Managing Computer Labs with ZENworks for Desktops
Kristi Wall
University of Georgia
kew@uga.edu
What is ZENworks for Desktops?
• ZENworks for Desktops is Novell’s full-featured desktop management system
• Directory-enabled desktop management system – utilizes Novell’s eDirectory
• Offers both desktop management and application management capabilities
What does ZENworks for Desktops give me?
• Workstation Imaging – image one or many workstations at a time
• Application management, distribution and repair – on and off the network
• Desktop Management Policies – secure workstations, manage users’ experiences and remotely manage users and workstations
• Inventory – collect software and hardware info
What do I need to run ZFD?
• Runs on either NetWare or Windows
• eDirectory is required
• Current version (ZFD 4) does not require the traditional Novell client
• Modular agents necessary to provide various ZFD functions
• ZFD functions outside a firewall
Our Focus Today…
• Lab deployment and maintenance strategies
• Locking down workstations with desktop policies – how do you handle exceptions?
• Restricting applications
• Directory design considerations
• UGA’s MyID lab authentication
Interesting Imaging Aspects
• ZFD imaging is based on a Linux kernel
• Three ways to initiate an imaging session:
  • Linux partition on the workstation
  • Imaging media (CD or diskettes)
  • PXE (Preboot Services)
• File-level imaging solution – take advantage of add-on imaging
• ZENworks Image Safe Data – safely store workstation-specific information
New Lab Deployment
• Multicast from workstation or server
• New machines dynamically retrieve IP, Windows Networking and DNS info
• Image selection can be based on hardware rules you define
• Use add-on images for machines with different software requirements
Lab Upgrades or Maintenance
• Flag machine(s) for automatic imaging operations when necessary
• After an image is restored, the Image Safe Data overwrites values stored in the image:
  • NetBIOS name
  • IP information (DHCP or static)
  • Workgroup membership
  • eDirectory workstation object information, if any
• Randomizes the SID
• Scheduled Wake-on-LAN services
Using ZFD for Workstation Security
• Control user authentication and access
• Use ZFD policies to control what users can do
• Policies applied to workstations will apply to all users who use that workstation
• Policies applied to users will apply wherever that user logs in
• Using workstation and user policies together gives a combined security effect
User Authentication and Access
• How do users authenticate?
• Don’t use a single account for lab logins
• Dynamic Local User policy for NT/2K/XP
  • Designate local group membership
  • Can be tied to specific workstations
  • Volatile or nonvolatile local user accounts
• Use NTFS, if possible, to enhance ZFD’s security policies
• Change default group security settings!
What rights do users need?
• For Application Launcher to work properly, the logged-in user requires the following rights:
  • Full Control access to the NAL cache directory (typically C:\NALCACHE)
  • Full Control access to the user’s TEMP directory (typically C:\DOCUMENTS AND SETTINGS\username\LOCAL SETTINGS\TEMP)
  • Read\Write rights to the HKEY_CURRENT_USER\Software\NetWare\NAL\.1.0 registry key
  • Read rights to the HKEY_LOCAL_MACHINE\Software\NetWare\NAL\1.0 registry key
  • Read rights to the HKEY_LOCAL_MACHINE\Software\Novell\ZENworks registry key
• In addition, the System user requires full access to all areas of the workstation. By default, this access is granted to the System user as a member of the Administrators group. Do not limit the default rights given to the Administrators group.
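When a lab lock-down policy is tightened, the usual breakage is one of these rights going missing. The following PowerShell audit is an added example and not part of the presentation or of ZENworks; run as the lab user, it checks each path the slide lists against the user's own SID and group SIDs. It assumes the slide's default paths and interprets "Read\Write" on the HKCU key as ReadKey plus SetValue.

```powershell
# Added example: audit the Application Launcher rights listed on the slide for
# the currently logged-in user. Paths are the slide's defaults (assumption).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Own SID plus every group SID, so rights granted through a group are counted.
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-RequiredAccess {
    param(
        [string]$Path,      # file path or registry provider path (HKCU:\..., HKLM:\...)
        [int]$Required      # bitmask taken from FileSystemRights or RegistryRights
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'MISSING' }
    }
    $granted = 0
    $denied  = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }    # orphaned or unresolvable SID: ignore this ACE
        if ($mySids -notcontains $sid) { continue }
        # Registry ACEs expose RegistryRights, file ACEs FileSystemRights; both are int-backed enums.
        $bits = if ($ace.PSObject.Properties['RegistryRights']) { [int]$ace.RegistryRights }
                else { [int]$ace.FileSystemRights }
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bits }
        else                                    { $denied  = $denied  -bor $bits }
    }
    # Explicit Deny ACEs take precedence over Allow, as Windows evaluates them first.
    $effective = $granted -band (-bnot $denied)
    $ok = (($effective -band $Required) -eq $Required)
    [pscustomobject]@{ Path = $Path; Result = $(if ($ok) { 'OK' } else { 'INSUFFICIENT' }) }
}

$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
# "Read\Write" on the HKCU key is modelled here as ReadKey + SetValue (assumption).
$readWrite   = $readKey -bor [int][System.Security.AccessControl.RegistryRights]::SetValue

@(
    Test-RequiredAccess 'C:\NALCACHE'                     $fullControl
    Test-RequiredAccess $env:TEMP                         $fullControl
    Test-RequiredAccess 'HKCU:\Software\NetWare\NAL\.1.0' $readWrite
    Test-RequiredAccess 'HKLM:\Software\NetWare\NAL\1.0'  $readKey
    Test-RequiredAccess 'HKLM:\Software\Novell\ZENworks'  $readKey
) | Format-Table -AutoSize
```

A MISSING result for the HKCU key before Application Launcher has run once is expected, since the key is created on first launch; INSUFFICIENT on the cache or TEMP directory is the usual sign that an NTFS or policy change has gone too far.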
ZFD Desktop Management Policies
• Extensible Policies still available – POLEDIT anyone?
  • Win98/NT/2K/XP
  • Import custom ADM files
• Group Policies provide more control
  • Win2K/XP
  • Same as Group Policies in AD
  • Settings stored in eDirectory and applied when necessary
Interesting GP Aspects
• By default, user-based group policies don’t remain in effect after a user logs out.
• User, Computer and Security group policy settings can be applied to a user or workstation.
• Policies can be scheduled to be applied at a certain time (event or time)
• Workstation group policies have loopback support
  • Replace mode (don’t apply user’s settings)
  • Merge mode (apply workstation’s settings last – last policy applied wins)
Common Group Policy Settings for Labs
• Configure Windows Components
  • Internet Explorer
  • NetMeeting
  • Task Scheduler
  • Windows Installer
• Remove Options from Windows Explorer
• Control Desktop environment
• Remove access to Control Panels
• Remove System Settings and Apps
Locking down Windows Explorer
• Remove dangerous options from Explorer
  • Map/Disconnect Network Drive
  • Folder Options from Tools menu (view file types, Active Desktop)
  • Context menus (shortcut menus when you right-click an item)
  • Hardware tab
  • Search button
• Request alternate credentials for installs
Controlling Drive Access
• Prevent or hide access to drives
  • Designate which drives are available (or not) to users
  • Can prevent access completely
  • Causes some warnings when opening Explorer and dialog boxes within applications
• Recommended: hide drives and handle security through NTFS file rights
Controlling the Desktop
• Start Menu and Taskbar control
  • Remove Settings (no Control Panel, Printers)
  • Remove Run from Start Menu
• Desktop control
  • Hide icons on Desktop (all or some)
  • Control Active Desktop (enable, disable, prohibit changes)
Control System Settings &amp; Apps
• Don’t display Welcome screen at logon
• Disable REGEDIT
• Disable Command Prompt
  • Allow command prompt script processing?
• Run or don’t run specified Windows apps – prevents users from running programs that are started by the Windows Explorer process
• Consider Rogue Process Management
• Disable Autoplay
What about Admin access?
• If you use extensible policies
  • FIRST create a reversed policy that reverses the policies you will create for regular users.
  • Associate that to YOU and other admins
• If you use group policies
  • Create a reversal GP for yourself (just in case)
  • Be careful with Workstation Loopback Support
  • Arrange the search policy to always find and apply users’ policies last
Restricting Applications
• Novell Application Launcher (NAL) can be run as the shell for more security
• Rogue Process Management
  • Application Launcher watches processes run on the workstation
  • Terminates and/or ignores processes not launched through Application Launcher
  • Can log rogue processes too
  • Allows exceptions
eDirectory Design Guidelines
• Tree-wide ZFD policies can be provided by one server.
• You may want more ZFD servers depending on your network design.
• Policies applied to different areas of the tree can be located together.
• The search policy checks to find associations of policies and applications, not the objects themselves.
UGA’s MyID lab authentication
• EITS-run labs authenticate to UGA’s central MyID service
• Windows 2000 lab utilizing Dynamic Local User policy
• DLU is the only user policy applied to MyIDs
• Only allowed DLU access to specified workstations in tree
Limitations &amp; Problems
• Don’t allow additional user policies
• Recommend using Group Policies applied to workstation objects
• Remember group policies containing user settings can be applied to workstations
• Search policy only searches for policies and applications applied to the MyID container (only central EITS settings)
• Departmental applications associated to lab workstation objects
Possible Futures
• Extend MyID information to contain departmental and possibly class information
• Synchronize MyID data to hierarchical eDirectory tree
• Allow department policy and application associated to MyIDs – merge two-tree ZFD settings on user login
• Applications and policies can be applied to users with appropriate departmental affiliation and class load
ZFD Resources
• This presentation will be posted off the UGA ZENworks web pages: www.eits.uga.edu/lans/novell/zenworks
• Official ZFD documentation: www.novell.com/lg/zdpr/index
• ZFD Coolsolutions: www.novell.com/coolsolutions/zenworks
• ZEN email list: ZEN@listserv.uga.edu