zenworks login prompt on password change

My ZENworks server is running 11.1a, MS AD directory is configured as the user source and some bundles are assigned to AD users/user groups. On Win7 workstations, users get through the domain logon and all these user NAL icons appear on the Desktop. When their password expires and they change their password, an extra ZCM password dialog box pops up and asks for the password.

I know there is a registry key, DisablePassiveLoginPrompt, to suppress the ZCM prompt, but I found that the user is not logged in to ZCM when the user password is changed on expiry, and no user NAL icons show up. It is not possible for me to re-assign all these user-associated icons to workstations.

A password change policy is common practice in large firms; has anyone encountered a similar problem? Is there any setting I'm missing? I tested an upgrade to 11.2 but the problem is still there.
  • If the password has expired, the ZCM LDAP Logon is not able to work.

    However, most companies use a setting such as this:
    http://technet.microsoft.com/en-us/library/cc783344(v=WS.10).aspx

    I know I've used that in my domains since about 1995.


    On 6/25/2012 10:26 PM, aywwong wrote:
    >
    > My ZENworks server is running 11.1a, MS AD directory is configured as
    > the user source and some bundles are assigned to AD users/user groups.
    > On Win7 workstations, users get through the domain logon and all
    > these user NAL icons appear on the Desktop. When their password expires
    > and they change their password, an extra ZCM password dialog box pops
    > up and asks for the password.
    >
    > I know there is a registry key, DisablePassiveLoginPrompt, to suppress
    > the ZCM prompt, but I found that the user is not logged in to ZCM when
    > the user password is changed on expiry, and no user NAL icons show up.
    > It is not possible for me to re-assign all these user-associated icons
    > to workstations.
    >
    > A password change policy is common practice in large firms; has anyone
    > encountered a similar problem? Is there any setting I'm missing? I
    > tested an upgrade to 11.2 but the problem is still there.
    >
    >



    --
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Knowledge Partner

    Novell does not officially monitor these forums.

    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.
  • Using the AD Group Policy works fine when AD is the primary directory and you are not using Novell Client. In our environment eDirectory is the primary source for login credentials, with IDM syncing credentials to AD. Password policies are configured in eDirectory, while AD has its password policy set to be minimal (no expire, etc.). Our Win 7 computers are members of the AD domain, but the XP machines are not. So when a user logs in, Novell Client may or may not prompt for expired/change password; ZENworks then prompts for change password too... which really confuses the users. ZCM SHOULD NOT PROMPT TO CHANGE PASSWORD. That is the job of the NETWORK CLIENT (either Novell Client OR MS Client).

    Any suggestions?
  • Hi Patrickcs,
    We have the same problem in our environment. Did you find a solution for this?

    Greetings, WeeZel
  • CRAIGDWILSON;2203664 wrote:
    If the password has expired, the ZCM LDAP Logon is not able to work.

    However, most companies use a setting such as this:
    http://technet.microsoft.com/en-us/library/cc783344(v=WS.10).aspx

    I know I've used that in my domains since about 1995.




    It should work, IF you allow grace logins in eDirectory. At least it *mostly* works for us here. eDir sync via IDM to AD. All workstations are members of the domain. Novell Client is also installed.

    Unfortunately the issue we see a *lot* is that AFTER changing the password and rebooting, the ZCM agent refuses to accept the new password for some reason. But it's random.
  • Could be slow password replication.
    Seen more often with AD than eDir, but you may want to set up an Auth Sat
    that points to the same replica where a user's password change would occur first.

    > It should work, IF you allow grace logins in eDirectory. At least it
    > *mostly* works for us here. eDir sync via IDM to AD. All workstations
    > are members of the domain. Novell Client is also installed.
    >
    > Unfortunately the issue we see a *lot* is that AFTER changing the
    > password and rebooting, the ZCM agent refuses to accept the new password
    > for some reason. But it's random.
    >
    >



    --
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer

  • On 10/20/2014 4:34 PM, CRAIGDWILSON wrote:
    > Could be slow password replication.
    > Seen more often with AD than eDir, but you may want to set up an Auth Sat
    > that points to the same replica where a user's password change would occur first.
    >
    >> It should work, IF you allow grace logins in eDirectory. At least it
    >> *mostly* works for us here. eDir sync via IDM to AD. All workstations
    >> are members of the domain. Novell Client is also installed.
    >>
    >> Unfortunately the issue we see a *lot* is that AFTER changing the
    >> password and rebooting, the ZCM agent refuses to accept the new password
    >> for some reason. But it's random.
    >>
    >>

    >
    >

    Hi

    We have experienced this problem for a long time. Our AD domain
    controllers are all centralized in one datacenter, where I've verified
    that password replication completes within a few seconds, max a minute.

    A zac cc will normally fix it, which seems to me to mean that the ZAA is
    caching the AD password.

    About to start rolling out the 11.3.1FTF client, it's on my list of
    things to test for...

  • Hmm... we have grace logins enabled in our eDir; however, we have the ZCM password change prompt at login if the password is expired. The eDir is our primary directory service, so we don't want to manage the password changes through the AD. Our IDM is also syncing in a one-way configuration. A password change on the AD would not have an effect on the eDir user.

    The main problem that we have is that the ZCM prompt comes first and right after this the Novell Client prompt comes up. We would prefer to have only the Novell Client prompt during a login with an expired password.
    I already tried to change the network provider sequence in the advanced settings of the Windows network connections, but this did not help. Does anybody know how I can get the Novell Client loaded prior to the ZCM?
  • WeeZel;2337474 wrote:
    Hmm... we have grace logins enabled in our eDir; however, we have the ZCM password change prompt at login if the password is expired. The eDir is our primary directory service, so we don't want to manage the password changes through the AD. Our IDM is also syncing in a one-way configuration. A password change on the AD would not have an effect on the eDir user.

    The main problem that we have is that the ZCM prompt comes first and right after this the Novell Client prompt comes up. We would prefer to have only the Novell Client prompt during a login with an expired password.
    I already tried to change the network provider sequence in the advanced settings of the Windows network connections, but this did not help. Does anybody know how I can get the Novell Client loaded prior to the ZCM?


    Weird, ours doesn't do that.
    All our Windows 7 machines are in our AD Domain. We have IDM that syncs eDir to AD (password syncs are only from eDir to AD).
    The Novell Client login screen always comes up first, the user logs in and THEN the ZAA login happens, then you get into the workstation. THEN you are prompted to change your password (we have grace logins as well). You change your eDir password and that's it.

    Occasionally though, the next morning, the ZAA pops up with the authentication box and you have to enter your OLD password.

    It was my understanding that if the Novell Client was on the PC first, and then the ZAA installed, that you'd always get the Novell Client login first and then pass thru to the ZAA client/agent.

    Not sure why you're getting the ZAA first (maybe it was installed before the client?)
    --Kevin
  • Oh, I forgot to tell you that our machines are on Windows 2008R2 and we are using Citrix XenApp 6.5 on them. The problem occurs during a XenApp login and also during an RDP login...
    But the rest of the configuration is the same as in your environment. The 2008R2 machines are members of the AD and the IDM syncs only from eDir to AD.

    The Novell Client was installed first and after that the ZCM Agent.
    I configured the Novell Client to use "passive mode login" as described in TID: 7004709 to ensure that Windows uses the AD Login method as primary and to get XenApp to work correctly.
    Could this configuration generate the behaviour that we are experiencing?
  • WeeZel;2337819 wrote:
    Oh, I forgot to tell you that our machines are on Windows 2008R2 and we are using Citrix XenApp 6.5 on them. The problem occurs during a XenApp login and also during an RDP login...
    But the rest of the configuration is the same as in your environment. The 2008R2 machines are members of the AD and the IDM syncs only from eDir to AD.

    The Novell Client was installed first and after that the ZCM Agent.
    I configured the Novell Client to use "passive mode login" as described in TID: 7004709 to ensure that Windows uses the AD Login method as primary and to get XenApp to work correctly.
    Could this configuration generate the behaviour that we are experiencing?


    I would recommend an SR for this issue.
    I'm not sure it is the EXACT issue being tracked, but in your SR reference Bug#891782, which deals with a 2nd password change prompt with ZCM and the Novell Client installed.
    Please post the SR# here for me to follow.