ZDM Policies

From CoolSolutionsWiki

Find out how to configure policies in Novell ZENworks 7 Desktop Management

Contents

Introduction

Who should read this HOWTO?

If you plan to save your time and strength you should think about reading this HOWTO. This HOWTO helps you to configure policies in Novell ZENworks 7 Desktop Management (Desktop Management). I don't go into detail about the various features of policies, or what each option means, but I do cover the basics that you need to know to get it configured.

Policies and Policy Packages

A policy is a set of rules that defines how workstations, users, and servers can be configured and controlled, including application availability and access, file access, and appearance and contents of individual desktops. Policies are contained within policy packages, where they are also administered and customized. A policy package is a Novell eDirectory object containing one or more individual policies. The policy package groups policies according to function, making it easier to administer them. It also provides the means for the administrator to change policy settings and to determine how they affect other eDirectory objects. The Policy Packages are:

  • Container Package is an eDirectory object that contains a collection of policies relating to containers. This policy package can be associated only with container objects.
  • Server Package is an eDirectory object that contains a collection of policies relating to servers. This policy package can be associated only with servers, server groups, and container objects.
  • Service Location Package is an eDirectory object that contains a collection of policies relating to services. This policy package can be associated only with container objects.
  • User Package is an eDirectory object that contains a collection of policies relating to users. This policy package can be associated only with users, user groups, and container objects.
  • Workstation Package is an eDirectory object that contains a collection of policies relating to workstations. This policy package can be associated only with workstations, workstation groups, and container objects.

By way of example of User and Container Packages I'll show how to use policies in Desktop Management. Desktop Management provides policies that are applied to various individual computer platforms, to a combination of platforms, and to a General platform, which lets you configure policies that are applied to all platforms. In User Package policies are subdivided into such platforms: General, Windows 9x, Windows NT-2000-XP, Windows NT, Windows 2000, Windows XP, Windows 2000-2003 Terminal Server, Windows 2000 Terminal Server and Windows 2003 Terminal Server. Some of them need comments:

  • General. Policies set on this page apply to all platforms unless you configure the same policy on a specific platform page. Policies set on a specific platform page override policies set on the General page.
  • Windows 9x. Although Microsoft no longer supports Windows 95, existing Windows 95/98 policies from a previous installation of Desktop Management that are associated with Windows 95 machines or users will continue to function. Desktop Management does not allow you to create new policies for Windows 95 machines or users.
  • Windows NT-2000-XP and Windows 2000-2003 Terminal Server. Use this page if you do not want to treat Windows NT/2000/XP and Windows 2000-2003 Terminal Server as separate platforms.

The Container Package contains only the Search policy. The Search policy is used to limit how far up the tree Desktop Management searches for the effective policies. The Search policy locates the policy packages that are associated with containers. To make a Search policy effective, you associate it with a container. Unless specified differently in a Search policy, when Desktop Management starts searching for an object's associated policy packages, it starts at the object and works its way up the tree. If Desktop Management does not have any Search policies defined, it walks the tree until it finds the root object. This can cause unnecessary network traffic. Therefore, plan to use Search policies wherever needed.

Configuring policies

Prerequisites

This section presents a real-world example of implementing Windows XP Group Policies in large company division. This solution helped IT department meet a special set of requirements. Suppose you have:

  • Windows XP workstation with Desktop Management agent installed.
  • Middle Tier and Desktop Management Servers, based on Novell Netware 6.5 with user accounts and imported workstations.
  • Administrator's workstation with Novell Client 4.9.1. SP2 and Novell ConsoleOne 1.3.6e installed.

Creating Container Package and User Package

  1. Authorize through Novell Client in eDirectory and launch Novell ConsoleOne.
  2. Create a new container called "policy_packages". To do this right-click mouse in chosen container, click New, click New Organizational Unit, give the unit name, click ОК.
  3. Right-click the new unit, click New, click Policy Package. Choose Container Package, click Next, give the package a short name "search_policy", click Next.
  4. Select Create another policy package check box, then click Finish. Choose User Package, click Next. Give the package a short name "user_policies", click Next, click Finish.

Configuring Container Package

  1. In ConsoleOne, right-click the search_policy, then click Properties.
  2. Select the check box under the Enabled column for the Search policy. This both selects and enables the policy.
  3. Click Properties to display the Search Level Page. Using the drop-down list, select the level to search up to:
    • [Root]: Searches from the object to the root of the tree.
    • Object Container: Searches to the parent container of the Server, User, or Workstation object.
    • Associated Container: Searches to the associated container that this Search policy is associated with.
    • Selected Container: Searches from the object to the selected container.
  4. To determine the searching limits in either direction, specify a number in the Search Level box:
    • 0 – limits the search to the selected level. This is the default setting.
    • 1 – limits the search to one level above the selected level.
    • -1 – limits the search to one level below the selected level.
  5. Click the Search Order tab. Specify the policy searching order using the arrow keys, the Add button, and the Remove button if necessary.
  6. Click the Refresh Interval tab. Specify the frequency for how often (in days & hours) the server should refresh its policies. Click OK.
  7. The policy you configured and enabled is not in effect until you associate its policy package. Click the Associations tab, then click Add. Browse for and select the container object for association to the Search policy. Click OK when finished.

Searching Limits Determination


Configuring User Package

  1. In ConsoleOne , right-click the user_policies, then click Properties.
  2. Click the down-arrow on the Policies tab, then select the desired platform, in our case Windows XP. You can see five policies here:
    • Dynamic Local User (DLU) is a user object that is temporarily or permanently created in the workstation’s Security Access Manager database. If your environment has several users who log on to a shared workstation or Terminal Server, you can configure and enable the DLU policy. After you have configured and enabled this policy, Desktop Management dynamically creates user accounts on the local workstation or Terminal Server while the user is logging in to the system.
    • Novell iPrint Policy lets you configure a Novell iPrint client that can be placed on workstations. Using the Novell iPrint client, users can use the Internet to print to iPrint printers just like any other printer, regardless of the printer physical location.
    • Remote Control Policy enables the administrator to specify security settings for various remote management sessions. By default, this policy is available from all platform pages provided by Desktop Management.
    • Windows Desktop Preferences allows you to enable roaming profiles and apply desktop settings.
    • Windows Group Policy. You can specify and edit group policies for Windows 2000/XP workstations and for Windows 2000/2003 Terminal Servers.
  3. Select the check box under the Enabled column for the Windows Group policy. This both selects and enables the policy.
  4. Click Properties to display the Windows Group Policies page.
  5. Specify the network location for new or existing group policies. Make sure that users have sufficient rights to access this network location.
  6. (Conditional) If you want to import group policies from Active Directory, click Import Policy.
  7. (Conditional) If you want to edit existing group policies, click Edit Policies. When you click the Edit Policies button, the Microsoft Management Console editor is launched, where you can edit a User Package policy.
  8. (Optional) Select the Group Policies remain in effect on user logout check box to indicate that the pushed group policies remain in effect on the local Windows desktop after the user logs out. The limitation with this approach is that any user who logs in locally (workstation only) receives the Group policy settings of the last person who logged in to the network on that workstation.
  9. (Optional) Select the Cache User Configuration check box. Selecting the Cache User Configuration check box causes the user configuration settings of each user’s effective Windows Group policies to be stored in each user's local profile. Novell does not recommend using both the Group policies remain in effect on user logout settings and the Cache User Configuration settings in an environment in which the user Group policies are pushed to different users on common workstations.
  10. In the Applied Settings Types group box, enable the desired options. These options allow Windows user, computer, and security settings to be pushed with a User or Workstation policy. User Configuration Option Activation
    • User Configuration: Select to push settings under User Configuration with the Windows Group policy.
    • Computer Configuration: Select to push settings under Computer Configuration (except Security Settings) with the Windows Group policy.
    • Security Settings: Select to push Windows security settings with the Windows Group policy.
      Selecting these options applies all security settings under Computer Configuration > Windows Settings > Security Settings. Only the User Configuration settings under Applied Settings Types apply to Terminal Servers. The Computer Configuration and Security Settings options are not available for Terminal Servers.
  11. Click the Policy Schedule tab to select a schedule type: Event, Daily, Weekly, Monthly and Yearly. You can click Advanced Settings to set additional settings such as Completion, Fault, Impersonation, Priority, and Time Limit.
  12. Click OK to save the policy.
  13. The policies you configured and enabled are not in effect until you associate their policy package. Click the Associations tab, then click Add.
  14. Browse for and select the container, group, user, or workstation object for associating the package, then click OK.

Conclusion

This HOWTO has shown how to configure policies in Desktop Management. While your project may not have the same constraints as the example described in this HOWTO, I hope some of the ideas presented here will help you use the powerful features of Desktop Management to ease your everyday routine.

Resources

  • Novell ZENworks 7 Desktop Management Installation Guide, 2007
  • Novell ZENworks 7 Desktop Management Administration Guide, 2006
  • Randy Bander Managing Windows 2000 Group Policies with ZENworks for Desktops 3. – Novell Article, 2002