How to Enable Auditing in Novell Environment

If you also have Zenworks in your Novell environment it is very well possible that you do have Group policies configured.

What makes you think that Novell has something to do with the resetting of the policy?

Can you check that there isn't anything like DeepFreeze or SteadyState installed?

What version of Netware?

As deroode mentions about ZENworks, can you confirm that the ZENworks management agent might be installed (look in Control Panel | Add/Remove programs)?  If so its possibly a Policy Package with a Windows Group Policy is running on workstation reboot?

Novell doesn't put stuff back at default unless there is some sort of policy setup by someone via ConsoleOne and ZENworks or via Active Directory Users/Computers and Group policy editor and pushed to the workstation.

Novell auditing is more about changes to files/folders on the server or changes to eDirectory objects than it is about watching changes to workstations.

As deroode also mentions do you have DeepFreeze or some other program that caches changes while the box is running and then restores the box back to the default following reboot???

Scott

Thank you for responding... please check back tomorrow when I can check the network for complete answers to your questions.

I know there is Zenworks running and there is NO deepfreeze or other similar program installed (running). Thank goodness!  We use Console One for computer management - but as I mentioned I am a novice and know enough to get my job done.

The reason why I think it is Novell reverting the back is that turning the auditing on works on machines that do not have Novell installed on them.  

So if group policies were set up (prior to me) where would I find them to change them?  It may be a "default" policy setting that we haven't figured out how to manipulate.  

Here is what I needed to do - which works in our non-Novell systems... turn auditing on (like mentioned in my question) to determine what machine name is sending a remote shutdown to another machine.  The audit log shows this information in non-Novell machines.  

I REALLY appreciate any help you can give me.  And I'll respond again tomorrow when I know the versions, etc. that you had asked for.

On your user and workstations objects there is a Zenworks tab. Under this tab is the section "Effective Policies". Select that one, for User objects select the right OS, and click the Effective Policies button. That should show one or more Windows Group Policy objects assigned to your users or workstations.

Group policies in a ZEN environment are implemented as Local policies on the workstation, due to restrictions that are in place on the Group policy mechanism.

Select a Group policy object, click Package Properties, and check out where your group policies are stored, you can also edit them (of course)

BTW Remote shutdown is only possible if a user has administrative rights to a remote computer. If you want to prevent remote shutdown (is this a student environment?) you should do something about that. No policies or auditing will prevent an administrator of messing with a computer, deleting audit logs, changing policies etc.

Deroode - thanks for the response - I'm much closer, but need to go a step further.

The version of Console One is 1.3.6h. The version for our clients is 4.91 SP5.

I went to a workstation object > Zenworks Tab > Effective Policies.  Nothing appeared in the window, so I went to the Effective Policies button.  There were about 14 items on the list, two of them were for Windows Group Policy, the policy package is the same (workstation policy), but the association points to zenpcs.xxx.xxx and the other to xxx.xxx.

I clicked on the Package Properties for both and they are the same. Four workstation policies are listed: Novell iPrint, Remote Control, Workstation Imaging, and Zenworks Desktop Management Agent.  The only one enabled with a check mark is Remote Control.

So where do I go from here?

Regarding your BTW comment: Unfortunately, in our school system (yes, student environment) all users are using the same local windows user with admin rights.  They authenticate to Novell with their own user ID.  So, yes, they do have rights to remote to another computer.  Because it is a student environment, we can "redirect" the behavior if we can identify which machine is initiating the shutdown - based on log in times.  The student body knows they aren't supposed to do this and to help them make the right decisions, the Run command and Command Prompt have been removed from menus.  A couple of students are testing their boundaries.

In the Policy packages that are assigned to the workstations, can you also check under the "Policies" tab. Since the Effective policies on the workstation object indicate that Group Policies are active they should be in the policy package. Under Policies select the XP OS  or the NT-2000-XP OS. There you'll find your policies.

Also it might be possible (though unlikely) that policies are distributed with an application object. Look for any application objects that copy files to C:\windows\system32\Grouppolicy.

Ah ha - I am so close I can smell it (with your generous help of course!)

A Windows Group Policy is being run on system startup.

I found that the policy was created under an NT platform but is not able to be edited until migrated to the XP platform. That is why folks kept running into roadblocks when trying to edit it. Okay... I'm going to work on this a bit more, but may need your help again later today or tomorrow morning.