Defaulting authentication out of Workstation Lock
Posted on 2006-07-13
OK this is a bit of an odd one. We are a shop that runs Netware/2000AD. Primarily we rely on Netware for things like password security policies and such; the AD is just there mainly to make workstation management easier and some basic Group Policy stuff.
One of the GPs we do have is an automatic screen saver lock after 15 minutes, which the users hate of course, but we are a medical school so HIPAA is scaring the crap out of everyone. One problem we are seeing, however, involves password expirations.
A scenario: A user logs in at 8am. Their password is set to expire today, but by chance the expiration date and time is not until 10am this morning, so when they log in they are not yet prompted to change their password. Throughout the day their screen locks a number of times, forcing them to re-authenticate with their NDS credentials when they want back in, each time decrementing their Grace Logins. If this happens enough times during the day, they eventually get locked out and have to call the Help Desk. Of course techs don't always immediately recognize what the true problem here is, and given what we know about users it's not hard to imagine how this sometimes becomes a big mess.
Now, the Novell client by default prompts for the NDS credentials when you want to unlock the PC, but what we're wondering is if there is a way to get the client to automatically prompt for the Windows credentials instead. We have identity management which auto-pushes NDS password changes to the AD, so they are always the same. However, we don't actively enforce password ages on the AD side (relying on NDS to get them changed regularly), so if users were always unlocking their PCs using Windows credentials, in theory they wouldn't be continually burning their grace logins on the NDS password, and in cases where a password expires after a user has already logged in on a particular day, they would just get prompted to change it the next day when they log in.
Obviously this isn't a situation that comes up very often, but it does happen. Of course users could simply select Windows authentication instead of Novell, but training them to do this, and expecting them to always remember to do so, doesn't seem feasible. A quick browse through the Novell client properties does not turn up anything that looks promising, and some initial Googling did not turn up anything either. Wondering if anyone has dealt with anything like this before?
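The failure mode described above (expiry lands mid-shift, every unlock after that moment costs a grace login, and the help desk sees only a "locked out" user) is easy to spot ahead of time from the directory itself. The following is an added example, not code from the original post or from Novell: a small help-desk triage script that classifies users from the eDirectory attributes `passwordExpirationTime` (an LDAP GeneralizedTime value) and `loginGraceRemaining`. The user records here are constructed sample data standing in for what an LDAP search over those two attributes would return, the nine-hour "shift" window is an assumption, and the `cn` values are invented.

```python
"""Triage for the "password expires mid-shift, screen lock burns grace logins" case.

Added example, not from the original post. Input records are shaped like the
result of an eDirectory LDAP search for passwordExpirationTime and
loginGraceRemaining (real eDirectory attribute names); the records below are
constructed sample data, not real users.
"""
from datetime import datetime, timedelta, timezone

EXPIRY_ATTR = "passwordExpirationTime"   # LDAP GeneralizedTime, e.g. 20060713100000Z
GRACE_LEFT_ATTR = "loginGraceRemaining"  # grace logins still available on the account
DEFAULT_SHIFT = timedelta(hours=9)       # assumed length of a working day

# Constructed sample directory records (invented cns, not real accounts).
SAMPLE_RECORDS = [
    {"cn": "alice", EXPIRY_ATTR: "20060713100000Z", GRACE_LEFT_ATTR: "3"},
    {"cn": "bob",   EXPIRY_ATTR: "20060713100000Z", GRACE_LEFT_ATTR: "1"},
    {"cn": "carol", EXPIRY_ATTR: "20060713100000Z", GRACE_LEFT_ATTR: "0"},
    {"cn": "dave",  EXPIRY_ATTR: "20060801000000Z", GRACE_LEFT_ATTR: "5"},
    {"cn": "erin"},  # no expiration set on this account
]

# Two constructed points in time matching the scenario in the post:
# a login at 08:00 UTC and an unlock at 14:00 UTC on the expiry day.
SAMPLE_MORNING = datetime(2006, 7, 13, 8, 0, tzinfo=timezone.utc)
SAMPLE_AFTERNOON = SAMPLE_MORNING + timedelta(hours=6)


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime string of the form YYYYMMDDHHMMSSZ."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def assess_user(record: dict, now: datetime, shift: timedelta = DEFAULT_SHIFT) -> str:
    """Classify one user for the unlock/grace-login problem.

    Statuses:
      no_expiry             account has no expiration time set
      ok                    expiry is beyond the current shift
      expires_within_shift  expiry lands later in the shift; every unlock
                            after that moment will cost a grace login
      expired_burning_grace past expiry, grace logins still left
      locked_out            past expiry and no grace logins remain
    """
    if EXPIRY_ATTR not in record:
        return "no_expiry"
    expiry = parse_generalized_time(record[EXPIRY_ATTR])
    grace = int(record.get(GRACE_LEFT_ATTR, "0"))
    if expiry <= now:
        return "locked_out" if grace == 0 else "expired_burning_grace"
    if expiry <= now + shift:
        return "expires_within_shift"
    return "ok"


def triage(records, now: datetime, shift: timedelta = DEFAULT_SHIFT) -> dict:
    """Map cn -> status for every record."""
    return {r["cn"]: assess_user(r, now, shift) for r in records}


def at_risk(records, now: datetime, shift: timedelta = DEFAULT_SHIFT) -> list:
    """Users the help desk should warn or reset before they call in, sorted by cn."""
    bad = {"expires_within_shift", "expired_burning_grace", "locked_out"}
    return sorted(cn for cn, status in triage(records, now, shift).items() if status in bad)


if __name__ == "__main__":
    for label, when in (("08:00", SAMPLE_MORNING), ("14:00", SAMPLE_AFTERNOON)):
        print(label, triage(SAMPLE_RECORDS, when))
        print("  at risk:", at_risk(SAMPLE_RECORDS, when))
```

Run in the morning, the script lists users whose password will expire before the day is out, which is exactly the population that will start burning grace logins at every screen unlock; run when a user calls in, it tells the tech whether they are looking at an expired password with grace left (a simple change will do) or a genuinely locked-out account. The records would normally come from an LDAP search against eDirectory that requests those two attributes; the search itself is left out so the example runs offline.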