[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Zen 6.5 & Group Policy for Novell SendMsg

Posted on 2006-03-24
23
Medium Priority
?
833 Views
Last Modified: 2008-01-09
Greetings:

Question:  We are in a K-12 school system and have to restrict the use of SendMessage nwsndmsg.exe from running on the student stations.  We have decided after much reading that the best way to acomplish this is by using Zen and pushing a group policy using the workstation object...  We found the artical at http://www.novell.com/coolsolutions/feature/3118.html that had a bit at the bottom of thr page about using the group policy to restrict this use.  I have been unable to find WHERE this is located.  I have looked up and down in gpedit.msc for a Novell listing will no luck.  I have also used consoleone to see if it was listed under the workstation policy package as well.  No luck...

I need to know where I need to set the restricting of sendmsg in the form of a policy I can push out...

Also, the answer has to be related to a policy not any of the following...

1: Do not wish to "disable it in the client" (kids know how to turn it on)
2: Do not wish to "hide the "N" icon
3: Do not wish to change the registry by using a login script.

Any takers?!

Thanx

Az

0
Comment
Question by:Azurden
  • 8
  • 5
  • 4
  • +2
20 Comments
 
LVL 19

Accepted Solution

by:
billmercer earned 200 total points
ID: 16282620
With ZenWorks 6.5, in ConsoleOne, go to the Workstation package.
Look under Policies for NT-2000-XP, you should see NT-Client Configuration.
Enable it, and click Properties
Under the Novell Client Configuration tab, choose the Advanced Menu Settings option.
There's an entry called Enable Send Message, this should do what you want.
If you have an older Zenworks version, the names may be different.
0
 
LVL 19

Expert Comment

by:billmercer
ID: 16282671
Just FYI, I don't think nwsndmsg.exe itself actually provides the send message functionality. I think it's just a wrapper to call the built-in function in the client, because disabling that executable doesn't prevent the client send message function from working.
 
0
 

Author Comment

by:Azurden
ID: 16282711
Bill:

When I go to the Policies for NT-2000-XP I do not see an "NT Client Config"...  Here is what is listed...

Computer Extensible Policies
Novell iPrint Policy
Remote COntrol Policy
Windows Group Policy
Workstation Inventory Policy
ZENworks Desktop Managment Agent Policy

Any ideas how to add the NT Client Config?

Thanks

Az
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 19

Expert Comment

by:billmercer
ID: 16282742
If you click the ADD button, does it show up as an option to add that policy?

Have you got the right ConsoleOne snapins for your Zenworks version installed?

0
 
LVL 19

Expert Comment

by:billmercer
ID: 16282751
Also, what Zenworks and ConsoleOne versions are you using?
0
 

Author Comment

by:Azurden
ID: 16282913
1.3.6 C-One
ZFD 6.5

Not sure how to add additional snapins...  It does not show as a policy that can be added...

Az
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16283075
Isn't there a special .adm file for the Novell client that someone put together themselves, available for download from coolsolutions?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16283089
Is that 1.3.6c or 1.3.6d or 1.3.6e?  
0
 

Author Comment

by:Azurden
ID: 16283114
Sorry...

1.3.6d
0
 
LVL 19

Expert Comment

by:billmercer
ID: 16283197
You probably need to upgrade your ConsoleOne to  1.36e. Not sure that will fix this specific issue,
but you should do it anyway, for other reasons.
You can download the latest Zenworks C1 snapins here...
http://download.novell.com/Download?buildid=Hw2EmnjzWbE~ 
0
 
LVL 19

Expert Comment

by:billmercer
ID: 16283376
Whoops, I boobooed...
The link above is for the Server plugins. You want the Desktop plugins, here...
http://download.novell.com/Download?buildid=2TUe019Z3zI~

Here's the link to the latest ConsoleOne itself.
http://download.novell.com/Download?buildid=CVTLiFIagE4~ 

Upgrade ConsoleOne first, then install the snapins.
0
 

Author Comment

by:Azurden
ID: 16310188
Ok, I installed the new C1 and the plugins...  Still no options for NT-Client...  Also, it does not show even to be added...

Ideas?

Az
0
 
LVL 19

Expert Comment

by:billmercer
ID: 16310851
Well, ya learn something every day.
This is apparently something that was removed from later versions of ZenWorks. At one point ZenWorks required the Novell Client be installed on workstations, so there had to be a way to configure it, but with ZfD4, the client requirement was removed.
http://www.novell.com/documentation/zenworks65/index.html?page=/documentation/zenworks65/dminstall/data/br0uov3.html

It looks like the solution is to create your own extensible policy based on the custom ADM files ShineOn mentioned earlier.  

ShineOn>Isn't there a special .adm file for the Novell client that someone put together themselves

Yep, here it is.
http://www.novell.com/coolsolutions/tools/14348.html 

0
 

Expert Comment

by:treyanderson
ID: 16333374
I believe that extensible policy functionality and .ADM files in specific have been short circuited by the almighty Microsoft with XP.  In my district we have been forced to make the change in the client itself, and then mitigate the risk of that change by preventing access to the network icons using group policy.  With the lack of .ADM template files that may be the only real solution left.  If you come up with another I would be very interested in seeing it.
0
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 200 total points
ID: 16334340
I'd go the route of creating a ZEN app that pushes the registry changes - set it to always make the setting changes, and always run, running as secure system user, at login event.  Disable access to regedit via ZEN group policy.  That way, even if they figger out a way to un-tweak it without using regedit, next time they log in, it's back to blocked.  

At least, using a ZEN app, you don't have to allow the user rights/permissions to run regedt or any other registry-modifying programs from the login script.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16334365
The use of custom .adm files hasn't really been short-circuited with XP - they just made it suck for anyone that doesn't bend over and take AD where the sun don't shine.

You can still do custom .adm files, but they will make a real registry change instead of a temporary, policy-generated registry change.
0
 
LVL 19

Expert Comment

by:billmercer
ID: 16343456
>I'd go the route of creating a ZEN app that pushes the registry changes - set it to always make
>the setting changes, and always run, running as secure system user, at login event.
Toward this end, here's the actual registry key that needs to be changed:
    HKLM\SOFTWARE\Novell\Network Provider\Menu Items\Enable Send Message Dialog
Change the value from yes to no.
0
 
LVL 1

Assisted Solution

by:Sebastien47136
Sebastien47136 earned 200 total points
ID: 16348451
Hi Az,

I'm at another K-12 school, and have been working with this. I'm interested to know if there is any particular reason that students need access to the "N" icon, which is where most of our students lauch it from. You can even create a different policy for teachers that leaves the "N" on if needed.

Through the ZENWorks Windows Group Policy you can prevent access to the command prompt, restrict their access to the C drive, and hide the notification area. (The trick is hiding the notification area which basically turns off the system tray.) gpedit.msc -> User Configuration -> Start Menu and Task Bar -> Hide Notification Tray.

For desktops that's not been a problem for us, laptops are another story as the user has no clue when their battery is about to die.

Just a thought.

P



0
 
LVL 35

Expert Comment

by:ShineOn
ID: 16355407
If you're using ZEN, don't launch gpedit.msc.  Let ConsoleOne launch it for you, when you configure the GP for the policy package you're working on.  The instance of gpedit.msc ZEN launches for you will not result in you screwing up your own local group policy settings.
0
 
LVL 1

Expert Comment

by:Sebastien47136
ID: 16355969
Point. I should have made that clear. Doh!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If anyone asked you to network diagram of the internet, it was drawn in the form of a fluffy cloud which further became known as cloud computing. Popularly cloud computing is defined as workloads that run over the internet in a commercial provider’s…
Most folks would know the basics of how Dropbox works, so that’s not the purpose of this article. Security is what it’s all about, so here I’ll share how I choose to secure my Dropbox Account and the Data it contains.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question