User source change \ Passive Login

Hi all,

We're moving fully away from eDirectory to a native AD environment and have a little scenario that I wanted to sanity-check while we're mid-migration...

On our existing Windows 7 workstations we have ZCM 11 SP3 Agent along with OEM Client. There's a bunch of existing Bundle assignments that will take some time to migrate and there seems little point in doing so as we've built a fresh ZCM 2017 installation for our Windows 10 machines.

I've noticed the following behaviour on a test Windows 7 machine, which seems to be an ideal workaround to the full User Source migration detailed at https://www.netiq.com/support/kb/doc.php?id=7017934


  • I change the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication\NCCredProvider\ComputerOnlyLogonDefault to 1
  • this effectively disables OES login and performs "Computer Only" domain login instead
  • OES Client shows no connections (as expected)
  • ZCM Agent shows the equivalent user in the eDir tree as logged in
  • however the user can't have been authenticated in eDirectory by the client as no OES login has been performed

My theory is that the ZCM Agent is just seeing an authenticated username via the Passive Mode Login and is mapping it to the equivalent user in eDir. This means that I get the best of both worlds in that we don't lose Bundle assignments but can lose the OES Login (and therefore maintenance of the eDir tree to some extent).

As a halfway house between Windows 7 \ ZCM 11 \ eDir and our fresh Windows 10 \ ZCM 2017 \ AD setup this looks like it'll do the trick but it seems to have happened by accident rather than design. Is it expected behaviour or just a fluke on my test machine and not something I can rely on at a larger scale?
  • That would be by design......
    The ZCM Logon is not tied to the OES Client Logon or any NCP connections.

    --

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • CRAIGDWILSON;2483020 wrote:
    That would be by design......
    The ZCM Logon is not tied to the OES Client Logon or any NCP connections.


    That sounds good for what we want, so just to confirm this should work...


    • a user called Fred exists in both eDir and AD
    • ZCM is configured to use eDir as its user source
    • the machine is domained and set to Computer Only logon
    • ZCM Agent sees Fred is logged in and maps his Bundles etc. to the eDir user source user called Fred, despite the user having logged into AD on the client itself
  • Yes...........

    If you configure Your Zone to Support both the eDir and AD User Source, it gets more complicated.....but the ZCM Logon is not tied to either the NCP logon or the Windows Workstation Domain Logon.......(Unless Kerberos is Configured in lieu of LDAP Password authentication.)
