstall/data/br0uov3.html

It looks like the solution is to create your own extensible policy based on the custom ADM files ShineOn mentioned earlier.  

ShineOn>Isn't there a special .adm file for the Novell client that someone put together themselves

Yep, here it is.
http://www.novell.com/coolsolutions/tools/14348.html 

I believe that extensible policy functionality and .ADM files in specific have been short circuited by the almighty Microsoft with XP.  In my district we have been forced to make the change in the client itself, and then mitigate the risk of that change by preventing access to the network icons using group policy.  With the lack of .ADM template files that may be the only real solution left.  If you come up with another I would be very interested in seeing it.
CERTIFIED EXPERT
Commented:
I'd go the route of creating a ZEN app that pushes the registry changes - set it to always make the setting changes, and always run, running as secure system user, at login event.  Disable access to regedit via ZEN group policy.  That way, even if they figger out a way to un-tweak it without using regedit, next time they log in, it's back to blocked.  

At least, using a ZEN app, you don't have to allow the user rights/permissions to run regedt or any other registry-modifying programs from the login script.
CERTIFIED EXPERT

Commented:
The use of custom .adm files hasn't really been short-circuited with XP - they just made it suck for anyone that doesn't bend over and take AD where the sun don't shine.

You can still do custom .adm files, but they will make a real registry change instead of a temporary, policy-generated registry change.
>I'd go the route of creating a ZEN app that pushes the registry changes - set it to always make
>the setting changes, and always run, running as secure system user, at login event.
Toward this end, here's the actual registry key that needs to be changed:
    HKLM\SOFTWARE\Novell\Network Provider\Menu Items\Enable Send Message Dialog
Change the value from yes to no.
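
An added example, not part of the original thread: a PowerShell script that audits the registry setting named above and, with `-Enforce`, resets it, which is the kind of check a pushed application or scheduled task could run at each login. It assumes `Enable Send Message Dialog` is a string (REG_SZ) value under the `Menu Items` key; the script layout and exit codes are this example's own choices.

```powershell
# Added example: audit or enforce the Novell Client "Send Message" menu setting.
# Assumption: "Enable Send Message Dialog" is a string (REG_SZ) value under the
# "Menu Items" key, holding "yes" or "no" as described in the thread.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\Novell\Network Provider\Menu Items'
$ValueName = 'Enable Send Message Dialog'
$Desired   = 'no'

function Get-SendMessageSetting {
    # Returns the current value, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$current = Get-SendMessageSetting

if ($null -eq $current) {
    # Key or value missing: client not installed, or a different registry layout.
    Write-Output "NOT FOUND: '$ValueName' is not present under $KeyPath"
    exit 2
}
if ($current -ieq $Desired) {
    Write-Output "OK: '$ValueName' = '$current'"
    exit 0
}

# The value exists but is not the desired one: report it, fix it only on request.
Write-Output "DRIFT: '$ValueName' = '$current', expected '$Desired'"
if ($Enforce) {
    # Writing under HKLM needs administrative rights (for example, running as SYSTEM).
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Desired -Type String
    Write-Output "FIXED: '$ValueName' set to '$Desired'"
    exit 0
}
exit 1
```

Run without `-Enforce` first to see which workstations have drifted; the distinct exit codes (0 compliant, 1 drift, 2 not found) let a deployment tool collect the results.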
Hi Az,

I'm at another K-12 school, and have been working with this. I'm interested to know if there is any particular reason that students need access to the "N" icon, which is where most of our students launch it from. You can even create a different policy for teachers that leaves the "N" on if needed.

Through the ZENWorks Windows Group Policy you can prevent access to the command prompt, restrict their access to the C drive, and hide the notification area. (The trick is hiding the notification area which basically turns off the system tray.) gpedit.msc -> User Configuration -> Start Menu and Task Bar -> Hide Notification Tray.

For desktops that's not been a problem for us, laptops are another story as the user has no clue when their battery is about to die.

Just a thought.

P



CERTIFIED EXPERT

Commented:
If you're using ZEN, don't launch gpedit.msc.  Let ConsoleOne launch it for you, when you configure the GP for the policy package you're working on.  The instance of gpedit.msc ZEN launches for you will not result in you screwing up your own local group policy settings.
Point. I should have made that clear. Doh!