How to Enable Auditing in Novell Environment

Posted on 2010-11-09
Last Modified: 2012-05-10
I would like to enable auditing on selected XP Pro computers. Every time I reboot, it seems like Novell writes over the changes.  How can I enable the Audit Policy and have it stay OR is there another way to turn this feature on?

I wanted to do this: start>run>secpol.msc>Local Settings>Audit Policy

Then navigate to shutdown.exe>Rt Click>Properties>Security>Advanced>Auditing, and go from there....

Reboot takes forever as it resets the policies back to a "default".  I am a novice at Novell. We do not use Group Policies or Active Directory.
Question by: cssunetadmin
LVL 19

Expert Comment

ID: 34100043
If you also have Zenworks in your Novell environment it is very well possible that you do have Group policies configured.

What makes you think that Novell has something to do with the resetting of the policy?

Can you check that there isn't anything like DeepFreeze or SteadyState installed?
LVL 30

Expert Comment

ID: 34101211
What version of Netware?
LVL 18

Expert Comment

ID: 34102421
As deroode mentions about ZENworks, can you confirm that the ZENworks management agent might be installed (look in Control Panel | Add/Remove programs)?  If so, it's possibly a Policy Package with a Windows Group Policy running on workstation reboot?

Novell doesn't put stuff back at default unless there is some sort of policy set up by someone via ConsoleOne and ZENworks or via Active Directory Users/Computers and Group policy editor and pushed to the workstation.

Novell auditing is more about changes to files/folders on the server or changes to eDirectory objects than it is about watching changes to workstations.

As deroode also mentions, do you have DeepFreeze or some other program that caches changes while the box is running and then restores the box back to the default following reboot?




Author Comment

ID: 34107696
Thank you for responding... please check back tomorrow when I can check the network for complete answers to your questions.

I know there is Zenworks running and there is NO deepfreeze or other similar program installed (running). Thank goodness!  We use Console One for computer management - but as I mentioned I am a novice and know enough to get my job done.

The reason why I think it is Novell reverting them back is that turning the auditing on works on machines that do not have Novell installed on them.

So if group policies were set up (prior to me) where would I find them to change them?  It may be a "default" policy setting that we haven't figured out how to manipulate.  

Here is what I needed to do - which works in our non-Novell systems... turn auditing on (like mentioned in my question) to determine what machine name is sending a remote shutdown to another machine.  The audit log shows this information in non-Novell machines.  

I REALLY appreciate any help you can give me.  And I'll respond again tomorrow when I know the versions, etc. that you had asked for.
LVL 19

Expert Comment

ID: 34109734
On your user and workstation objects there is a Zenworks tab. Under this tab is the section "Effective Policies". Select that one, for User objects select the right OS, and click the Effective Policies button. That should show one or more Windows Group Policy objects assigned to your users or workstations.

Group policies in a ZEN environment are implemented as Local policies on the workstation, due to restrictions that are in place on the Group policy mechanism.

Select a Group policy object, click Package Properties, and check out where your group policies are stored; you can also edit them (of course).

BTW Remote shutdown is only possible if a user has administrative rights to a remote computer. If you want to prevent remote shutdown (is this a student environment?) you should do something about that. No policies or auditing will prevent an administrator from messing with a computer, deleting audit logs, changing policies etc.

Author Comment

ID: 34110999
Deroode - thanks for the response - I'm much closer, but need to go a step further.

The version of Console One is 1.3.6h. The version for our clients is 4.91 SP5.

I went to a workstation object > Zenworks Tab > Effective Policies.  Nothing appeared in the window, so I went to the Effective Policies button.  There were about 14 items on the list, two of them were for Windows Group Policy, the policy package is the same (workstation policy), but the association points to and the other to

I clicked on the Package Properties for both and they are the same. Four workstation policies are listed: Novell iPrint, Remote Control, Workstation Imaging, and Zenworks Desktop Management Agent.  The only one enabled with a check mark is Remote Control.

So where do I go from here?

Regarding your BTW comment: Unfortunately, in our school system (yes, student environment) all users are using the same local Windows user with admin rights.  They authenticate to Novell with their own user ID.  So, yes, they do have rights to remote to another computer.  Because it is a student environment, we can "redirect" the behavior if we can identify which machine is initiating the shutdown - based on log in times.  The student body knows they aren't supposed to do this and to help them make the right decisions, the Run command and Command Prompt have been removed from menus.  A couple of students are testing their boundaries.
LVL 19

Expert Comment

ID: 34111192
In the Policy packages that are assigned to the workstations, can you also check under the "Policies" tab? Since the Effective policies on the workstation object indicate that Group Policies are active they should be in the policy package. Under Policies select the XP OS or the NT-2000-XP OS. There you'll find your policies.

Also it might be possible (though unlikely) that policies are distributed with an application object. Look for any application objects that copy files to C:\windows\system32\Grouppolicy.

Author Comment

ID: 34112087
Ah ha - I am so close I can smell it (with your generous help of course!)

A Windows Group Policy is being run on system startup.

I found that the policy was created under an NT platform but is not able to be edited until migrated to the XP platform. That is why folks kept running into roadblocks when trying to edit it. Okay... I'm going to work on this a bit more, but may need your help again later today or tomorrow morning.  
LVL 19

Accepted Solution

deroode earned 500 total points
ID: 34118524
You can of course also delete the NT policy and create a new one.  The policy package details will tell you where the policy files are stored. The policy files themselves are a group of directories (adm, user, machine) with a gpt.ini file. In the ADM directory there are .adm files, in the User and Machine directories there are Registry.pol files.

You can use notepad to get an idea of what is configured in the policy.
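
The Registry.pol files mentioned in the accepted answer are binary (a `PReg` header followed by UTF-16LE `[key;value;type;size;data]` entries), so a text editor shows only fragments of them. As an added example that is not part of the original thread, this Python parser lists the entries of such a file; the function names and the sample bytes, including the two policy values placed in the sample, are constructed for illustration.

```python
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
HEADER = b"PReg" + (1).to_bytes(4, "little")   # signature + format version 1

def read_wstr(buf, pos):      # NUL-terminated UTF-16LE -> (text, offset after NUL)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def skip(buf, pos, ch):       # require the UTF-16LE delimiter ch, step past it
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def decode(rtype, data):
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    return int.from_bytes(data, "little") if rtype == REG_DWORD else data

def parse_registry_pol(buf):
    """Return (key, value name, type, data) for each [key;value;type;size;data]."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, skip(buf, pos, "["))
        name, pos = read_wstr(buf, skip(buf, pos, ";"))
        pos = skip(buf, pos, ";")
        rtype = int.from_bytes(buf[pos:pos + 4], "little")
        size = int.from_bytes(buf[pos + 6:pos + 10], "little")
        pos = skip(buf, skip(buf, pos + 4, ";") + 4, ";")   # "type;size;" = 12 bytes
        if pos + size > len(buf):
            raise ValueError("entry data runs past end of file")
        out.append((key, name, rtype, decode(rtype, buf[pos:pos + size])))
        pos = skip(buf, pos + size, "]")
    return out

def make_entry(key, name, rtype, data):        # builds constructed sample entries
    w, n = (lambda s: s.encode("utf-16-le")), (lambda i: i.to_bytes(4, "little"))
    return (w("[%s\0;%s\0;" % (key, name)) + n(rtype) + w(";")
            + n(len(data)) + w(";") + data + w("]"))

# Constructed sample (two DWORD policies), not the policy from the thread.
SAMPLE = HEADER + b"".join(
    make_entry(key, name, REG_DWORD, (1).to_bytes(4, "little")) for key, name in [
        (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"),
        (r"Software\Policies\Microsoft\Windows\System", "DisableCMD")])
```

To inspect a real policy, pass the bytes of a Registry.pol copied from the package's User or Machine directory to `parse_registry_pol`.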
