Hanntho
asked on
Novell zenworks windows XP, AD login order and auto login problem
We're in the process og removing novell login from our computers and going over to a windows only network. Since we're satisfied with use zenworks actively for remote control and application control, we want to continue using it. We now want Zenworks to login automatically, whilst the users login to AD.
We removed Novell and set Zenworks to login automatically with some registry alterations, the problem is that with roaming profiles the user is logged into windows automatically too. This is because the Zenworks login happens before windows login. Uninstalling zenworks logging in and reinstalling helps, but it sometimes has to be done more than once.
Anyone got a smart way of changing the order of Zenworks and Windows login order, so we don't need to uninstall x number of times on all our PC's.
We removed Novell and set Zenworks to login automatically with some registry alterations, the problem is that with roaming profiles the user is logged into windows automatically too. This is because the Zenworks login happens before windows login. Uninstalling zenworks logging in and reinstalling helps, but it sometimes has to be done more than once.
Anyone got a smart way of changing the order of Zenworks and Windows login order, so we don't need to uninstall x number of times on all our PC's.
ShineOn
It would be immensely helpful if you would let us know what version of ZENworks you have.
ASKER
The zenworks version is 6.5, so is the Novell version we're uninstalling. XP with sp3
The ZEN workstation agent by design will load pre-desktop, which is where the workstation-associated policies and application pre-distribution takes place.
First off, a bit of unsolicited advice that may or may not be relevant to your problem: If you are using AD group policy you must disable the group policy support of the ZEN agent. See this TID for how to disable ZEN group policy support:
http://support.novell.com/docs/Tids/Solutions/10099524.html
As to your issue:
You may already have read the docs and verified your new setup follows the guidelines, but here's a link to the Zen 6.5 documentation section on running ZEN in a Windows/AD environment:
http://www.novell.com/documentation/zenworks65/index.html?page=/documentation/zenworks65/dminstall/data/aliq069.html
Since you're going from a mixed NetWare/Windows environment to a Windows environment, there may be leftovers from the mixed-platform setup giving you grief. If any of the components in your setup aren't configured per the documentation, check to verify it doesn't adversely affect operations - like giving you frustrations with double logins.
Since ZEN 6.5 requires eDirectory, you do need to consider using DirXML to sync AD and eDirectory. If they're not synchronized, that may be a reason for your extraneous login activity problem. Ideally, it will be transparent (single sign-on, so to speak.) Even though the agent will want to authenticate to eDirectory pre-login, it should only be authenticating as the workstation, in the background, and not asking for a user login/password before the NWGINA login.
In theory.
However, in reading your original question again, I notice that you are doing some form of auto login, and are using roaming profiles, which are also automatically logging in - which is a head-scratcher for me. How do you use a roaming profile and auto-login if, by definition, roaming profiles get loaded when you log in, and why? And, why auto-login the ZEN agent if the user is logging in? The ZEN agent should take the user you use to log in to Windows, unless I'm mistaken.
Another question arises from that - are the roaming profiles ZEN profiles or AD profiles? If they're ZEN profiles and you are also using AD GPO, be sure to read the first TID I posted.
First off, a bit of unsolicited advice that may or may not be relevant to your problem: If you are using AD group policy you must disable the group policy support of the ZEN agent. See this TID for how to disable ZEN group policy support:
http://support.novell.com/docs/Tids/Solutions/10099524.html
As to your issue:
You may already have read the docs and verified your new setup follows the guidelines, but here's a link to the Zen 6.5 documentation section on running ZEN in a Windows/AD environment:
http://www.novell.com/documentation/zenworks65/index.html?page=/documentation/zenworks65/dminstall/data/aliq069.html
Since you're going from a mixed NetWare/Windows environment to a Windows environment, there may be leftovers from the mixed-platform setup giving you grief. If any of the components in your setup aren't configured per the documentation, check to verify it doesn't adversely affect operations - like giving you frustrations with double logins.
Since ZEN 6.5 requires eDirectory, you do need to consider using DirXML to sync AD and eDirectory. If they're not synchronized, that may be a reason for your extraneous login activity problem. Ideally, it will be transparent (single sign-on, so to speak.) Even though the agent will want to authenticate to eDirectory pre-login, it should only be authenticating as the workstation, in the background, and not asking for a user login/password before the NWGINA login.
In theory.
However, in reading your original question again, I notice that you are doing some form of auto login, and are using roaming profiles, which are also automatically logging in - which is a head-scratcher for me. How do you use a roaming profile and auto-login if, by definition, roaming profiles get loaded when you log in, and why? And, why auto-login the ZEN agent if the user is logging in? The ZEN agent should take the user you use to log in to Windows, unless I'm mistaken.
Another question arises from that - are the roaming profiles ZEN profiles or AD profiles? If they're ZEN profiles and you are also using AD GPO, be sure to read the first TID I posted.
ASKER
Looks like I overcomplicated the question... We've pretty much got the profile stuff sorted, and over to only AD, but we need Zenworks to login automatically so we can control machines without users having to be present.
When we put the userinfo in Novell\Login\... in the registry, with Zenworks login first, it passes the login details to Win/AD and the user isn't prompted to authenticate.
I've tried altering GinaDLL value in winlogon to msgina.dll, which gives the Windows login, but then Zenworks doesn't login automatically at all, and eventually prompts for login from the desktop.
Uninstall and reinstall somehow rectifies this (eventually), but I can't see how. I can't reinstall Zenworks x number of times on all our PC's, it'll take forever with remote control and rebooting etc.
When we put the userinfo in Novell\Login\... in the registry, with Zenworks login first, it passes the login details to Win/AD and the user isn't prompted to authenticate.
I've tried altering GinaDLL value in winlogon to msgina.dll, which gives the Windows login, but then Zenworks doesn't login automatically at all, and eventually prompts for login from the desktop.
Uninstall and reinstall somehow rectifies this (eventually), but I can't see how. I can't reinstall Zenworks x number of times on all our PC's, it'll take forever with remote control and rebooting etc.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi again, Get the overwhelmed at work bit. Thanks for your help, you got me thinking around the problem in a sensible way. Found out that our users don't really need their zen login info so we change the zen passwords and the auto-login gives the right username, but without logging in to Win/AD.
It appears that there needs to be a login for zenworks to re-import the maskin again after removal of the Novell client and we need it to give the users the right applications/shortcuts for their locations.
For some reason, we didn't need to specify the middle tier referanse before, but were required to after uninstalling Novell, again a registry entry to Zenworks\MiddleTierAddress
Thanks again, you deserve the points for helping others when you yourself are snowed under!
It appears that there needs to be a login for zenworks to re-import the maskin again after removal of the Novell client and we need it to give the users the right applications/shortcuts for their locations.
For some reason, we didn't need to specify the middle tier referanse before, but were required to after uninstalling Novell, again a registry entry to Zenworks\MiddleTierAddress
Thanks again, you deserve the points for helping others when you yourself are snowed under!