NetWare 5.1 Administration

Chapter 10: Managing Workstations in an NDS Environment with ZENworks

 

Objectives:

This very long chapter discusses distributing applications and managing workstations with the Application Launcher, a part of ZENworks. The objectives important to this chapter are listed on page 10-1:

  1. Identify ZENworks Design Guidelines
  2. Install the ZENworks 2.0 Starter Pack
  3. Define the Workstation Manager Component of ZENworks
  4. Determine Workstation Management Needs
  5. Configure the Search Policy in a Container Policy Package
  6. Register Workstations in NDS
  7. Import Workstation Objects into NDS
  8. Explain How Policies Are Applied in NDS
  9. Identify Policy Package Problems and Solutions
Concepts:

Page 10-2 begins the discussion of ZENworks (which stands for Zero Effort Networks). Think of it as zero effort for the user, in many cases, with very concentrated effort from the administrator.

ZENworks is a tool to help an administrator manage a network. ZENworks can distribute and manage applications, configure and manage workstations and Windows desktops, and remotely repair workstation problems.

Identify ZENworks Design Guidelines

A set of design guidelines are presented for using the tools within ZENworks:

  • Application and application folder objects - Application objects enable to you to manage application program through NDS. Application Folders are like containers for these objects. Use the Application Launcher and Application Explorer utilities to provide users with access to applications.
  • Users and user group objects - Until now, we have never called a "group" object a "user group". There is a principle in linguistics that says until you have two of something, your language doesn't need specific words for it. ZENworks now enables us to have two kinds of groups: one for users, and one for workstations. Users and user groups can be associated with application objects to efficiently provide users with access to applications. Regarding user group objects, some guidelines are offered:
    • Create the group object in the same container as the associated application. This relates to a general rule: keep resources that users need close to those users.
    • Limit the number of group members to 1,500.
    • Never span group membership across a WAN.
    • If possible, keep the users in the group in the same partition, to minimize network traffic. (A partition is a subsection of the NDS database. It is broken into partitions for easier maintenance and stability.)
    • Do not make users members of more than 64 groups. (Remember, that they already belong to [Root] and [Public].)
  • Workstation and workstation group objects - Workstation groups are simply group objects for workstations, not for users. A Tree does not include workstation objects until they are imported into the Tree. Once this is done, ZENworks (and other tools) can be used to manage them. Be aware that importing the workstations significantly increases the number of objects in your Tree.
  • Policy package objects - A policy package is an NDS object that holds policies. Policies are rules that apply to other objects and help manage them. Seven kinds of policy packages are listed:
    • Container Package
    • Win31 User Package
    • Win31 Workstation Package
    • Win95-98 User Package
    • Win95-98 Workstation Package
    • WinNT User Package
    • WinNT Workstation Package

Policy Packages are not intuitive at this point. Note that the seven kinds of policy packages fall into three types. Begin with the three types to get a handle on it:

  • Container policy packages - can only associate with containers.
  • User policy packages - specific ones for Windows 3.1, 95/98, and NT. They can associate with containers, users, or user groups.
  • Workstation policy packages - specific ones for Windows 3.1, 95/98, and NT. They can associate with containers, workstations, or workstation groups.

This does not make much sense yet, because you have not seen what a package can do yet. Have patience, enlightenment is coming. Follow this link for background information from Microsoft on System Policies in Office XP.

You should not create policy packages that are not needed on your network. If, for example, you do not have any Windows 3.1x workstations, you will not need either kind of package that relates to them.

Three guidelines are offered regarding creation and placement of policy packages:

  1. Packages are meant to relate to other objects in the Tree. Create container packages at the highest level of the NDS tree that relates to the containers the policy will apply to.
  2. Create user and workstation policy package objects close to the objects of the users or workstations that will access them, preferably in the same container.
  3. If you create a single-purpose container for workstations, place workstation policy package objects in this container.
Install the ZENworks 2.0 Starter Pack

Two versions of the product are described: the Starter Pack, which comes with NetWare 5, and the full version, available separately. You should be aware of the features of each:

  • the Starter Pack includes the Application Launcher and desktop management software
  • the Full version includes the above, and three more features: hardware inventory, Help Requester, and Remote Control software.

Before installing ZENworks on a server or a workstation, make sure that the minimum hardware requirements are met.

  • Workstation: 5MB of space on the hard drive, 16 MB of RAM, and a 25 MHz Pentium or better.
  • NetWare 4.11 or 4.2 Server: 175 MB of space on the hard drive, 64 MB of RAM (with 7 MB available). If installing on a NetWare 4.11 server, you must install Support Pack 6 (or later).
  • NetWare 5 Server: 175 MB of space on the hard drive, 128MB of RAM (with 7 MB available)

The server hard drive space requirements assume that you are copying the client software to the server. The space requirement shrinks to 40 MB if you do not. You should be aware that the general hard drive space requirement for a NetWare server is 756 MB. Adding the 175 MB for the ZENworks software raises this to 931 MB.

To manage ZENworks, you will use NetWare Administrator. ConsoleOne will not work with it yet. As you have been advised in other chapters, you should use NWADMN32.EXE, not earlier versions of NetWare Administrator.

ZENworks is more functional with Windows 95 or later workstations. This is related to the Windows Registry. Windows 3.1 had a Registry, but it was not the same. Workstations must connect to NDS to use ZENworks: bindery connections will not work.

As usual, you must have Supervisor object rights to [Root] in order to install ZENworks. Users will automatically be assigned Read and Compare rights to all properties of Application objects you associate them to. They will also automatically be assigned Read and File Scan NFS rights to directories that the Application object refer to.

The text presents a multiple step procedure for installing ZENworks on your system. Note, in this procedure, that you can instructed to choose to install three specific components: Application Management, Workstation Management, and the proper version of NetWare Administrator.

Define the Workstation Manager Component of ZENworks

As its name suggests, Workstation Manager is a ZENworks component to provide central administration of workstations. The server component is installed by default with ZENworks, and the client component is included in ZENworks compliant Novell Client software.

The Workstation Manager component on a a workstation actually logs in to NDS, as the workstation. It communicates with the Workstation Manager on the server, which sends policy-based information to the workstation. The allows management of the workstation even when the user is not logged in, as long as the computer is turned on.

NetWare Administrator must have a snap-in module installed to use Workstation Manager. A snap-in is the term Novell uses for an update to NetWare Administrator that add new functions. This snap-in enables NetWare Administrator to manage three kinds of objects considered to be workstation management objects:

  • workstations
  • workstation groups
  • policy packages

Workstation Manager's features are described in some detail. You should be familiar with the following:

  • Scheduled Updates - updates can be pushed to workstations at specific times, based on the needs of your network.
  • NDS Storage for Policies - storing policies in NDS eliminates the need to copy the files to all servers. They become available to all servers through NDS.
  • Dynamic Printer Configuration - you can associate a printer, a print queue, and a printer driver with workstations or with users. This results in an automatic download of the driver and an automatic configuration of the workstation when the user logs in.
  • Novell Client Configuration - settings for the client, such as context and preferred Tree, can be pushed to the workstation based on the user.
  • Workstation Profile Management - desktop settings, access to controls, and user interface options can be configured for users or workstations.

The text repeat the idea the there are three types of policies:

  • Container policy packages - can only associate with containers. They are used to manage WAN and LAN traffic created by policy downloads. A container package can only contain one kind of policy: a search policy. The idea is that it tells the system how far up the Tree it is allowed to search for other policies that might affect the objects in a container.
  • User policy packages - specific ones for Windows 3.1, 95/98, and NT. They can associate with containers, users, or user groups. This enables you to set up rules for users regardless of the workstation they use.
  • Workstation policy packages - specific ones for Windows 3.1, 95/98, and NT. They can associate with containers, workstations, or workstation groups. This allows you to set up rules for workstations, regardless of the user who logs in on them.

Some policies are unique to the kind of package they can occur in, while others are more generic. For instance, a Workstation Import policy can be placed in any user package, so that a workstation object for the user's workstation can be created once the user logs in.

Determine Workstation Management Needs

Page 10-18 discusses User Policy Packages. This sort of package is available in the three Windows platforms described because you will wish to establish different rules and services for users of each type of Windows. These packages still must be associated with NDS objects to take effect, as noted above, but their policies will affect computers used by particular users, groups of users, and users in associated containers. This allows us to establish rules and services for users, even if they use several different workstations.

A general guideline is given for deciding on how to manage with policies: determine whether the action you need to take should affect all users/workstations, groups of users/workstations, or specific users/workstations.

The steps to follow, in general, are to create the packages you need, create the policies the packages will use, then associate the packages with containers, users, workstations, or appropriate groups.

Page 10-21 discusses the idea of creating a specific user policy package for administrators. In the illustration, it is clear that one user policy package (a restrictive one) is being associated with the container that the administrator is in. To remove the restrictions from the administrator, while leaving them in place for other users, a different user policy package is associated directly with the administrator's user object. This overrides the policy package associated with the container.

Configure the Search Policy in a Container Policy Package

When a user logs in to the system, is is important to search the user object for policy package associations, to search group objects that the user belongs to, and to search containers that relate to the user and the groups.

To control this, you create a Search Policy in a Container Policy Package. The policy is configurable, as discussed in the text.

  • Search Level - allows you to limit the levels the system will search in the tree for an associated policy package. Four options are available:
    • [Root] - default setting; Workstation Manager goes to the [Root] of the Tree.
    • Object Container - Workstation Manager goes up to the container where the imported workstation object exists.
    • Partition - Workstation Manager goes up to the partition root where the imported workstation object exists. (A partition root is the highest container in the portion of the NDS database holding the object.)
    • Selected Container - allows you to browse and select a starting point for the search:
      • 0 = Limits the search to the current level
      • 1 = Limits the search to one level above the current level
      • -1 = Limits the search up to but not including the current level
  • Search Order - You can set rules for how the system searches for associated policy packages. The default search order is
    • Object
    • Group
    • Container
    The items can be moved up or down the list, to change this order.
Register Workstations in NDS

To create workstation objects, the workstations themselves must register with NDS, then the workstation can be imported. Information is sent from a workstation on login, and saved in the Registration page (property) of the container the user logs in to. A list of workstations is kept in this property, and you import workstations from this list when you create a workstation object. In order for workstations to register, you must take two actions (pages 10-25, 10-26):

  • create a user policy package for each workstation platform (3.1 User, 95-98 User, NT User)
  • configure a Workstation Import policy

Users need rights to their containers in order to register workstations. Specifically, they need the Write permission to the WM: Registered Workstation property of the container. Normally, WSRIGHTS.EXE grants this automatically for all existing containers when you install ZENworks. Containers created after ZENworks is installed will need to have this right granted manually. Also, any container on an NT server must have the right granted manually before ZENworks in installed.

Three methods can be used to register workstations. All involve the use of the proper Registration Agent program:

  • WSREG32.EXE for Windows 95 and NT workstations (32 bit)
  • WSREG16.EXE for Windows 3.1x workstations (16 bit)
  • WSREG32.DLL (for Windows workstations that only use the Desktop Management component of ZENworks. This does not seem to be discussed in your text.)

You must know the conditions under which you should use each method:

  • ZENworks Scheduler - use this if you have installed all ZENworks components and the workstations are either Windows 95/98 or NT. This means that the registration can be done automatically on login, but requires that all ZENworks components are installed, and only works for 32 bit versions of Windows workstations.
  • Application Launcher - use this if you have not installed the Desktop Management component of ZENworks, but have installed Application Launcher. Make the appropriate Registration Agent available to users in Application Launcher by association in NetWare Administrator.
  • Login Script - use this if neither Desktop Management nor Application Launcher are installed. You put lines in login scripts like those on page 10-31.

    IF "%PLATFORM"="WNT" THEN BEGIN
    WRITE "Register Windows NT Workstation"
    #WSREG32.EXE
    END
    IF "%PLATFORM"="W98" THEN BEGIN
    WRITE "Register Windows 98 Workstation"
    #WSREG32.EXE
    END

    The lines call the appropriate registration agent. Note that the examples use the # character to execute the agent externally, not concurrently. This tells Windows to go run that program, and not to continue anything else until it is done.
Import Workstation Objects into NDS

Importing workstations is discussed on page 10-34. Notice that there are two reasons to import workstations. The first reason is to create an object for the workstation in the Tree. The second reason is to update network address information in existing workstation objects.

The process for importing workstations is explained on pages 10-35 through 10-37. You should review this material.

Explain How Policies Are Applied in NDS

The text makes a point that users and workstations can be directly affected by policy packages by specific association, or they can be indirectly affected if their containers are associated with policy packages.

The order of precedence is like that we have come to associate with rights in the Tree: a package association with a container can be overridden by an association with a group object. Association with either a container or a group object can be overridden by specific association with a user or workstation object. Between user and workstation, associations with users take precedence.

However, if no policies are actually enabled in a package with precedence, the next level of precedence with enabled policies comes into effect.

The book explains that policies "down the Tree" take precedence. It may be easier to think about this another way: policies more closely associated with the leaf take precedence.

A policy may be in one of three states:

  • In the GUI interface, an empty checkbox means disabled. Such a policy is not applied.
  • A gray checkbox means ignore. This means to apply whatever is already in the Registry.
  • A checked checkbox means enabled. This means to apply the policy.
Identify Policy Package Problems and Solutions

A series of troubleshooting steps are presented for policies that should apply but do not.

  1. Check the association between a physical workstation and its NDS object. The workstation should reference the NDS object in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Workstation Manager\Identification.
  2. Check whether the right kind of policy package exists
  3. Make sure the policy package is associated with the container, user, or workstation.
  4. Make sure the policy you want to apply is enabled.
  5. Although the Workstation Manager client software should have been installed automatically on the workstation, verify that it has been installed. It should show as a component under the Network icon in Control Panel on the workstation.
  6. The NDS Tree must be listed as a "trusted tree". You must use Regedit to verify that it is. The Registry key for this is HKEY_LOCAL_MACHINE\SOFTWARE\NOVELL\Workstation Manager\Identification.
  7. A policy may not apply if its timestamp is newer than that of the same policy on the workstation. You can force this to apply for policies in User packages (but not for Workstation packages) by enabling “Always update workstation during NDS Authentication” in the Desktop Preferences policy.