Site hosted by Angelfire.com: Build your free website today!

Return to Table of Contents

Chapter 8

Remote Management of Workstations (NEBO)

Certification Objectives *

Z.E.N.works Features *

Installing Z.E.N.works *

From the Classroom *

The Policy-Profile Relationship *

Certification Objectives

Network administrators have long been asking for management utilities that make network management easier. Networks have gotten larger, and computing needs have become more complex with changes in technology. Novell has created Z.E.N.works, or Zero Effort Networks, in response to this business requirement.

Introduction to the Z.E.N.works Desktop Management Utilities

Z.E.N.works is a utility set that automates installing and managing network clients. Z.E.N.works is a time saver for administrators, reducing the cost of ownership for enterprise networked workstations. For example, when a change needs to be replicated to 10,000 client workstations that would take the administrator10 minutes at each workstation, it would take several months to perform. An automating utility such as Z.E.N.works can push many types of workstation changes to the desktop without the administrator personally visiting each desk.

Z.E.N.works Features

The main purpose of Z.E.N.works is to reduce the cost involved with managing workstations on a network. There are several interrelated processes that it uses to achieve this purpose:

Z.E.N.works is enabled for Novell Directory Services; in fact, much of it is integrated within NDS and managed using the NetWare Administrator. This adds a level of security to remote control features and software management and distribution.

NDS provides a framework of hierarchical relationships for network resources. Users are granted access to resources through their explicit rights and those granted from group memberships, security equivalence, and inheritance. Z.E.N.works builds on this relationship framework, adding:

Z.E.N.works adds workstation objects to NDS, and depends on them for features such as remote control. The workstation object is independent of the user who logs in at it. The workstation object can assist with:

Installing Z.E.N.works

Z.E.N.works is included with NetWare 5 on the NetWare 5 installation CD. The version of Z.E.N.works that comes with the NetWare 5 CD is the Z.E.N.works Starter Kit, a cut-down version of the fully featured Z.E.N.works, which is a separate purchase item in the current market release version. The Z.E.N.works client is located in the directory D:\PRODUCTS\ZENWORKS, if D: is the letter indicating the CD-ROM drive.

Exercise 8-1: Installing Z.E.N.works

  1. Place the NetWare 5 installation CD in the CD-ROM drive.
  2. Choose Start | Run, type D:\PRODUCTS\ZENWORKS\SETUP.EXE, and press ENTER (Or replace D: with the drive letter that the CD-ROM drive uses.)
  3. The initial screen warns you to close all programs that may be running from the SYS:PUBLIC directory, and any Windows programs as well. Verify that these programs are closed, and click Next.
  4. Click Yes to accept the license agreement.
  5. There are three setup types presented next, as shown in Figure 8-1: Typical, Compact, and Custom. Select Custom and click Next.

    Figure 1: Z.E.N. works setup options
  6. The next screen shows the options that can be installed. Accept the default options, as displayed in Figure 8-2.

    Figure 2: ZE.N.works installation options

    On the Job: To get the latest network client that is installed with NetWare 5, use the option during Z.E.N.works installation to copy clients to the network.
  7. The next screen shows the NetWare operating system options that Z.E.N.works can install (see Figure 8-3). Again, accept the defaults.

    Figure 3: NetWare operating system options
  8. After this, Z.E.N.works prompts for the servers to install. These are listed in the format TREE/SERVER, so that Z.E.N.works can be installed to different NDS trees in a multi-tree environment. Select the server to install and click Next.
  9. Select the appropriate language and click Next.
  10. Click Next at the summary dialog and files will start copying.
  11. After files have stopped copying, Z.E.N.works presents a screen like the one in Figure 8-4 requesting the context in which to grant users the appropriate rights. Accept the default and click OK.

    Figure 4: Z.E.N.works NDS granted rights
  12. Next, the dialog acknowledging that rights were assigned pops up; click OK.
  13. On the final screen, accept the default check boxes and click Finish.

This installation process extends the schema of the selected NDS tree with the Z.E.N.works objects, and adds the functionality to it. All the required files are copied to the selected server.

Remote Control Access Utilities (NEBO)

When choosing a remote control management package, consider three issues:

Because Z.E.N.works uses NDS, it is secured through login authentication. Remote control works only if the user has been granted appropriate object rights to the workstation object. This answers the security issue.

Regarding the issue of bandwidth, there is no excess traffic causing bandwidth problems because a remote control agent is not required to constantly advertise. Instead, the IP and IPX addresses of the workstation are stored in NDS. When remote control is initiated, it uses this information instead. Z.E.N.works is fairly easy to use. It uses the NetWare Administrator as the single point for network management. In order to execute remote control, the authorized user simply navigates the NDS tree to the appropriate workstation object, accesses the workstation object details, and clicks on Remote Control.

Creating Workstation Objects

Workstation objects are required for Z.E.N.works to perform workstation management and remote control. The workstation objects are created automatically after the following steps are executed:

  1. Users are granted the Write right to the WM:Registered Workstation attribute of the parent container object for the workstation. This can be executed during Z.E.N.works installation (see Exercise 8-1, step 11). It can also be executed from within the NetWare Administrator:
    1. Choose the Tools menu.
    2. Select the Workstation Utilities to view the pop-up submenu.
    3. Choose the Prepare Workstation Registration utility shown in Figure 8-5.
  2. Alternatively, an administrator can execute the WSRIGHTS.EXE application from SYS:PUBLIC.

    Figure 5: Prepare Workstation Registration
  3. Workstations register with NDS. This is done with the Workstation Registration program executed at the workstation. The executable is WSREG32.EXE for Windows 95/98 or NT workstations, WSREG16.EXE for Windows 3.1x, and it can be pushed to workstations through a login script. The Workstation Registration application will also appear in the NetWare Application Launcher (NAL) window (see Figure 8-6). NAL is executed from the SYS:PUBLIC directory. The NAL executable is NAL.EXE. The registration creates a workstation entry in the container object’s Workstation Registration page where the user’s User object exists.

    Figure 6: Workstation Registration application in NAL
  4. Workstations are imported into NDS as objects. The workstation import policy must be created and associated with the affected users. This is done by creating a policy package for users, then editing the details of the workstation import policy (see Figure 8-7). The details include the name format that the workstations will have when they are finally imported into NDS.

    Figure 7: Workstation import policy in user policy package
  5. The administrator must import the workstations (see Figure 8-8) using NetWare Administrator. Select the Tools menu and the Import Workstations option.

    Figure 8: Importing workstations
  6. Automatic imports can be scheduled using the application launcher. An application object can be created to launch theWSIMPORT.EXE file. If SYS:PUBLIC was mapped to drive F:, and the context was OU.OU.O, the command line would be:

    F:\PUBLIC\WSIMPORT.EXE "OU.OU.O" /s-

    The /s- switch includes all the subcontainers for the context.

  7. The import process adds a Distinguished Name to the workstation entry in the container object; then adds that workstation object to the NDS tree. Each workstation name is in the same format that the Workstation import policy dictates. This workstation import policy is the one created for the user policy package associated with the user who first ran the workstation registration package.
  8. After the workstation entry has been imported to a workstation object in NDS, the workstation registration program must be run a second time. This time, the workstation registration program finds the object’s Distinguished Name and stores it locally on the workstation. Finally, it updates the workstation object so that the registration time, network address, last server, and last user are captured, and this information is captured each time the workstation runs the registration program.
  9. Verification that the workstation registration is successful. This is done by viewing the C:\WSREG32.LOG on Windows 95/98 or Windows NT, and the C:\WSREG16.LOG on DOS or Windows 3.1x. It is created on each workstation that has been registered. Figure 8-9 shows an example of this verification message.

Figure 9: WSREG32.LOG verification message
Heather has installed Z.E.N.works to a server located in .OU=ACCT.OU=LON.O=MA. When she was prompted for the container, she selected that server’s container; then completed the installation. When Heather added the WSREG32.EXE file to the login script, her end users in the .OU=ENG.OU=LON.O=MA container complained that they were receiving errors during login. Why? Heather did not run the WSRIGHTS.EXE file or the Prepare Workstation Registration utility from NetWare Administrator on the .ENG.LON.MA context.

Using Login Scripts to Register Workstations in Novell Directory Services

The workstation must register to capture the following information:

This demonstrates the need to run the registration program every time a user logs into the network. NetWare 5 offers the ability to run the registration program from a login script to automate this process.

The logic of the login script must recognize the type of workstation operating system and run the correct registration program. The registration programs are:

The registration program is run from the SYS:PUBLIC directory of a server that has been installed with Z.E.N.works. It works in conjunction with the WSREG32.DLL file in the windows\system32 directory (or windows\system directory).

The following login script commands will apply this logic:

*********************************

*Workstation Registration Login Script *
*********************************
MAP DISPLAY OFF
MAP ERRORS OFF
MAP F:=SERVER\SYS:PUBLIC
IF "%PLATFORM"="W95" THEN BEGIN
#F:\PUBLIC\WSREG32.EXE
END
IF "%PLATFORM"="WNT" THEN BEGIN
#F:\PUBLIC\WSREG32.EXE
END
IF "%PLATFORM"="WIN" THEN BEGIN
#F:\PUBLIC\WSREG16.EXE
END
IF "%PLATFORM"="DOS" THEN BEGIN
#F:\PUBLIC\WSREG16.EXE

END

Configuring Workstations for Remote Control Access

In order to control a workstation remotely, the administrator must enable the Remote Control Agent on the workstation. Table 8-1 lists the Remote Control Agents for each platform.

Operating System

Agent Type

Launch Method

Windows 3.1 Application
SYS:PUBLIC\WUSER.EXE		 NetWare Application Launcher
Scheduled action
Login script
Manually run
Windows 95 Application
SYS:PUBLIC\WUSER.EXE		 NetWare Application Launcher
Scheduled action
Login script
Run manually
Windows 98 Application
SYS:PUBLIC\WUSER.EXE		 NetWare Application Launcher
Scheduled action
Login script
Run manually
Windows NT 4.0 Service
SYS:PUBLIC\NTSTACFG.EXE		 Installed on the workstation and run automatically as an NT service

Table 1: Remote Control Agents

In addition to these launch methods, installing the new client for NetWare 5 that is included with Z.E.N.works will copy the Remote Control Agent (see Figure 8-10) to the workstation, add it to the startup folder, and run it automatically for Windows 95.

Exam Watch: The NTASCFG.EXE file is the installation file for the Novell WUser Service in NT. It can be found in the NT Control Panel Services icon, and runs at the operating system initialization.

For full-screen DOS windows to be remote-controlled on Windows 3.1 and Windows 95 workstations, the administrator must install a driver in addition to the standard Remote Control Agent. If the Remote Control Agent is initialized using NAL, then the driver enabling full-screen DOS window remote control is installed automatically. The difficulty occurs if the NAL application is not used.

Figure 10: Remote Control Agent

When initializing the Remote Control Agent from another method, login script or manual, the following steps will enable full-screen DOS window remote control:

  1. Copy SYS:PUBLIC\VUSER.386 and SYS:PUBLIC\VUSER98.386 to the Windows system directory on the workstation.
  2. Choose Start | Run and type NOTEPAD C:\WINDOWS\SYSTEM.INI. Locate the [386Enh] section and add the following line (substitute the appropriate windows system directory path, if different): device=c:\windows\system\vuser.386

For Windows NT, the Remote Control Agent is not explicitly run. It is a service that is installed and runs whenever Windows NT runs. As a service, the NT Workstation can be remotely controlled as soon as the service initializes. The Remote Control Agent installation program is SYS:PUBLIC\NTSACFG.EXE. This program registers the Novell WUser Agent service in Windows NT, and can subsequently be found in the Start | Settings | Control Panel | Services icon.

The other portion of enabling remote control is the creation and application of a remote control policy. This is done within the NDS User Policy Package associated with the users and types of workstations that they use.

Exercise 8-2 Remote Control Policy

  1. If drive F: is not mapped to volume SYS:, then right-click the Network Neighborhood icon, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. Choose Start | Run and type F:\PUBLIC\NAL.
  3. In the Application Launcher Window, select NWAdmin32 and double-click it to launch the NetWare Administrator.
  4. Navigate the tree to the desired context and highlight the Organizational Unit.
  5. Choose the Object menu and select Create. Alternatively, press the INSERT key.
  6. From the object creation dialog box, select Policy Package (this is a new object added to the schema with the installation of Z.E.N.works).
  7. The next dialog box prompts you to select the type of policy package to create (see Figure 8-11). Select a User Policy Package: either Win31, Win95, or WinNT. Make sure to check the box to Define Additional Properties.

    Figure 11: User Policy Package creation

  8. Click the Create button.
  9. The details for a User Policy Package will appear, as shown in Figure 8-12.

    Figure 12: User Policy Package details
  10. Check the Remote Control Policy dialog box; then click the Details button. The dialog box shown in Figure 8-13 will appear.

    Figure 8-13: Remote Control Policy details
  11. If the default details are acceptable, simply click Cancel. Otherwise, check or uncheck the boxes until the correct remote control features are selected; then click OK.
  12. You will be returned to the User Policy Package details window. Select the Associations button.
  13. Click the Add button and add the appropriate users to be associated with this User Policy Package.
  14. Click OK.
  15. The workstation remote control policy must also be created and associated with a workstation in order to enable remote control. To create the workstation policy, choose the Object menu and select Create.
  16. From the object creation dialog, select policy package (see Figure 8-14), and then select the appropriate type of workstation package: Win31, Win95, or WinNT. Make sure to check off the box to define additional properties and click Create.

    Figure 14: Workstation Policy Package for remote control
  17. Check the box for the Remote Control Policy. Click the Details and enable the correct remote control policy for that workstation. Note that these details are identical to those in the User package remote control policy. Also, these policies do not need to be identical to the user remote control policies. NDS will automatically select the most restrictive policies and enable them. So, if a user remote control policy requires notification, but a workstation remote control policy does not, the user will be notified to adhere to security.
  18. After applying the remote control policy details, click OK. You will be returned to the workstation policy package details. Click the Associations button. Add the workstations that are associated to the users selected for the previous user policy package. Click OK to save the changes.
  19. To use remote control on one of the associated user’s workstations, double-click the workstation and click the Remote Control button to bring up the Remote Control Property page, shown in Figure 8-15. (Note: this is another extension to the schema that Z.E.N.works brings to NDS.)
  20. Click the Remote Control button to initiate remote control of the workstation.

Figure 15: Using remote control on a workstation

Using the Help Request Application to Log Workstation Problems

When users have a problem, they usually contact a member of the Help Desk staff or a network administrator. To assist in users’ requests for help, Z.E.N.works includes the Help Requester. This application contains the workstation information that an administrator might need for logging the help request. It also contains the contact information for the administrator, so that messages and phone calls are directed to the correct administrator for a specific group of users.

Before you can launch the Help Requester an appropriate Help Desk Policy must be created for users in an NDS User Policy Package. The Help Desk Policy details are shown in Figure 8-16.

Figure 16: Help Desk Policy details

The configuration properties for the Help Desk Policy enable the electronic messaging component of the Help Desk Request. The Trouble ticket delivery mode has two options: Groupwise 5.0, which is a Novell messaging and groupware application, and MAPI, which is a standard messaging component. A large number of e-mail systems use MAPI: Lotus Notes, Microsoft Exchange Server, older versions of GroupWise, and Outlook Express client for Internet Mail, to name just a few. The information page, illustrated in Figure 8-17, shows the contact information for the administrator, and this e-mail address is automatically used for the messages sent from the Help Requester application.

Figure 17: Help Desk information page

From the Help Requester application, the user can click on Call or Mail buttons to request help (see Figure 8-18). The Call button will display a dialog box with the contact information for the Administrator. This information is pulled directly from the Help Desk Policy. Since there can be multiple Help Desk Policies assigned to different administrators, each group of users associated with a Help Desk Policy can be administered by a different person.

Figure 18: The Users’ Call for Help dialog box

The Mail button will prompt an electronic message to be sent to the administrator’s e-mail address. The user’s e-mail address is automatically entered by the system. Next, the subject line is selected from a drop-down menu of the subject lines that the administrator added to the Help Desk Policy (see Figure 8-19). This practice automatically organizes the help requests according to the administrator’s needs. Finally, there is space for the user to type a message.

Both the call and the e-mail address will automatically include the user and workstation information pulled from NDS. This allows the user to have the appropriate information to give the person at the Help Desk, which expedites the help request process.

Figure 19: User’s mail dialog box for help with predetermined subject lines

The Help Requester maintains a list of previously logged help requests, as shown in Figure 8-20. The end user can double-click on the line of a previous request and view the information that was logged for that request.

Figure 20: Previous help requests are maintained by the Help Requester

Synchronizing a Workstation with Its NDS Object

Z.E.N.works brings a Workstation Inventory Policy to NDS. This policy polls the workstation for information and stores it within the workstation object, which integrates it with the workstation import policy. Once a workstation has been imported into NDS, each time the Workstation Registration program runs, the workstation will provide NDS with updated Workstation Inventory information. This synchronization between the workstation and NDS objects is accomplished by the Workstation Registration application.

To enable the Workstation Inventory Policy, open the Workstation Policy package. Check the box next to the Workstation Inventory Policy. To change the schedule for the inventory event, click the schedule button and select the times and days to run. Click the Associations page button and add the NDS container for the workstations in order to finalize the policy package to run the inventory.

From the Classroom

The Policy-Profile Relationship

When administering a network that contains Windows 95 and Windows NT Workstation clients, the terms, "policies" and "profiles", come up often, along with a question or dilemma over which to use. Understanding what each does will make the choice easier. In the simplest terms, profiles determine what a user sees on computer’s desktop; shortcuts to executables, "Start Menu" shortcuts, wallpaper and other items. A profile, or the desktop’s "appearance" can be modified while the user’s session is in effect, although whether that same desktop appears when the same user’s next session starts, depends on whether the administrator enabled the profile as mandatory or roaming. Nevertheless, the user is able to change the desktop’s appearance, pretty much at will, during a given session. A policy can be thought of as the parameters, or limits put on a user, or a specific machine, how the registry settings can be changed, including a currently loaded profile. Think of profiles as changes made to the registry and policies as restrictions placed on a user’s or machine’s ability to access and use the tools (Control Panel) used to modify the system registry. Z.E.N.works offers the administrator another tool to manage and administer policies via NDS.

By Dan Cheung, CNI, MCNE, MCT

Certification Summary

Z.E.N.works enables centralized administration of workstations and their users. This includes the ability to manage and distribute software, manage desktops, remote control workstations, and enable help desk support for end users.

Z.E.N.works Starter Kit is included with NetWare 5 andcan be installed from the NetWare 5 CD-ROM. When Z.E.N.works is installed, it is installed from a workstation onto a server. It extends the schema of NDS and adds new objects,which are the policy packages and the workstation objects through which Z.E.N.works manages the network.

One of the biggest benefits of Z.E.N.works is the ability to remote control workstations. Using remote control with Z.E.N.works is very secure due to the use of NDS secured objects. A user must be granted access to a workstation object in the NDS tree in order to take remote control of the workstation. Z.E.N.works also avoids excess bandwidth consumption through remote control. Instead of using an advertising protocol on the network for the remote control agent, Z.E.N.works relies on the workstation object’s network address for locating the workstation.

In order to take remote control of a workstation, it first must be created as a workstation object in NDS, which is a five-step process:

  1. The users must be granted access to the registered objects. This is done through the NetWare Administrator using the Prepare Workstation Registration option. Or the WSRIGHTS.EXE executable can be run from SYS:PUBLIC.
  2. The workstations must then register with NDS. This is done through the Workstation Registration application available in NAL, or it can be run from the WSREG32.EXE or WSREG16.EXE files run from SYS:PUBLIC.
  3. The workstations must then be imported into NDS using the NetWare Administrator to create a Workstation Import Policy and associate it to users, then running the Tools | Import Workstations utility. The import can be done using the WSIMPORT.EXE file in SYS:PUBLIC.
  4. The workstations must then register with NDS a second time, and continue to run each time the workstation logs in. This can be done through a login script, utilizing a line such as IF %PLATFORM = "WIN95" THEN WSREG32.EXE END to run the command. Or, it can be launched from NAL, or manually executed.
  5. To be successful, the workstation import must be verified. Each workstation has a log written to the root of C: called WSREG32.LOG or WSREG16.LOG, which are text files viewable in Notepad.

To configure a workstation for remote control, both NDS and the workstation must be involved. In NDS, the remote control policy must be created for both a workstation and for a user policy package. Then each of the workstation policies and the user policy must be associated to the respective workstations and users. The security restrictions are such that if a security restriction is higher on either the workstation or the User object in NDS, then the higher level of security is applied to the remote control.

The second part of enabling remote control is to run the Remote Control Agent on the workstation. For NT Workstations, this is a service called NTASCFG.EXE. For Windows 3.x and Windows 95/98, the application is WUSER.EXE.

To remotely control a workstation, locate the workstation object in NDS and view its details. Click the Remote Control page button and then click the Remote Control button.

Z.E.N.works includes a Help Requester application that allows users to contact the appropriate administrators for help. This is enabled using a Help Desk policy. The Help Requester application is installed as an object in NDS and appears in the NetWare application launcher window. The Help Requester can initiate an e-mail to the administrator with preconfigured subjects, or it can give the end user the information needed to access the administrator via phone.

The workstation must be synchronized with its NDS object in order for the Z.E.N.works remote control policy to work. The workstation inventory policy also requires synchronization. This synchronization is established by the WSREG32.EXE or WSREG16.EXE executables, and it can be launched from the NAL window.

Two-Minute Drill