Chapter 10

When Microsoft Windows NT Workstation became more popular for business workstations, it presented a challenge for NetWare. Each NT workstation had its own local security for end users, requiring a mandatory local logon to the local security database. Additionally, the NT workstation could belong to an NT domain and use domain security for end users, which requires a logon to an NT domain but provides a level of workstation management. NT Workstation was created to be a high-performance desktop operating system that can act as a peer server in a workgroup or member of an NT Domain. However, NT workstations are not built to accept another enterprise network security. Novell came out with Workstation Manager to add these and other benefits to NetWare through Novell Directory Services.

Workstation Manager does more than manage NT workstations. It has been extended, as a portion of the Z.E.N.works package, to manage Windows 95 workstations. Although not all aspects of NT workstation management are applicable to Windows 95, most are, and these capabilities are part of the current Z.E.N.works Workstation Manager component.

Workstation Manager adds the ability to NetWare to manage workstations through the use of Novell Directory Services (NDS). Although originally created in response to the need to manage NT workstations, Workstation Manager manages Windows 95 workstations, as well. Workstation Manager services are listed in Table 10-1.

Workstation Manager is integrated into Novell Directory Services. All aspects of managing workstations are available as objects in the NDS tree when using the NetWare Administrator. The objects that are used by Workstation Manager are policy package objects. The applicable objects are listed in Table 10-2.

The Workstation Manager installs as a service under NT. It is a network client service under Windows 95. After the Windows NT Workstation Manager service authenticates to NDS, it periodically polls NDS to update scheduled actions and any other changes that should be made to the workstation. The polling schedule can be between 1 and 60,000 minutes. The default is 10 minutes.

Workstation Manager is an option in the installation of the NetWare 5 client. In order to install Workstation Manager, the administrator simply runs the NetWare 5 client setup with the /W switch, or selects the Custom installation option and then selects Workstation Manager from the list of optional components (see Figure 10-1).

The installation switches and functions are given in Table 10-3.

In order to install Workstation Manager on multiple clients, the administrator may opt to use a login script installation method. The /ACU switch is the key to making this installation method work. The /ACU switch installs the updated client software if the existing client is older than the current version. This means that the login script does not need any logic for determining whether the workstation has already installed the client. A login script for installing the client might look like the following if the client files were on a server below PUBLIC in the respective operating system specific directories:

********************************************************
** LOGIN SCRIPT FOR INSTALLING NETWARE CLIENT 32 **
** including Workstation Manager - created October 3, 1998 **
********************************************************
; Mapping drives section
MAP ERRORS OFF
MAP DISPLAY OFF
MAP INS S16:=X:=SERVER/SYS:PUBLIC
IF %PLATFORM = "WINNT" THEN BEGIN
X:\PUBLIC\WINNT\I386\SETUPNW /W /ACU
END
IF %PLATFORM = "WIN95" THEN BEGIN
X:\PUBLIC\WIN95\SETUP /W /ACU
END
MAP DISPLAY ON
MAP

In order to begin using Workstation Manager, the NetWare Administrator needs to have policy packages created and associated to the appropriate users and workstations. The difference between a workstation policy package and a user policy package is that a user policy package will follow a roving user around the network. A workstation policy package, on the other hand, will be applied to the same workstation no matter which user logs in. Workstations must be imported into NDS as objects before the workstation policies become effective.

Policy packages can be created for different containers. And multiple policy packages can exist in the same container. This allows a network environment to use the existing network management structure already in place, whether that is a centralized or distributed administrative network.

In order to import workstations, the administrator must create a workstation import policy for workstations, both NT and Windows 95. This policy exists in the NT user policy package and the 95 user policy package. Figures 10-2 and 10-3 show the user policy package pages for Windows 95 and Windows NT.

To register workstations, the administrator follows these steps:

1. The administrator must enable NDS to allow workstation registration. That option is in the NetWare Administrator Tools menu.
2. Some method, usually through the login script, must execute Workstation Registration application – SYS:PUBLIC\WSREG32.EXE – on the workstations.
3. The administrator must import the workstation objects into NDS, again through an option within the NetWare Administrator Tools menu.
4. The workstations must continue to register with NDS in order to update their respective objects. If a login script method was used for the initial workstation registration, then it may be used thereafter.

When the workstation objects have been imported, the workstation policies must be associated to them. Instead of having to associate each individual workstation object with a workstation policy package, the administrator can associate the container object with the workstation policy package, as outlined in Exercise 10-1:

1. In the NetWare Administrator, navigate through the NDS tree to the container object that will contain the Workstation Policy Package.
2. Choose the Object menu and select Create.
3. From the Object Creation Dialog box, select Policy Package.
4. From the dialog box that appears, select Win95 Workstation Package from the top drop-down box, type a name in the next box, and check off the box for Define Additional Properties.
5. Click Create.
6. The policy package details will appear. Click the Associations button on the right pane.
7. Click the Add button.
8. In the right pane of the dialog that appears, browse for the context that contains the workstation objects.
9. Both container objects and workstation objects will appear in the left pane of the dialog. Select either the container for the workstation objects, if all of the workstations in that container will use this policy package, or select the individual workstation object. Click OK.
10. If a workstation object is already associated with a policy package, a message requesting policy replacement appears, as shown in Figure 10-4. Click Yes.

Workstation Manager includes a computer-based policy in the workstation policy package for either NT or 95 that manages the configuration of the Novell client. Any client parameters on the workstation that the administrator might adjust are available in the Novell client configuration policy (see Figure 10-5). Further, the policy uses the exact same dialog as is used at the client, so the interface is identical to what the administrator is familiar with.

The various client options will facilitate the selection of the tabs for the GUI login. In addition to configuring the NetWare client, the Novell client configuration policy facilitates configuration of:

• NetWare/IP
• IP Gateway
• IPX Compatibility Adapter
• Target Service Agent

Each of these components can be used in conjunction with the Novell client to provide full network connectivity and resource access. NetWare/IP, IP Gateway, and the IPX Compatibility Adapter are all protocol related, thus enabling full network connectivity. The Target Service Agent is the client portion of backup. It enables NetWare Servers to backup workstations onto the server’s archive system, which is usually a tape drive.

In order to change a component of the Novell client, the protocol components or the Target Service Agent, the administrator must select a component from the list and click the Configure button. This will bring up a dialog similar to the client selection depicted in Figure 10-6.

Each of the tabbed dialog pages is a network client configuration tab available locally at the workstation through the Network icon in the Control Panel. The administrator may make the selections in this dialog, and then allow NDS to apply the client configuration.

One of the most complicated network management functions is maintaining a functional and up-to-date inventory of hardware and software that exists on the network. Server hardware and software is not nearly as complex to maintain as workstations:

• Server upgrades affect many people when they are taken offline, so they occur less often.
• Only the administrator have the access to upgrade servers.
• There are typically fewer servers than workstations on a network.
• Workstations can be upgraded by anyone except when extreme restrictions and security measures have been taken.

The more workstations on a network, the more likely an inventory will be outdated quickly. If there is high-growth in the organization, the inventory will easily become difficult to manage manually from the moves, adds, and changes, as well as the new installations.

Novell’s Workstation Manager offers an automated workstation inventory to address these challenges. Creating a Workstation inventory policy within the workstation policy package enables the workstation inventory and governs the schedule for inventory updates (see Figure 10-7).

The workstation inventory itself is maintained within the workstation objects. To view a workstation’s current hardware and software, the administrator can open the Workstation Object Details; then select the Workstation Inventory button on the right-hand pane (see Figure 10-8).

• There is detailed information about the workstation available to an administrator when the View Advanced Information button is clicked (see Figure 10-9): Drives available on the workstation
• Buses, such as PCI or ISA
• Services or devices on the workstation
• Resources utilized, such as IRQ, I/O Port, DMA, or memory
• Display adapter information, including the display adapter BIOS and driver settings

User profiles are a feature of both Windows NT and Windows 95 that allows a network administrator to control the desktop settings for users of each workstation they log into on the network. System policies is another feature of both operating systems that enables centralized control of both user and computer configuration of the operating system. Both user profiles, or desktop settings, and system policies are part of the Workstation Manager NDS policies.

Desktop settings are managed through the user policy package in the desktop preferences policy. For Windows NT, desktop settings are stored in a user profile that can be set up to be "roaming." That is, instead of storing the settings on each workstation that the user logs into, the profile is stored a single time on a NetWare server or the user’s home directory. If storage space is an issue on individual workstations, the use of roaming profiles will minimize the impact of roaming users on a network. An administrator simply clicks on the Roaming Profile button of the NT Desktop Preferences to configure how the desktop settings are stored.

In the roaming profiles options, the administrator can enable roaming profiles and configure where they are stored on the network (see Figure 10-10). The storage options for profiles can be in the user’s home directory, or the profile can be stored on a NetWare server in another directory.

To set up a user profile or desktop settings, the administrator would configure a desktop preferences policy (see Figures 10-11 and 10-12) in the user policy package. All settings are downloaded to the user’s current workstation the next time that user logs into the network.

The desktop preferences policy has a Control Panel properties page that is similar to Windows Control Panel features. There are some differences, however.

For example, in the Accessibility Properties page for Accessibility Options, the three available option areas, StickyKeys, FilterKeys, and ToggleKeys, must be activated before the associated options can be configured. The administrator must check the box with the "use" for that option; then click Settings to configure them. In nearly all other aspects, the settings modified in this page are identical to the settings that can be modified when sitting at a workstation console and editing the same or similar Control Panel options. The desktop options are listed and defined in Table 10-4.

Both Windows NT and Windows 95 can be configured to look for a system policy file to control how the workstation works. With the NetWare client and Workstation Manager, they can be configured to look for a policy file, even with a different name than the default, NTCONFIG.POL for NT or CONFIG.POL for 95, on the network in a specified directory. This is done by enabling and configuring a workstation computer system policies policy where the Remote Update option is edited for a manual update, as shown in Figure 10-13.

To set up system policies, the administrator can enable either, or both, a user uolicy and a workstation policy. Computer system policies configure the items that are found in the HKEY_LOCAL_MACHINE hive of the Registry. User system policies configure items that are found in HKEY_CURRENT_USER hive of the Registry. These policies are applied each time a user logs into the network.

1. In the NetWare Administrator, navigate to the container where the Workstation Policy Package will reside.
2. Press the INSERT key.
3. Select Policy Package from the object creation dialog; then click OK.
4. From the drop-down box at the top of the dialog, select either a Win95 Workstation Package or a WinNT Workstation Package. In the next box, type a name for the policy package; check off the box to define additional properties, and click Create.
5. Check the box next to the Computer System Policies option; then click the Details button.
6. Click the Computer System Policies property page button.
7. In the window, click the + (plus sign) next to the options to expand the list; then select individual options to configure them. Some properties will be configurable directly below the window, others will need a dialog box. For example, click the + next to Network, then the + next to SNMP, then Check the box next to Communities, and click the Properties button below the window to display the dialog box. In the Communities dialog box, click the Add button, then type the name of the SNMP community in the box and click OK. Repeat until all the SNMP communities for the workstation that are in the box; then click OK.

Any application execution can be scheduled for workstations or for users. This is done in the user policy package or workstation policy package. The administrator just adds an action to the policy package.

1. In NetWare Administrator, navigate the NDS tree to the context with a Workstation or User Policy Package.
2. Double-click the policy package to display its details.
3. Click the Add Action button.
4. Type a name for the action in the dialog and click Create. Note that the action item appears in the window with a check box next to it.
5. Highlight the new action and click Details button.
6. Check the box for Ignore package default schedule; then click the Details button.
7. On the General tab, click the Impersonation dropdown box and select System; then click Apply
8. Click the Schedule tab and select the Event button, make sure the drop-down box displays User Login, and click Apply.
9. Click the Advanced tab and check off the box for Disable the Action after Completion. (This makes the action run only once.)
10. Click the Items tab, and click the Add button.
11. In the Item Properties dialog, place the name of the application in the Name box, the UNC (Universal Naming Convention) in the form of \\server\volume\path for the Working Directory box, and any switches in the Command Parameters box. Select Above Normal from the Priority drop-down box.
12. Click OK to close the dialog; then click Apply and Close to close the Action dialog.
13. Click OK to close the Action and then click OK to close the Policy Package and save all the changes.

Print management is a part of the Z.E.N.works Workstation Manager component. This is set up so that printers can be created for Windows 95 workstations, Windows NT workstations, and Windows NT users. There is currently no Windows 95 user printer.

The user printer for NT will follow the user around the network wherever they log in. The workstation printers will be available at those workstations regardless of the user logged in. In an environment where multiple users log in at a stationary workstation, the use of a computer-based printer makes printing transparent to the users. A printer can be moved, added, or changed on the network without the users being unable to print.

To create a printer, the administrator views the details of a workstation policy package and then checks off the Computer Printer option (see Figure 10-14). By clicking the Details button, the administrator can add and configure the printer for the user. The Add button allows the administrator to browse through the NDS tree for a Print Queue object. The New Driver button lets the administrator upgrade the printer driver with a few mouse clicks. When the administrator clicks the NetWare Settings, she can change the NetWare printing settings such as whether to notify the user when the print has completed or whether to include a banner with the print.

Those Windows NT users who require access to NetWare 5 servers would have traditionally required two user login Ids: one for NetWare and one for the NT workstation or domain. Workstation Manager and the NT client can simplify the login process by transparently extending the Windows NT login to include the execution of the NetWare login.

The WinNT User Package includes a dynamic local user policy. This policy governs whether a local NT workstation user is created after the user is authenticated to NDS. When the Enable Dynamic Local User is checked in this policy, then the workstation is checked to see if the user exists with the credentials (name, full name, and description) specified. If not, the user is created. If so, the user is authenticated.

The administrator can elect to use the NetWare credentials of any user existing in Novell Directory Services. This would create a matching user locally for any NetWare user that logged into the network. When using the NetWare credentials, the administrator can further elect to create a volatile user. The volatile user is removed from the workstation after logging out of the network.

The administrator can manage an existing NT account by checking the Manage Existing NT Account (if any) box. Workstation group assignments for the account are changed to those specified in the dynamic local user policy. If a volatile user is checked in addition to this option, the local account will be removed after the user logs out of the network, and from then on only the corresponding NDS User object will be able to access the workstation.

The dynamic local user policy can provide group membership to any default NT workstation user groups. Custom groups can be added to the list by clicking the Custom button (see Figure 10-15).

Workstation Manager was originally created to manage Windows NT workstations. It has been extended to Windows 95 workstations and incorporated within the Z.E.N.works package.

Workstation Manager enables workstation management through policies created for users and workstations. These policies can manage the users’ desktop settings, system policies, client configuration, workstation inventory, and printers. The policies can also schedule updates to workstation software and manage user synchronization between the Novell Directory Services (NDS) users and NT workstation local or domain users.

The installation of Workstation Manager is a function of installing Z.E.N.works on the server and installing the client on the workstations. In order to include Workstation Manager with the client installation, the administrator can create an unattended installation, using an /ACU command parameter, for the client and use the /W command parameter to include Workstation Manager. The Workstation Manager component runs as a service on Windows NT (available within the Services icon in Control Panel) and as a network service under Windows 95 (available within the Network icon in Control Panel).

Workstation Manager includes the ability to configure the client from within the NetWare Administrator, through a Novell client configuration policy in the Workstation Package. This can effectively configure any client option remotely that the administrator could configure locally. The changes are applied with the user login, but do not become active until the next time the client reboots.

Workstation Manager includes a workstation inventory capability that can poll the workstation for software and hardware configuration information. It is updated whenever the schedule is set to update.

Native Windows 95 and Windows NT system policies and desktop settings can be configured from within the NetWare Administrator using:

• Desktop Preferences policies in the User Package
• User System Policies in the User Package
• Computer System Policies in the Workstation Package

The administrator can schedule application upgrades, or any application execution, to occur on an NT or 95 workstation through the use of User or Workstation added Actions. Actions that are added to a user package will take place regardless of where the user logs in. Actions that are added to a workstation package will take place on that specific workstation regardless of which user is logged into the workstation.

The administrator can use printer policies to configure print queues for NT users, or for Windows 95 and Windows NT workstations. The policy includes the ability to update printer drivers for printers on the network.

Windows NT users exist locally on NT workstations and on NT domains. The Workstation Manager dynamic local user policy in the WinNT User Package enables synchronization of these accounts, or even the ability to use only the NDS user. Volatile users can be created that are removed immediately upon logout from the NT Workstation.

• Workstation Manager adds the ability to manage workstations to NetWare through the use of Novell Directory Services (NDS)
• The workstation manager installs as a service under NT. It is a network client service under Windows 95. After the Windows NT Workstation Manager service authenticates to NDS, it periodically polls NDS to update scheduled actions and any other changes that should be made to the workstation
• In order to begin using Workstation Manager, the NetWare Administrator needs to have policy packages created and associated to the appropriate users and workstations.
• Workstation Manager includes a computer-based policy in the workstation policy package for either NT or 95 that manages the configuration of the Novell Client. Any client parameters on the workstation that the administrator might adjust are available in the Novell Client Configuration policy.
• One of the most complicated network management functions is maintaining a functional and up-to-date inventory of hardware and software that exists on the network. Server hardware and software is not nearly as complex to maintain as that of workstations.
• User profiles are a feature of both Windows NT and Windows 95 that allows a network administrator to control the desktop settings for users of each workstation they log into on the network.
• Desktop settings are managed through the User Policy Package in the Desktop Preferences policy. For Windows NT, desktop settings are stored in a user profile that can be set up to be "roaming."
• Both Windows NT and Windows 95 can be configured to look for a system policy file to control how the workstation works. With the NetWare client and Workstation Manager, they can be configured to look for a policy file, even with a different name than the default - NTCONFIG.POL for NT or CONFIG.POL for 95 - on the network in a specified directory.
• Any application execution can be scheduled for workstations or for users. This is done in the User Policy Package or Workstation Policy Package.
• Print management is a part of the Z.E.N.works Workstation Manager component. This is set up so that printers can be created for Windows 95 Workstations, Windows NT Workstations or Windows NT Users.
• Those Windows NT users who require access to NetWare 5 servers would have traditionally required two user login Ids – one for NetWare and one for the NT workstation or domain. Workstation Manager and the NT client can simplify the login process by transparently extending the Windows NT login to include the execution of the NetWare login.