mogz asked:

DLU Administrators changing to users

We are running ZENworks 7 on Windows XP machines in our college and have some staff with laptops, and others that just log into shared desktops in staffrooms. Here's what we have set up:

A DLU of 'remote desktop users' and 'power users' for staff that is assigned to a User package for all staff.
Group policies assigned to the desktops so that restrictions (and folder redirections) are in place for staff. They are assigned to the desktop rather than the user account so that on the laptops the folder redirection and the restrictions don't occur

Now we want the laptop users to have administrator access on their laptops but be a power user on the desktops. After some research and asking questions, we did the following:
Placed all laptop objects in their own OU in the tree.
Made the DLU users be power users and remote desktop users. We then assigned login restrictions in that DLU and excluded the laptop OU object. On the laptop itself we then created an administrator account, set the Novell login to use their username as the Windows login username and then it would work. On the desktops they would be Power Users and on the laptops they would be administrators.
 
We have found however, that for some reason the user accounts on the laptops are reverting back to being Power Users and Remote Desktop Users. We can change them back manually to administrators but randomly they will just revert back to being power users. Does anybody have any suggestions as to what I can try to stop this happening?

Thanks in advance
ASKER CERTIFIED SOLUTION
alextoft
This solution is only available to members.

mogz (ASKER)

Hi Alextoft,

Thanks for that - so does this mean that regardless of whether the laptop is in the excluded list the DLU will still change a user account that's existing, but just not create it if it's not there?

ShineOn

If they've got the DLU policy, when they log in to a computer that has the workstation manager enabled, the DLU policy will run.  As alextoft said, it's a user policy.

I think one alternative is to manually create a local user account on the laptop that is a member of the local administrators group, and change the DLU policy so that existing user profiles are not managed, or do as alextoft said - turn off the DLU process in the laptop's workstation manager.

Either way, all other workstation manager-based services will still work, but the manually-created local user account won't be affected by the DLU policy.

mogz (ASKER)

Cool, thanks for that - I'm just still confused as to why they would even include the option to exclude workstations if it's still going to manage it anyway. I'm guessing the exclusion is there so that it won't create one - but rather just use existing ones.

That's why we thought it would work anyway, as when we tested, it indeed doesn't create the account... you have to manually specify a Windows login to get in.

Anyway, we are now testing the disabling of the DLU and will come back and accept solutions soon.

thanks

mogz (ASKER)

Sorry, I was reading it wrong - it's not excluded workstations - it's login restrictions set by workstation in the DLU settings... same thing in the end I guess

mogz (ASKER)

Thanks for that - works well!