A.5 Dynamic Local User Policy Troubleshooting

Unable to update the group membership of the user on the managed device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: On the managed device, the group membership of the user is not updated according to the User Configurations settings of the Dynamic Local User policy.
Possible Cause: The DontUpdateGroupMemberships registry key is set to 1
Action: On the managed device for a 32-bit machine, set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA\Dynamic Local User\DontUpdateGroupMemberships to 0.

On the managed device for a 64-bit machine, set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Novell\NWGINA\Dynamic Local User\DontUpdateGroupMemberships to 0.

Dynamic Local User is unable to log on to the managed device

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the password of the Dynamic Local User in the user source does not meet the password complexity requirements, the user fails to log on to the managed device.
Possible Cause: Password must meet complexity requirements is enabled in the password policy setting of the Group policy of the device (Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy).
Action: Do one of the following:
  • Ensure that the password specified for the user in the user source meets the password complexity requirements. For information on the password complexity requirements, double-click Password must meet complexity requirements in the password policy setting of the Group policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy).

  • Disable the Password must meet complexity requirements setting on the managed device.

Subsequent to the first login, the DLU user is prompted to provide the credentials when he or she tries to log into the device again during the cache period specified in the policy

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the Use the credential specified below and Enable Volatile User cache settings are configured in the Dynamic Local User policy, then subsequent to the first login, the DLU user is prompted to provide the credentials when he or she tries to log into the device again during the cache period specified in the policy.
Action: To enable the user to log into the device without being prompted on subsequent logins, ensure that the Manage existing user account option is enabled in the policy. This ensures that the ZENworks Agent manages the password on behalf of the user.

After logging out of a managed device that is disconnected from the network, a Dynamic Local User is unable to log in to the device again

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If a Dynamic Local User policy that has Use the credential specified below, > Manage existing user account, and Enable Volatile User Cache options enabled is assigned to a device and a user logs out of the device when the device is disconnected from the network, the user is unable to log in to the disconnected device again.
Action: Before the policy is assigned to the device or the device is disconnected from the network, perform the following steps on the managed device:
  1. (Recommended) Select the option Use User Source Password for logging in to the device.

    or

  2. Do the following:

    1. Open the Registry Editor.

    2. For a 32-bit machine, go to

      \HKLM\SOFTWARE\Novell\NWGINA\Dynamic Local User\.

      For a 64-bit machine, go to HKLM\SOFTWARE\Wow6432Node\Novell\NWGINA\Dynamic Local User\.

    3. Create a DWORD called EnableEDirPasswordForFA, and set the value to 1.

The DLU policy does not delete user profiles if the Roaming Profile policy is applied

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: User profiles created with a volatile DLU (Dynamic Local User) that has a Roaming Profile policy in effect are sometimes not deleted on user logoff.
Action: Set the DeleteRoamingCache registry key value. For details on setting the key value, see the Microsoft Support Web site.

For more information, see TID 7006386 in the Novell Support Knowledgebase.

The DLU-based login corrupts the user profile when logging in to different devices with a roaming profile

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: If the user profile is not deleted on every logout on each device, the roaming profile will not work in a stable state when attempting to log in to different devices.
Action: Use the DLU policy Volatile user option to set the local user profile to be removed each time the user logs out.

This requires the DLU Volatile User cache to be disabled. This can be done at: ZCC > Policies > [DLU Volatile User Policy] > Details > Volatile user > Enable Volatile User cache.

For more information, see TID 7010457 in the Novell Support Knowledge base.

The DLU policy allows excluded user to log in

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: When you assign a DLU policy with excluded users to a device and restart the device immediately after enforcing the DLU policy, it still allows an excluded user to log in.
Possible Cause: Random refresh is enabled.
Action: Disable Random refresh.

DLU with smart card uses PIN for Windows user account

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The DLU policy with user source credentials and ZENworks smart card login uses the smart card PIN for the Windows Local user account. In this case password complexity may not meet for the Windows password.
Action: Configure Universal Password policy for the eDir user and create universal password for the user. This universal password will be used for the DLU account.

NOTE:The Password policy should allow the user running this utility to retrieve the user's universal password. For more information, see https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1j5uudh.html.

This universal password will be used for the DLU account.