Wikis - Page

Using ZCM Bundles to speed the login for students at shared computers

0 Likes
ZENworks in the Schools Contest
Submitted by: Markus Wehr

Solution: Novell login with a generic mandatory Windows user


Environment: Windows 7 x64, Novell Client, iPrint, ZCM 11.1

Introduction


Novell Client provides a very cool setting: AutoAdminQueryNDS.

What does it do? You setup a Windows user for AutoLogon and Novell Client will query NDS before logging on the user.

What we need



  1. Generic Windows user

  • Mandatory Profile for this user

  • Shared Computer Configuration


The result


Advantages are:

Fastest logon times. We use folder redirection (Desktop, MyDocuments, Favorites) to the mapped HomeDir. Still the time to ready desktop is 5sec. and <10sec. from logon to ready opened browser.

The logon process is very reliable. I have never seen a hanging Logon-Screen after successful Novell login.

The setup is ideal for general use PCs where students logon/logoff frequently like Stand-Up printing stations.

Disadvantages:

No possibility for fine granular desktop access control as with DLU.

Applications will use the generic username.

How to setup


We could put A and B together and deploy a master image with the generic Windows user. Here I describe a complete process including deployment of the generic windows user via ZCM Bundle.

Use ZCM Bundle(s) and Policies to deploy the generic Windows user, mandatory profile, computer settings to the workstations.

In the process you setup a generic Windows user that will be shared amongst all workstation users. You can use space and uppercase in the username without problem.

I name it "Lab User". The user will get a clue that data will not persist if she for example browses the folder "C:\Users\Lab User\Downloads".

A: The generic Windows user


Prerequisite: http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx

Bundle-Action Run Script:
set pwpw=%random%%random%
net accounts /maxpwage:UNLIMITED
net user "Lab User" %pwpw% /add
net user "Lab User" /passwordchg:no /expires:never /profilepath:${WinDisk}\Users\m.man
${WinDir}\Temp\Autologon.exe "Lab User" %computername% %pwpw% -accepteula

B: The mandatory profile


Step 1: Use Sysprep/CopyProfile to create a default Profile (http://support.microsoft.com/kb/973289)

Step 2: Use the System Applet to copy the default profile to "C:\Users\m.V2" and give permissions to everyone.

Step 3: Create the user "Lab User" and assign profile path "C:\Users\m". A mandatory profile loads fast and will load even faster if the username matches the username used at creation time.

Step 4: Logon "Lab User" and if you like further customize the profile. It is necessary to start IE9 once. Consider to disable IE proxy auto detection (WPAD).

Deploy the Mandatory profile

Logoff "Lab User". Rename C:\Users\m.V2\ntuser.dat to C:\Users\m.V2\ntuser.man

Bundle-Action "Install Directory":

Upload the Directory C:\Users\m.V2

Destination Directory: ${WinDisk}\Users\m.man.V2

Since attributes gets lost use a script to restore them:

Run Script Action:
echo off
for /R "c:\users\m.man.v2\" %%G in (desktop.in?) DO (CALL :desktopini "%%~dpG")
attrib C:\users\m.man.v2 R H S
GOTO :eof
:desktopini
set dpath=%~dp1
attrib "%dpath:~0,-1%" R
attrib "%dpath�sktop.ini" A H S
GOTO :eof

C: Shared computer configuration


Some of these settings are typical in a LAB environment. However when using the generic user it is necessary to:

  1. Not try to delete the user profile after logout. The profile "C:\Users\Lab User " must stay in place and will be overwritten reliable at the next logon.

  • Disable Search indexing (sc config WSearch start= disabled). The search indexer stores sensitive data outside the user profile.

  • Remove NTFS create rightsA Local File Rights Policy can do the job. Alternatively use a Bundle Launch Action with icacls.exe. You should treat at least these locations:

    1. Tasks folder(e.g. Bundle Launch Action: icacls.exe ${WinSysDir}\Tasks /remove *S-1-5-11)

  • "%SystemDrive%\$Recycle.Bin"

  • "%SystemDrive%\Users\Public"

  • "%SystemDrive%\"




Enable/Disable the generic user


Finally we enable the generic user with these registry settings:

HKLM\Software\Novell \Login\AutoAdminQueryNDS =1
HKLM\Software\Novell\ZCM\ZenLgn\DisablePassiveModeLogin=1
HKLM\Software\Novell\Workstation Manager\DLUAllowed=0

Toggle these settings to switch back to DLU.

Appendix


Since ZCM user logon is not needed and to take full advantage of the lightweight logon process I disable ZCM Agent Logon (HKLM\Software\Novell\ZCM\ZenLgn\DisablePassiveModeLogin=1).

Machine assigned Bundles and Bundle Links are still working without user ZCM Logon - however user variables are not available.

iPrint works fine.

We have an old VBA application that needs the following patch:

Copy the current users context from: HKLM\SOFTWARE\Novell\Login\History\Contexts\1

to: HKCU\Software\Novell\LIBRARY\TREE_NAME_______________________

I use a Bundle with "run script action" for this one.

Mandatory Profile

The "Lab User" will have a different SID on each Machine. To make Group Policies work it is necessary to prepare the ntuser.man:

  1. Open the ntuser.man in regedit.exe (load hive "myprofile")

  • Set permissions to full for Authenticated Users onHKEY_USERS\myprofile\Software\Policies
    HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Group Policy
    HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Policies

  • Close ntuser.man


It is convenient to use a separate Bundle to deploy a modified ntuser.man to workstations.

It is possible to replace "Administrator" with %username% or "Lab User" in the mandatory Profile. Verify how your applications work with:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Consider to use this policy:

Computer: Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync=1

This still works: http://www.novell.com/coolsolutions/tools/14324.html

Consider to disable ActiveSetup stubpaths

HKLM\SOFTWARE\Wow6432Node\ Microsoft\Active Setup\Installed Components\
{89820200-ECBD-11cf-8B85-00AA005B4340}

and

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}

also under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

Use Bundle-Action Registry Edit to deploy empty stubpaths.

Labels:

How To-Best Practice
Comment List
Related
Recommended