Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

DLU ignored

12 views
Skip to first unread message

Dale Bentley

unread,
Feb 9, 2007, 9:38:55 PM2/9/07
to
Hi,
 
We're using NW 6sp5, ZFD6.5sp2 & nwclient 4.91sp3. We have a Windows Terminal 2003 server setup, Novell Client, Zen Agent and have created a User Policy to run DLU for our users.
 
DLU is being ignored in this policy for the server but all other items in that policy are accepted.
 
No additional copies of zenpol32.dll exist on the HDD. c:\program files\novell\zenworks is in the path. The registry is set to the correct tree and DLUAllowed is on. I have enabled debug and here is a copy of what is returned.
 
Can anyone see why DLU is not run and how I can fix this?
 
Cheers,
Dale.
 
WMRUNDLL.LOG:
-----------------------------------------------------------
-- DEBUG LOG FILE -- C:\Program Files\Novell\ZENworks\DebugLogs\WMRUNDLL.log
-----------------------------------------------------------
02/10/2007 13:21:49 [508-574] [13:21:49] Event ID is 4002000
02/10/2007 13:21:49 [508-574] [13:21:49] Loading Helper DLL C:\Program Files\Novell\ZENworks\ZENWSREG.DLL
02/10/2007 13:21:49 [508-574] [13:21:49] Calling the Initialization function with flags 0x4002002
02/10/2007 13:21:49 [508-574] [13:21:49] Returned from calling the Initialization function
02/10/2007 13:21:49 [508-574] [13:21:49]    Conn Ref: 0x0  WorkstationObject DN:  CN=TB-SQL00:18:FE:7E:05:12.OU=Workstations.O=Zen  UserObjectDN:  CN=admin.O=TB
02/10/2007 13:21:49 [508-574] [13:21:49] Calling the system helper ex function
02/10/2007 13:21:49 [508-574] [13:21:49] Helper DLL returned
02/10/2007 13:21:49 [508-574] [13:21:49] Free'd the helper DLL
02/10/2007 13:21:49 [508-574] [13:21:49] WMRunDLL exiting...  ccode 0
ZENPOL.LOG:
e - attrName = zenpolPolicy attrType = zenUserPackage
02/10/2007 13:21:45 FindPackage - context->szFullDN = admin.TB
02/10/2007 13:21:45 FindPackage - context->szTreeName = TAXBIZ
02/10/2007 13:21:45 FindPackage - context->dwConnType = 2
02/10/2007 13:21:45 Attempting to get cached attribute: DN<admin.Tomcat-Roles.TB> Attr<zenpolPolicy>
02/10/2007 13:21:45 FindPackage ***** ZPGetObjectAttribute ***** NO DATA
02/10/2007 13:21:45 FindPackage - objectName  = manager.Tomcat-Roles.TB
02/10/2007 13:21:45 FindPackage - attrName = zenpolPolicy attrType = zenUserPackage
02/10/2007 13:21:45 FindPackage - context->szFullDN = admin.TB
02/10/2007 13:21:45 FindPackage - context->szTreeName = TAXBIZ
02/10/2007 13:21:45 FindPackage - context->dwConnType = 2
02/10/2007 13:21:45 Attempting to get cached attribute: DN<manager.Tomcat-Roles.TB> Attr<zenpolPolicy>
02/10/2007 13:21:45 FindPackage ***** ZPGetObjectAttribute ***** NO DATA
02/10/2007 13:21:45 ENTER SearchContainersList ##############################
02/10/2007 13:21:45 SearchContainersList -- searchLevels = 0
02/10/2007 13:21:45 SearchContainersList -- levels = 2
02/10/2007 13:21:45 SearchContainersList -- levelsToSearch = 2
02/10/2007 13:21:45 FindPackage - objectName  = TB
02/10/2007 13:21:45 FindPackage - attrName = zenpolPolicy attrType = zenUserPackage
02/10/2007 13:21:45 FindPackage - context->szFullDN = admin.TB
02/10/2007 13:21:45 FindPackage - context->szTreeName = TAXBIZ
02/10/2007 13:21:45 FindPackage - context->dwConnType = 2
02/10/2007 13:21:45 Attempting to get cached attribute: DN<TB> Attr<zenpolPolicy>
02/10/2007 13:21:45 FindPackage ***** ZPGetObjectAttribute ***** NO DATA
02/10/2007 13:21:45 EXIT SearchContainersList ##############################
02/10/2007 13:21:45 EXIT  ZENGetPolicyDNList
02/10/2007 13:21:45 EXIT  ZENGetPolicyDN
02/10/2007 13:21:45 ZENGetPolicyDN Failed:  103
 
 
 
 

archieZA

unread,
Feb 14, 2007, 4:39:42 PM2/14/07
to

Hi,

I didnt bother reading through your debug files. I came across the
same thing the other day. My problem was that the policy i created was
for WinNT/2k/XP. Make sure that you drop down the tab and select
Terminal Server policies either 2k or XP and create a DLU policie in
there.

Let me know how it goes


+-------------------------------------------------------------------+
|Filename: Capture.jpg |
|Download: http://www.ndsengineers.com/attachment.php?attachmentid=30|
+-------------------------------------------------------------------+

--
archieZA

Dale Bentley

unread,
Feb 14, 2007, 10:41:14 PM2/14/07
to
Hi,
 
Yes the policy is for Terminal server 2000 or 2003 and yet it does not apply.
 
The debug information must be able to be interpreted by someone who could shed light on why it does not apply. Strangely quiet on the suggestion front from anyone else. Has anyone had a similar that they can suggest what could be the workaround?
 
Cheers,
Dale.

>>> archieZA<archieZ...@no-mx.nds_engineer.com> 15/02/2007 8:39 am >>>
Hi,

I didnt bother reading through your debug files.  I came across thesame thing the other day.  My problem was that the policy i created wasfor WinNT/2k/XP.  Make sure that you drop down the tab and selectTerminal Server policies either 2k or XP and create a DLU policie inthere. 

Let me know how it goes+-------------------------------------------------------------------+|Filename: Capture.jpg                                              ||Download: http://www.ndsengineers.com/attachment.php?attachmentid=30|+-------------------------------------------------------------------+-- archieZA


Gaby Bauer

unread,
Feb 18, 2007, 8:18:45 AM2/18/07
to
Do you have set password restriction policies set on the Terminal Server?
Perhaps these settings prevent creating users with the dlu policy.


>>> On 2007-02-15 at 04:41, in message <45D4710B.F...@nospam.com>,
Dale


Bentley<da...@nospam.com> wrote:
> Hi,
>
> Yes the policy is for Terminal server 2000 or 2003 and yet it does not
> apply.
>
> The debug information must be able to be interpreted by someone who
> could shed light on why it does not apply. Strangely quiet on the
> suggestion front from anyone else. Has anyone had a similar that they can

> suggest what could be the workaround?
>
> Cheers,
> Dale.
>
>>>> archieZA<archieZ...@no-mx.nds_engineer.com> 15/02/2007 8:39 am
>>>
> Hi,
>
> I didnt bother reading through your debug files. I came across thesame
> thing the other day. My problem was that the policy i created wasfor
> WinNT/2k/XP. Make sure that you drop down the tab and selectTerminal
> Server policies either 2k or XP and create a DLU policie inthere.
>
> Let me know how it
goes+-------------------------------------------------------------------+|Fi
lename: Capture.jpg

Rolf Lidvall

unread,
Feb 19, 2007, 4:33:19 AM2/19/07
to
> I have not changed any of the password restrictions on that server and
> checking thru them now I cannot see anything that would affect DLU
currently.

The issue you could get with Windows password restrictions and DLU
is that you can not have a Windows password policy that is more
restrictive than the eDirectory password policy. If the Windows
policy is more restrictive, then the DLU account will not be created.

Regards
Rolf Lidvall
Swedish Radio (Ltd)


Dale Bentley

unread,
Feb 19, 2007, 12:25:09 AM2/19/07
to
Gaby,
 
This is a stock standard Windows 2003 Server setup purely for Terminal Services use. I have not changed any of the password restrictions on that server and checking thru them now I cannot see anything that would affect DLU currently.
 
I was hoping someone could interpret the log I attached and tell me where it is failing. I am stumped.
 
Cheers,
Dale.

>>> Gaby Bauer<n...@spam.com> 19/02/2007 12:18 am >>>

Dale Bentley

unread,
Feb 19, 2007, 2:39:12 PM2/19/07
to
Rolf,
 
Anything related to password restrictions on the 2003 server is not enabled so I don't think anything can be more restrictive. Despite that DLU does not function.
 
Any further troubleshooting tips to track it down?
 
Cheers,
Dale.

>>> Rolf Lidvall<rolf.l...@sr.se> 19/02/2007 8:33 pm >>>

Rolf Lidvall

unread,
Feb 21, 2007, 4:38:32 AM2/21/07
to
Sorry, no. I have no experience with TS environments but I can
believe that there could be other Local Security Settings (if this is not
an AD member) than password policys that could affect DLU creation.
I have read through your posts and AFAICS it seems that you have checked
all common issues regarding DLU.
To get correct interpretation of Zen logs I think you need to open a SR,
there is no public available info of codes or anything, so if there is
nothing
really obvious you'd need an engineer to get something out of it.

Dale Bentley

unread,
Feb 21, 2007, 3:16:08 PM2/21/07
to
Rolf,
 
I was living in hope someone out there could interpret the Zen Debug Log I posted. I have seen other post these and get pretty decent responses to what might be going on.
 
Anyone out there with those skills except the Novell Team and raising a SR.
 
Cheers,
Dale.

>>> Rolf Lidvall<rolf.l...@sr.se> 21/02/2007 8:38 pm >>>

archieZA

unread,
Feb 21, 2007, 5:39:37 PM2/21/07
to

Just thought i would throw something in. Have you installed the ZEN
management agent on the server correctly? Are you running the most
current version? If so, is the service running? Are there any
firewall or Data Execution Prevention rules that are possibly blocking
it on the 2k3 server? It always makes sense to start from the
beginning in a situation like this. If you can, try building a virtual
machine on VMWare and installing 2k3 server on it and playing with that
rather than your live server. It might not be your ZEN policy or ZEN
server but rather your workstation manager service.


--
archieZA

Dale Bentley

unread,
Feb 23, 2007, 2:01:33 AM2/23/07
to
Hi,
 
As per my original email: "DLU is being ignored in this policy for the server but all other items in that policy are accepted."
 
So Zen Agent is running fine but DLU policy is the only one ignored. I am at a loss to know what else to try.
 
Cheers,
Dale.

>>> archieZA<archieZ...@no-mx.nds_engineer.com> 22/02/2007 9:39 am >>>
Just thought i would throw something in.  Have you installed the ZENmanagement agent on the server correctly?  Are you running the mostcurrent version?  If so, is the service running?  Are there anyfirewall or Data Execution Prevention rules that are possibly blockingit on the 2k3 server?  It always makes sense to start from thebeginning in a situation like this.  If you can, try building a virtualmachine on VMWare and installing 2k3 server on it and playing with thatrather than your live server.  It might not be your ZEN policy or ZENserver but rather your workstation manager service.-- archieZA


danny_...@interep.com

unread,
Mar 1, 2007, 7:42:40 PM3/1/07
to
I don't have an answer for you but I am having a similar problem which
may help you identify the cause of your problem. I have the same setup
and my DLU account is being created. However, when I log in to citrix
with an alias account, the DLU account is not created.

For example, in my New York container, I have user account objects that
have no problem logging into Citrix and creating the DLU account. Also
in my New York container, I have alias user accounts that point to user
accounts in other partitioned containers. When a user tries to log into
Citrix with an alias user account the DLU account is not created on the
Citrix server.

The Citrix Server (MPS3.0) is located on the same subnet as the Novell
server (6.5sp5), Zenworks 6.5sp2 server and Edirectory server. The alias
user accounts in the New York Container point to user accounts located in
partitioned containers where the master replica for the container exist
on different subnets. (don't know if that makes a difference)

This being said, are the novell accounts being used to login referencing
alias user objects?

Dale Bentley

unread,
Mar 2, 2007, 4:08:24 PM3/2/07
to
Danny,
 
The Novell accounts we are using are not alias user objects. Just one NetWare server with Windows 2003 SBS in same subnet.
 
What version of Windows OS is your Citrix Server running? And what version of NetWare Client is installed - we are 4.91 SP3.
 
Kindest regards,
Dale

>>> <danny_...@interep.com> 2/03/2007 11:42 am >>>

danny_...@interep.com

unread,
Mar 5, 2007, 6:25:24 PM3/5/07
to
We are running Windows server 2003 sp1 with the Novell client 4.91 sp2
and zenworks 6.5sp2.

You may have already tried this, but check CTX737605

Dale Bentley

unread,
Mar 7, 2007, 4:32:29 AM3/7/07
to
Danny,
 
Now good to me .. we have only a Terminal Services server and Citrix Metafame is not installed
 
Cheers,
Dale.

>>> <danny_...@interep.com> 6/03/2007 10:25 am >>>

danny_...@interep.com

unread,
Mar 13, 2007, 2:10:56 PM3/13/07
to
I finaly solved the problem I was having, maybe my resolution may help
you as well.

Like I said before, we have several containers with users who log into
Citrix. Only the NY user accounts were working with the DLU account
being automatically created. No alias' accounts were getting thier
respective DLU account.

In the Container Package (for each container), there is a Search Policy
which I had misconfigured. I stumbled accross this when I checked the
Zenworks Effective Policies on the user accounts. The results of
Effective Policies on a user account should include the DLU Policy. If
not, then the DLU will not be created. I adjusted the Search policy (by
setting it to "Associated Container" and "Search Level" 0) and verified
that the container associated User Package had the proper settings to
create the DLU and it worked.

Hope this helps.

0 new messages