[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Defaulting authentication out of Workstation Lock

Posted on 2006-07-13
2
Medium Priority
?
594 Views
Last Modified: 2008-02-26
OK this is a bit of an odd one. We are a shop that runs Netware/2000AD. Primarily we rely on Netware for things like password security policies and such; the AD is just there mainly to make workstation management easier and some basic Group Policy stuff.

One of the GP's we do have is an automatic screen saver lock after 15 minutes, which the users hate of course, but we are a medical school so HIPAA is scaring the crap out of everyone. One problem we are seeing, however, involves password expirations.

A scenario: A user logs in at 8am in the morning. Their password is set to expire today, but by chance the expiration date and time is not until 10am this morning, so when they log in they are not yet prompted to change their password. Throughout the day their screen locks a number of times, forcing them to re-authenticate with their NDS credentials when they want back in, each time decrementing their Grace Logins. If this happens enough times during the day, they eventually get locked out, and have to call the Help Desk. Of course techs don't always immediately recognize what the true problem here is, and given what we know about users it's not hard to imagine how this sometimes becomes a big mess.

Now, the Novell client by default prompts for the NDS credentials when you want to unlock the PC, but what we're wondering is if there is a way to get the client to automatically prompt for the Windows credentials instead. We have identity management which auto-pushes NDS password changes to the AD, so they are always the same. However, we don't actively enforce password ages on the AD side (relying on NDS to get them changed regularly), so if users were always unlocking their PC's using Windows credentials, in theory they wouldn't be continually burning their grace logins on the NDS password, and in cases where a password expires after a user has already logged in on a particular day, they just get prompted to change the next day when they login.

Obviously this isn't a situation that comes up very often, but it does happen. Of course users could simply select Windows authentication instead of Novell, but training them to do this, and expecting them to always remember to do so, doesn't seem feasible. A quick browse through the Novell client properties does not turn up anything that looks promising, and some initial Google's did not turn up anything either. Wondering if anyone has dealt with anything like this before?
0
Comment
Question by:mvogts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 35

Accepted Solution

by:
ShineOn earned 2000 total points
ID: 17104715
So the problem is that they're not notified that their password has expired if they use the password to unlock the screensaver, but it still logs as a grace login, but if they use their Windoze credentials (which are kept in sync with their eDirectory credentials I assume) they unlock and are still connected, so they don't take up any grace logins?

Just curious, as a medical school concerned with hipaa, why not use Novell's SecureLogin product instead of Windoze GPO?  I'd think it would be a more secure, hipaa-compliant way to do it... plus it could also be set to force an orderly, safe  logoff/shutdown process after being idle / locked for whatever additional time period you set, closing the programs for you and everything...  Way more compliant.

Anyway.

There is a registry tweak available with reasonably-current versions of the Novell Client called "simple unlock" that will force the unlock dialog to only allow one way or the other instead of giving the option box.  If you create the following key/value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"Simple Unlock"=dword:00000000

it will behave as it does normally (zero is same as default.)  To force eDirectory or Bindery only, set the dword value to 00000001, if you want Windoze auth only, set it to 00000002.

Here's a TID that explains it better: http://support.novell.com/cgi-bin/search/searchtid.cgi?10059068.htm
0
 

Author Comment

by:mvogts
ID: 17107719
Yes, you essentially nailed it. I don't have time right at the moment to test out your suggestion there but it looks promising, going to go ahead and award the points. Thanks a bunch.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WooCommerce is becoming the most powerful e-commerce plugin for Wordpress. And why not. The platform comprises of numerous core plugins that may come in handy, powerful options to make your website development task much easier.
If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question