Novell Workstation Manager: Managing Windows NT Workstations Couldn't Be Easier
01 Jan 1997
Windows NT Workstation offers some significant advantages over Windows 95 and Windows 3.x: For example, Windows NT Workstation is designed to run high-end applications such as database and CAD applications. Windows NT Workstation also provides desktop security that is not available in a Windows 95 or Windows 3.x environment. For example, Windows NT Workstation provides file-level security and allows you to restrict access to the desktop through group assignments and user accounts.
In an IntranetWare environment, however, setting up security for multiple users on multiple Windows NT workstations can increase your workload as a network administrator. Users can also be inconvenienced since they must log in to the Windows NT workstation and then log in to the network.
To solve these problems, Novell will soon release Novell Workstation Manager, which builds on the connectivity provided by IntranetWare Client for Windows NT and leverages the power of Novell Directory Services (NDS). Windows NT workstations can now be integrated into NDS, allowing them to function seamlessly in an IntranetWare environment.
This article explains how you can use Novell Workstation Manager to manage Windows NT workstations from a central location: You can create dynamic Windows NT accounts, manage login scripts and user profiles, customize users' login options, and use Novell's Automatic Client Upgrade (ACU) utility to automatically upgrade software on Windows NT workstations.
HOW DOES NOVELL WORKSTATION MANAGER WORK?
To use Novell Workstation Manager, you must have an IntranetWare or NetWare 4 server; Novell Workstation Manager does not work with NetWare 3 because it requires NDS. (IntranetWare Client for Windows NT allows you to authenticate to a NetWare 3 server, but the client's functionality will be limited.)
Novell Workstation Manager stores user and desktop configuration information in NDS, allowing you to create and manage Windows NT user accounts with the NetWare Administrator (NWADMIN) utility. When a user logs in to the network, Novell Workstation Manager uses NDS information to grant the user access to Windows NT workstations.
Novell Workstation Manager provides this central administration through two software components: Novell's Graphical Identification and Authentication (NWGINA) module and snap-in DLL files for the NWADMIN utility.
To enable Novell Workstation Manager, you must install NWGINA on all Windows NT workstations, and you must extend the NDS schema by installing snap-in DLLs on each workstation from which you want to manage Windows NT workstations. To extend the schema, you first open the REGEDIT.EXE file, which is the registry editor included with Windows NT Workstation. After this application is open, access the HKEY_CURRENT_USER/Software/NetWare/Parameters/NetWare Administrator/Snapin Object DLLs WINNT subdirectory.
The snap-in DLLs perform two functions: If you are running the NWADMIN utility on a Windows NT, Windows 95, or Windows 3.x workstation for the first time, these DLLs extend the schema and enable you to use Novell Workstation Manager. After the schema has been extended, these DLLs allow you to view the NT Workstation object that has been added to the NDS schema. If you run the NWADMIN utility from a workstation that is not running the DLLs, NT Workstation objects appear as question marks in the NWADMIN utility.
When a user logs in to an IntranetWare network from a Windows NT workstation, NWGINA collects the username and password as they are entered at the Windows NT workstation and checks with NDS to verify that the user has a valid NDS account and has rights to use Windows NT workstations. If the user is authenticated to NDS and has rights to use Windows NT workstations, NWGINA retrieves user information from NDS and uses this information to create a user account on the workstation.
To create this user account, NWGINA must have administrative rights to the Windows NT workstation. These rights allow NWGINA to dynamically create and delete users on the workstation, based on the information received from NDS.
Because users may need different levels of access to a Windows NT workstation, you can use NDS User objects, Group objects, or Container objects to customize users' access. NT Workstation objects are associated with users rather than specific workstations. As a result, you can manage all Windows NT users with one object or create multiple objects to meet the needs of different users.
To grant users access to an NT Workstation object, click that object in the NWADMIN utility, and then click the Associations button in the object's Details page. From the Associations screen, you can select which objects should be associated with the NT Workstation object by clicking the Add button and browsing for objects. All objects associated with the NT Workstation object receive the rights and restrictions configured for that object.
HOW DO YOU CONFIGURE NOVELL WORKSTATION MANAGER?
After you associate objects with an NT Workstation object, you can define specific options for the object by clicking the Dynamic Local User button in the NT Workstation object's Details page. You must first decide if you want NWGINA to create a user account on the Windows NT workstation. If you do not select the Enable Dynamic Local User option, NWGINA will not create a user account. In this case, a user account must already exist on the Windows NT workstation, or you must manually create a user account.
Then when a user logs in, NWGINA will try to find an existing user account on the Windows NT workstation that matches the information specified in the Windows NT tab of the NWGINA login interface. If the login information matches an existing user account, the user is authenticated to the workstation. If this information does not match, the user cannot access the Windows NT workstation.
If you want NWGINA to create a user account on the Windows NT workstation, select the Enable Dynamic Local User option. Then when a user logs in, NWGINA gets the user's information from the NT Workstation object and checks local Windows NT user accounts to see if this user account has already been created. If the account exists locally, the user is granted access to workstation resources. If the user account does not exist, however, NWGINA creates the account on the workstation.
You can create a volatile or nonvolatile user account. If an account is volatile, NWGINA deletes the account when the user logs out of the Windows NT workstation. If several users share a workstation or if temporary employees use a workstation, you can use volatile accounts to reduce the number of accounts stored on the workstation. Volatile accounts also prevent users from accessing the workstation when it is not connected to the network.
Nonvolatile user accounts, on the other hand, remain in the Windows NT workstation's user database. As a result, nonvolatile accounts allow users to access the workstation when it is not connected to the network. Access rights are then handled by the workstation.
You can specify what information NWGINA will use to authenticate users to the Windows NT workstation. If you select the Use NetWare Credentials option from the Dynamic Local User screen, NWGINA uses the username, full name, description, and password that are used to authenticate the user to NDS.
If you do not want to use the NDS information, you must enter information in the NT Username, Full Name, and Description boxes, which appear on the Dynamic Local User screen. NWGINA will use this information for all users who are associated with the NT Workstation object. A random password is also generated for this object. Because the password is unavailable to users, this Windows NT user account cannot be used outside the NDS environment.
The final option in the Dynamic Local User screen is the Workstation Groups option, which allows you to add users to Windows NT workstation groups. By default, dynamic local users will be added to the Users and the Administrators groups. You can add the user to any valid group on the Windows NT workstation.
Adding users to Windows NT groups obviously affects security on Windows NT workstations. For example, if a user is added to the Administrators group, that user can create or modify accounts on the Windows NT workstation. This user could create nonvolatile accounts or modify system settings and variables on the workstation. If you did not want to grant a user these rights, you could restrict access by removing this user from the Administrators group.
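The Dynamic Local User behaviour described above can be modelled in a few lines to see which settings leave standing privilege on a workstation. This is an added example, not Novell code; the class and field names are hypothetical, and the model simplifies NWGINA's account matching to the account name only.

```python
from dataclasses import dataclass, field

@dataclass
class NTWorkstationObject:  # hypothetical field names, not NDS attributes
    enable_dlu: bool = True
    volatile: bool = True
    use_netware_credentials: bool = True
    nt_username: str = ""  # used only when NetWare credentials are off
    groups: tuple = ("Users", "Administrators")  # default stated in the article

@dataclass
class Workstation:
    accounts: dict = field(default_factory=dict)  # local name -> set of groups
    volatile_names: set = field(default_factory=set)

def login(ws, policy, entered_name):
    """Return the local account used, or None when access is refused."""
    if not policy.enable_dlu:
        # NWGINA only matches an account that already exists locally.
        return entered_name if entered_name in ws.accounts else None
    name = entered_name if policy.use_netware_credentials else policy.nt_username
    if name not in ws.accounts:
        ws.accounts[name] = set(policy.groups)
        if policy.volatile:
            ws.volatile_names.add(name)
    return name

def logout(ws, name):
    """Volatile accounts are deleted at logout; nonvolatile ones persist."""
    if name in ws.volatile_names:
        ws.volatile_names.discard(name)
        del ws.accounts[name]

def audit(policy):
    """List settings that leave more privilege on the workstation than needed."""
    findings = []
    if not policy.enable_dlu:
        return findings
    if "Administrators" in policy.groups:
        findings.append("dynamic users join local Administrators")
        if not policy.volatile:
            findings.append("local admin account persists after logout")
    if not policy.use_netware_credentials:
        findings.append("associated users map to one shared local account")
    return findings
```

Running `audit` on the default settings returns the Administrators finding, which is the case the paragraph above tells you to correct by removing that group.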
If you use IntranetWare or NetWare 4 login scripts to configure users' networking environments, Novell Workstation Manager allows you to manage these login scripts for Windows NT workstations. To configure login scripts, click the Login Scripts button in the NT Workstation object's Details page.
First, you can decide if you want to use login scripts at all. If you decide to use Windows NT user profiles and system policies instead of login scripts, do not select the Enable Login Scripts option.
If you decide to use login scripts, however, you can take advantage of several options, including controlling login script windows and creating alternate login scripts. Novell Workstation Manager allows you to control how login script windows appear. You can choose the Open Login Script Window option or the Automatically Close Script Window option. Both options allow you to view what is happening while the login script is running. If you want to carefully review what is happening while the login script is running, you may not want to close this window automatically. Most users, however, will want this window to close automatically so they do not have to click one more button during the login process.
The Alt. Login Script option allows you to define a login script specifically for the NT Workstation object. As a result, you can create a different login script for each type of workstation operating system used on your network.
User profiles are the most common way to control a Windows NT workstation environment, allowing Windows NT users to manage applications, change desktop settings, configure menu options, and so on. If you want all desktops to have a consistent look, you can create one profile for all users associated with the NT Workstation object and prevent them from changing this profile. You can also use different profiles for different groups of users.
User profiles can be stored on the network or on the Windows NT workstation itself. If you store user profiles on the network, users can access their profiles from any Windows NT workstation on the network. To store profiles on the network, click the Profile/Policy button in the NT Workstation object's Details page, and then click the Enable Roaming Profile option.
You must specify the location of the profile directory on the network. Because the profile structure for Windows NT 3.5 differs from the profile structure for Windows NT 4.0, you must enter a separate path for each operating system if you are using both operating systems on your network. NWGINA will automatically detect which version of the operating system is running on the Windows NT workstation.
You can also use the Relative to Home Directory option, which tells NWGINA that a user's profile is stored in his or her home directory as defined in NDS. This option allows you to associate multiple users with a single NT Workstation object and permit each user to have a unique user profile.
At the bottom of the Profile/Policy window is an option for enabling Windows NT Workstation system policies. By default, NWGINA looks for the Windows NT policy file in the \\preferred server\SYS\PUBLIC\WINNT directory. If you want to use another policy file, you can override the default setting by specifying a directory path in the appropriate field.
The NWGINA interface offers users several options when they log in. Tabs located at the top of the NWGINA window display options such as NetWare Connections, Windows NT, Script Processing, Script Variables, and RAS login. Each tab allows a user to modify the login process.
If you want to prevent users from changing the login process that you have defined, you can use the NWADMIN utility to remove these login tabs. In the NT Workstation object's Details page, click the Login Tabs button, and deselect (or select) Login Tabs.
Because Novell Workstation Manager controls Windows NT workstations through NDS, you can change the Windows NT Welcome screen, which tells users to press <Ctrl><Alt><Del> to log in. You can simply click the Welcome Screen button in the NT Workstation object's Details page and substitute any bitmap file located on the network. You can also add a broadcast message to the existing bitmap file.
Automatic Client Upgrade
Novell Workstation Manager also increases the functionality of the ACU utility, which allows you to upgrade client software from a central location. This utility is available with all of Novell's new IntranetWare clients. Although the ACU utility works well on other workstation platforms, this utility has provided limited functionality on Windows NT workstations in the past. Windows 95, Windows 3.x, and DOS users can easily take advantage of the ACU utility because these environments are not secure. Users have complete control over local resources and can easily change configurations.
With Windows NT workstation, on the other hand, a user must have administrative rights to modify client software. Without Novell Workstation Manager, if the local user did not have administrative rights, another user with these rights would have to log in to the workstation so that the ACU utility could upgrade client software. To work within these parameters, Novell Workstation Manager creates a temporary administrative user, thus allowing the ACU utility to perform upgrades.
To perform an automatic client upgrade on a Windows NT workstation, you first create a login script command that tells the workstation the type of upgrade and the location of the upgrade files. Next, you access the NT Workstation object's Details page in the NWADMIN utility and click the Enable Automatic Client Upgrade option. In the Alternate Login Script Location field, enter the network directory that contains the login script.
The next time the user logs in to the Windows NT workstation, NWGINA creates a temporary administrative user who has the access rights required to complete the upgrade. To prevent the user logging in from obtaining these rights, NWGINA does not allow the user to perform any functions on the workstation during the upgrade process. After the upgrade is completed, NWGINA deletes the temporary administrative user and reboots the workstation. In this way, you can upgrade software and maintain the workstation's security without leaving your office.
If your company runs Windows NT workstation in an IntranetWare or NetWare 4 environment, Novell Workstation Manager will ease your management burden considerably. I was especially impressed with the ease of setup and the creation of dynamic users. The profile management capabilities and ACU functionality further add to the value of Novell Workstation Manager.
You can download IntranetWare Client for Windows NT from Novell's World-Wide Web (WWW) site (http://support.novell.com/home/client/winnt/whatsnew.htm). Novell Workstation Manager should be available for open beta testing in January.
Doug Isom works for Novell, Inc. in Provo, Utah.
* Originally published in Novell Connection Magazine
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.