-------------------------------------------------------------------
USERMGM2.DOC -- 19971105 -- Email thread on NetWare User Management
-------------------------------------------------------------------

Feel free to add or edit this document and then email it back to faq@jelyon.com

Date: Thu, 9 Jan 1997 09:59:02 -0500
From: William Ott
Subject: Re: Managewise Listserv

>Is there a Managewise mail list out there?

MWISE-L@BROWNVM.BROWN.EDU

------------------------------

Date: Tue, 14 Jan 1997 15:14:03 -0700
From: Tim Madden
Subject: Lanalyzer Station Names-Solved

I'd been having problems with some of my Lanalyzer Station Names not appearing in the Station Monitor. Here's the solution:

Scenario:
NW 4.1 NDS with several nested containers with associated users.
Win95/Client 32 or DOS/VLM clients
Run "Collect Station Names"
Many Station Names are entered into NAMES_ET.CSV, but only some show up in Station Monitor or Station Details windows.

Solution:
I have several users who login from several stations simultaneously. Collect Station Names reports the user's full name, including context, up to the field limit of 20 characters. Upon finding a second occurrence of a user, Lanalyzer attaches a "~2" to the user's name/context, but it does so at the 21st and 22nd characters, thus invalidating its own database. While the file is being processed for display, once the invalid record in the NAMES_ET.CSV file is reached, the rest of the file is ignored.

---------

Date: Tue, 14 Jan 1997 15:41:04 -0600
From: Joe Doupnik
Subject: Re: Lanalyzer Station Names-Solved

Give that man a prize! That's the kind of digging we hope to see more often. It's a relief and pleasure to see problems identified so well.

The person mainly responsible for LZFW has, unfortunately, left the company for greener pastures this fall.

The workaround clearly is hire shorter personnel and prune the shrubbery. In practice, just don't login to other servers to snoop names.
Joe D.

------------------------------

Date: Mon, 10 Feb 1997 19:41:12 -0600
From: Darwin Collins
To: netw4-l@ecnet.net
Subject: Re: Rights to Reset Passwords

>Does anyone know an easy way to give rights to reset passwords on NW 4.1
>to a Helpdesk group? Give the group rights to the password property and
>let them run SETPASS? We have a large NW 4.1 network and would like to
>turn this over to our helpdesk instead of tying up Administrator..

Myself, have never found one that eliminated the admin having to do ACL modifications per user. There was a utility at Novell's consulting CD, but, it is not on their site anymore.

This is my 'biased' answer. I wrote a 'freeware' utility to do this about 1+ years ago. The latest version is on the site below. (n4pa13.zip)

The front-end is a Windows-based client that the helpdesk staff use to inquire/reset accounts. The back-end is a NLM that runs on a single 4.1x server. Basically, the helpdesk staff have normal access. The .NLM logs in as admin-equal. The real 'admin' setup a .CFG file for the NLM to specify settings and where to put the logs. IMHO, there is no maintenance needed.

Lately, I was told that the client piece won't work with MS NDS. Well, I never planned it this way, but, since MS NDS doesn't handle NDS well, I guess, I shouldn't be surprised. Once, I get some time, I see if I can resolve it. Currently, I am trying to make win95 logins easier for the users.

------------------------------

Date: Wed, 12 Feb 1997 06:09:38 -0500
From: Bob Brown
Subject: Re: Erased file report?

>>>Does anyone know of a utility to report on erased files in
>>>specific or entire directory trees?
>>
>>Salvage or filer will give you a list of the deleted but not purged files.
>
>Larry (or others), I've been through FILER and cannot find reference
>to a deleted files list.
>
>Salvage seems hopeless....
>It only lists deleted files in one
>directory at a time, it fails with out of (conventional) memory errors
>when there are more than ~2000 files, and it must be used manually.
>
>How could I even think of using a manual program like SALVAGE to find
>which directory has the surplus of deleted files I wish to purge.
>There are over 3500 directories on the volume, rather time consuming
>to look in each one? Am I missing something?
>
>>>I have a few users who generate bunches of salvageable junk files that
>>>take up valuable space. I could PURGE the files if I knew which
>>>directory they were in.
>>>
>>>I'd prefer not to purge the entire volume or set the auto-purge time
>>>shorter.
>>
>>If these are never recovered, you could set the directories as purge,
>>and the files will automatically disappear.
>
>That's a great idea, one I'd like to do, but I first have to identify
>which few directories/users containing the "purgable" files. Like I
>said, there are over 3500 to look at!

I discovered a freeware program that is advertised as doing what you want. The URL is: http://www.jumbo.com/pages/utilities/dos/lan/lsalv103.zip.download.htp. I haven't tried it yet but will do so today.

------------------------------

Date: Sat, 15 Feb 1997 09:17:13 -0600
From: "Mike Avery"
To: netw4-l@ecnet.net
Subject: Re: Network Menu

>I personally like the one which comes with netware. It is a subset
>of the Saber LAN Station product from Mcafee. Novell bought the
>rights to the DOS portion of the Saber LAN workstation product
>before McAfee acquired Saber Software.
>
>I like the potential ability to "upgrade" to the higher end product
>(which works with Windows and does a lot of other things...) and not
>losing my time investment in my DOS menus.

The problem with the Saber menu is that it loads as a TSR. In order to get it to load called programs with no memory overhead, it has to unload again. As a result, it is not as stable as some other menus, such as NetInc's NetMenu or DougMenu.
It can be made to work and work well, but the need to compile the menu before use is also a bother.

With NetInc's NetMenu and DougMenu I have set up options, based on user ID and group membership, that let me edit the menu on the fly. It makes it really easy to add an application or a function.

I've used all three, and for my money DougMenu has the best bang per buck since it's free, NetInc's NetMenu is the best product, and Saber is useable.

---------

Date: Sun, 16 Feb 1997 11:10:22 -0600
From: Darwin Collins
To: netw4-l@ecnet.net
Subject: Re: Network Menu

>Does anyone know of a DOS-based, NDS-aware, network menu? I have seen
>a lot of menu solutions over the Internet, but none with NDS support.
>
>We still have several DOS workstations, and it would be useful if we
>could replace our menu with one which works with NDS.

John Toney
Net Enhancment Inc.
1-713-446-6727.
Product called 'NetMenu'.

------------------------------

Date: Mon, 17 Feb 1997 10:46:06 EST
From: Gilbert Armour
Subject: Re: WIN95/WINNT on 3.12

Placing config files on the network...

Win95: Control Panel:Passwords:User Profiles tab. Second option, Users can customize their preferences. If done while logged in using client32, it will create User.Dat in the user's mail dir (SYS:Mail/userid). When user logs in, Client32 looks in user's mail dir first for User.Dat file then looks on local PC. If not found, then W95 looks locally for user's profile. If not found, then default user configuration is used. When user logs out, config data is saved on server in user's mail dir. This should work for the other client versions (MS and VLMs).

WinNT: Administrative Tools: User Manager: user: Profile Button. For each user, enter the path to the user's profile. I would suggest the user's home dir on the server. If it's not there the first time, NT will use the local default profile and save it to the path on log out.
WinNT user validation by NetWare: Novell just released its Workstation Manager, but it requires NetWare 4. According to the Jan 97 issue of NetWare Connection, it allows NTW to authenticate to a NetWare server. Otherwise, you'll have to set up users on each NTW. Set up only those users in the same area as the NTW? It would cut down your work. The only other options are get an NT Server or upgrade to NetWare 4.1.

------------------------------

Date: Tue, 18 Feb 1997 09:28:38 GMT
From: Adrian Cunnelly
Subject: Re: Require utility to check the space used by users

>I hope some one can tell me if there is a shareware/freeware utility
>or a method to report the network volume space used by users.

The latest version of WnSyscon will print user details including volume restrictions.

http://www.amcsoft.demon.co.uk/wnsyscon.htm

------------------------------

Date: Wed, 26 Feb 1997 03:12:31 GMT
From: "David G. McDivitt"
Subject: shareware utilities

I have converted several shareware programs to freeware. They do many useful things, such as:

1) edit, cut, paste files in binary mode up to 2 gig in size on network drives
2) use Novell fileserver calls for copying
3) view printed reports in 132 column VGA mode, page by page
4) neat utilities for building complex batch files from dir scans and byte string search
5) bookmark editor to merge Netscape and Explorer
6) replacement for XCOPY and NCOPY with many options such as file exclude, ERRORLEVEL exit, and report generation for completed backup
7) others

I plan on adding more once I add a little documentation to them.

http://cust.iamerica.net/mcdivitt/sharewar.htm

------------------------------

Date: Thu, 27 Feb 1997 19:15:30 +1300
From: "Baird, John"
Subject: How to make bindery values consistent with NDS?

>If I change a user's Full Name on the 4.1 server using NWAdmin,
>then any bindery utilities (SYSCON, JRB's GETREST) will report the new,
>changed name -- just as expected.
>HOWEVER, if I change the user's name using
>UIMPORT, then bindery-based utilities don't see the change -- they continue
>to report the original, unchanged name. So, two questions:
>
>1. Is there a way to make the bindery values consistent with NDS after
>making changes through UIMPORT? Can I force the bindery services value for
>Full Name to take on the NDS Full Name?

The bindery is always consistent with NDS (subject to replica synchronisation) as there is no separate bindery database. 'Bindery' information is retrieved from NDS. I'm not familiar with the quirks of uimport but if changes to the full name do not subsequently show in nwadmin or in bindery based tools, then uimport is not changing the full name. Are you saying above that the changes show in nwadmin but not in bindery tools, or that the changes don't show in either?

>2. Out of curiosity, where is the original Full Name being stored such that
>bindery services still sees it even after it has been changed in NDS?

Not surprisingly it's stored in an attribute named "Full name". However, that wasn't a silly question as for example, the field named "Department" by netadmin/nwadmin is stored in an attribute named "OU".

------------------------------

Date: Mon, 17 Mar 1997 14:23:33 GMT0BST
From: Liz Jarman
Subject: Re: how do I stop messages in Windows?

>I have two Netware 3.12 networks with the workstations running windows
>for workgroups 3.11. The networking option of WFW is not used, but the
>students go into File Manager, Network Connections, then to Netware Send
>Messages, then make a nuisance of themselves. How can I stop them from
>sending messages?
>
>They don't really need to go to the Network Connections option, as all
>the drives that they need are mapped when they log on.

We now use VLM 1.21 and client 32 (which both use the same Netware.drv).
We got the following from Brett Looney via the Novell list:

>From May 1996 Appnote:

The biggest change to NetWare User Tools is that all functionality of NetWare User Tools may now be restricted. The following user interface restrictions may be included in the [Restrict] section of the NETWARE.INI file:

UserTool=0        Disable all user interfaces provided by NETWARE.DRV
NoHotKey=1        Disable all Hotkey access
NoDrives=1        Disable the NetWare Drive Connections portion
NoLPTs=1          Disable the NetWare Printer Connections portion
NoConnections=1   Disable the NetWare Connections portion
NoSend=1          Disable the NetWare Send Message portion
NoSettings=1      Disable the NetWare Settings portion
NoUser1=1         Disable the user-definable button 1 portion
NoUser2=1         Disable the user-definable button 2 portion

Perhaps this could be one for the FAQ, accredited to Brett.

------------------------------

Date: Mon, 17 Mar 1997 09:58:29 -0500
From: Dan Schwartz
Subject: Re: Macintosh Questions

>I am a public school teacher, in charge of our network...
>
>Is there any way to use the "Read Only" attribute with Mac files? Some
>of my students discovered they can copy programs at will from an
>application folder they have access to, to their own personal folder. The
>"read only" flag should prevent that, but it can't be selected in NWAdmin.

It's not a big deal if the kids copy an application to their own folder (for execution speed, as the application will call Resources on the local drive); but it IS a big deal if they put it on a floppy to take home.

Here's how to dampen the floppy copying:

1) Create an image of, say, 1 megabyte in Adobe Photoshop. Make it "complex," i.e.
not a solid color, so it will NOT compress into a few bytes;
2) Save the file as a PICT Resource -- Use a name like "Filler-Killer" & keep it handy;
3) Highlight your copy of the ResEdit application (free, available at or ) and select "Get Info" from the Finder File menu;
4) Increase the Minimum Memory size to 2000 kilobytes; and the Preferred Memory size to 8000 kilobytes or so; and close the Get Info window. This is needed to handle the large resource you created in Step 2;
5) Create a COPY of the application you wish to pad by highlighting its Icon and hitting Command-D (or selecting "Duplicate" from the Finder File Menu);
6) Open the "Filler-Killer" file and copy the PICT to the Clipboard;
7) Open a copy of the application in ResEdit and double-click on the PICT Resource icon;
8) Select Create New Resource from the Resource Menu (Keyboard shortcut: Command-K);
9) Paste in the big PICT from the Clipboard;
10) Select Get Resource Info (Keyboard shortcut: Command-I) from the Resource menu and assign it an unused number. But, DO NOT use a number below 130!!
11) Save and close.

What you just did was paste a picture file into the target application, so that it takes up more than 1 floppy. Test it with Stuffit to assure that even compacted, it still takes up more than 1.4 MB.

------------------------------

Date: Tue, 18 Mar 1997 07:51:00 GMT
From: Adrian Cunnelly
Subject: Re: Network Administration from Win95/WinNT

>We are running Novell 3.12, and have just moved our workstations to
>Win95 and WinNT. In no time flat, it seems that we have become
>"mouse-dependent." Are there any Windows utilities (preferably free)
>that do the job of most of the common Novell utilities (Syscon, Filer,
>Pconsole, etc.)?
I have produced a Windows version of Syscon, you can get an evaluation copy from:

http://www.amcsoft.demon.co.uk/wnsyscon.htm

------------------------------

Date: Tue, 18 Mar 1997 12:40:49 -0600
From: Joe Doupnik
Subject: Re: netware 4.x volume mirroring

>Does anyone know of any software package or utility that can
>mirror/copy netware volumes and/or directories on volumes to other
>volumes on other servers. I'd rather not deal with ncopy batch files,
>I'd rather use a utility that is NDS aware.
--------------
Try the beta of Novell's Replication Services (NRS). This replicates files/dirs to many destinations and keeps them in synchronization (one way or two way). Users need rights to only their copy. Runs on NW 4.1. Think of it as a form of NDS for file systems. Visit www.novell.com to get the beta.

Joe D.

------------------------------

Date: Thu, 20 Mar 1997 17:42:56 -0600
From: Joe Doupnik
Subject: Re: # of connections

>My server is running Novell Netware 4.1 (patches applied). Our workstations
>are running Windows 95 (with Client32) and Windows NT 4 (with and without
>Client32). Recently I limited the number of concurrent connections that
>users can have to the server (some to one and others to two). Now, some of
>users that are limited to one connection can't log in while others can.
>Also, some that are limited to two connections can log in on only one
>machine - others two. It does not seem to be consistent.
>According to Document ID 2916684 the "additional connection is created by
>design" and "because this connection is not a licensed connection [it] will
>not affect the license count." I am not concerned with the license count,
>but it seems to affect the limit placed on concurrent connections.
>
>Also, according to Document ID 2913700 "Novell is aware of the issue" but
>only suggests as the solution "[increasing] the users concurrent connections
>limit by one." To me, this can pose a security problem.
>While increasing
>the number of concurrent connections to two allows the user to log in only
>once using Win95 and Client32 it allows the user to log in twice using DOS,
>Windows 3.1, or Win95 without Client32.
>
>Is Novell planning on doing something about this? If so, what can be
>expected - and when?
--------------
I can relay only impressions on this widely reported difficulty. And that is Novell is indeed aware of the problem in some detail, and that so far as I am aware no solution is in the immediate offering. I suspect, but do not know, that there has been a minor collision of goals (mending broken connections and doing the regular breaking of them upon logout) mixed with probably incomplete code. Such conditions take awhile to unravel to their underlying implications.

No solace in the above paragraph, and not much information either.

Joe D.

------------------------------

Date: Mon, 24 Mar 1997 14:50:04 EST
From: "Robert L. Herron"
To: netw4-l@ecnet.net
Subject: Re: Login Restriction Problem

>From time to time, a user calls us, saying they can't log in, message
>"number of logins allowed exceeded"...but the user is not logged in to
>ANY stations. When I look at the monitor, the user is not logged in.
>When I type NLIST USER /A /R /S to see all users active, the user appears
>as if he was logged in. When I type NLIST USER /A /B, the user does NOT
>appear.

Check out REMADR.EXE from SUPPORT.NOVELL.COM

------------------------------

Date: Wed, 26 Mar 1997 18:36:22 -0600
From: Joe Doupnik
Subject: Re: Win95 Policy/Registry Control

>Maybe what would come closest is RPL boot Win95. Testing for %OS_VERSION
>in the Login Scripts to see if Win95 is used (and if so if the WIN directory is
>anything
>else than your RPL Win95 directory reboot the PC) and if not reboot the PC.
>Put USER.ROM in all MAIL dirs. Revoke rights in MAIL dirs to safeguard
>USER.ROM.
>That besides specialized software that I don't know of.
---------
What seems to be being discussed here is "we want the network to assume management roles" in one form or another. The way MS has .pol stuff arranged it is easy to bypass, as noted previously. The problem is, whether users turn on bad stuff, and they don't need Win95 to do that. In my view that's the real problem, not the aspect of trying to control the desktop from the file server (can't be done). Managers trying to prevent folks from tinkering with their desktops are in a losing battle from day one.

As also pointed out, the way to approach the bad stuff on the wires is apply filtering on routers, and then have an approved policy in place to notify, educate, and coerce offenders. My site has about 20K users, of all stripes. We have folks firing up Win95, NT, Linux RedHat, whatnot, proclaiming to be NW servers. Our policy says if you do that your hub port stops working. We try education first, naturally. But we also have loads of two user NW 4 "gumdrops" in student dorms, and we tell our Cisco routers to block those items.

In all, a file server can't control these activities, so don't try that tactic. It's half a people problem (education) and half a people problem (discipline), with routers engaged to limit the damage.

Joe D.

---------

Date: Thu, 27 Mar 1997 09:22:46 +0100
From: David van Duijne
Subject: Information concerning Windows '95 System Policies

Windows '95 has a great ability to "lock" pc's configuration and abilities. If you have searched the WIN95RK.HLP then you should have noticed it.

Now, we have a config of two servers and 30 users. Couple of them use Win '95, others win 3.x. And I am happy to say that the Win '95 machines have better protection than the 3.x machines.

Here is how to protect (even "alien") pc's from clobbering your network:

Minor setback is, you have to enable Users Profiles in the Network settings.

- Install POLEDIT on your Administrating PC.
- Open a new file named CONFIG.POL and put it in the directory F:\PUBLIC.
- Open the DEFAULT USER.
- Disable the configuration, Use the ALLOW ONLY REGISTERED WINDOWS APPLICATIONS feature to disable Setup.exe etc.
- On the DEFAULT COMPUTER, enable Profiles (This can be done automatically, you won't have to jump all around campus to do that.) The only thing you have to do is, config the machine to use the Netware login as the default login.
- Copy this file (CONFIG.POL) into every server PUBLIC directory.
- CAUTION !!! Do not forget to add a user with your name and enable the POLEDIT.EXE or you won't be able to do your tasks.

Yes, with this thing you can assign different users different rights to certain parts.

When a user first logs in, this will create a sub directory under his MAIL Dir and Win '95 uses it as the START MENU. To disable this, use the USE THIS DIRECTORY FOR START MENU under the Shell option in the Default User. Set this to WINDOWS\START MENU.

------------------------------

Date: Wed, 26 Mar 1997 22:43:23 -0500
From: Glenn Fund
Subject: Re: NAL (App. Launcher) 1.11 update == 1.10?

>>>>They really need to improve on a menuing type system in NAL. This is
>>>>its weak point - every net app is in one folder. There has to be away
>>>>to do it - maybe display the apps by branch level in the OU , etc.
>>>>
>>>>My uppers are big on the drill-down 'menu' concept for ease of use and
>>>>have started using a program called Win U (shareware type u register)
>>>>which totally takes away from the 95 desktop and makes it like a old
>>>>DOS based menu. You can't exit this menu - it kills the taskbar, all
>>>>desktop icons.. and stays ON top of everything else except the
>>>>programs it launched. I'm not big on that at all and am looking into
>>>>NAL as much as I can as a alternate method - plus NAL does on the fly
>>>>drive/port mappings and scripting which will solve my drive mapping
>>>>problems for the smaller apps and CD-ROM access, etc.
>>>>
>>>>Now.... that I drifted off a bit......
>>>>I really need to know if NAL is
>>>>capable of doing some sort of metering of apps - limiting use to a
>>>>certain # of people or something to that effect. Also I saw a E-mail
>>>>field somewhere -- where do I configure this info?
>>>>
>>>>We need a separate list for NAL and NAM! I think Novell has another
>>>>winner here - it just needs some improvement.
>>>NAL does not have any metering/monitoring features yet that I am aware
>>>of. Maybe in the next mutation of NAL, which I think is called
>>>ManageWise Application Manager.
>>The feature we are missing most is sub-foldering and after repeated
>>discussions with Novell we keep hearing it "will be in the next
>>release".
>>
>>I've been busy installing a new IntranetWare server from scratch and
>>have applied the Service Pack2, and been playing with NAL - its new
>>and very nifty! I applied the 1.11 updated to the v1.02 which came
>>installed with the base NOS. However under Help -> About in NAL it
>>reports v1.10 - is this ok? I know 1.11 updated some DLLs which might
>>not reflect the true version number. Just checking......
>>
>>Anyone know anything about NAL on how to configure sub folders/etc or
>>isn't it capable of doing different levels yet?

Yes, you are right. It is a winner. If you couple this product with Seagate's WinInstall, you have the App Launcher configured centrally with application ICONs appearing on users desktop based on OS platform (Win31, Win 95 or NT) and on any NDS criteria that you can think of. The WinInstall actually creates the script to install the necessary libraries, establish the icons and change the registry to have the components in place to actually run the application. The first time a user clicks an Icon, the application installs itself based on the WinInstall script and then runs the app. Thereafter, the Registry keeps track of what has already been installed and simply runs the application.

I personally like SoftTrack for metering which is a totally independent product.

------------------------------

Date: Mon, 31 Mar 1997 19:15:02 -0600
From: "Mike Avery"
To: netw4-l@ecnet.net
Subject: Re: NetWare 4.1 and ManageWise 2.1

>I've got about 1000 diskless
>workstations attached to a number of Compaq servers running NetWare
>4.1. I have recently started a migration to ManageWise 2.1 from
>NMS/LANDesk etc. Both NetWare and ManageWise are patched to the
>required level. The problem is when LDISCAN.EXE runs at login a
>message pops up that says "No such file or directory" then the scan
>completes successfully. If I login on a machine with a hard disk
>there is no problem. Novell haven't yet figured out an answer for me.

You haven't talked to the right person at Novell yet. I'd ask for my money back.

The inventory assumes that there IS a local hard disk. There is a switch you can use to make it skip the local check, but that rather defeats the purpose of the whole thing. It could be worse - some earlier versions of Intel's LANDesk just locked up.

I'd move the inventory out of the login script and into a batch file called from the "exit" line in the login script, and have the batch file test for a C: drive. "If exist c:\autoexec.bat" is usually a fairly safe test. If it exists, then do an inventory. If not, skip it. Or, look at the flags available on the command and then only do a hardware inventory on the diskless machines, and a full inventory on the ones with disks.

I got rid of ManageWise a while ago, so the manuals are un-installed also. But, look at the command line options for the inventory programs, and your questions should be answered.

------------------------------

Date: Tue, 1 Apr 1997 09:06:06 -0600
From: "Mike Avery"
To: netw4-l@ecnet.net
Subject: Re: NetWare 4.1 and ManageWise 2.1

>Can anybody suggest a management product for little guys? I am just
>getting started in networking and want to set up a Lan for our
>organisation. Probably with time a maximum of 50 PC's. I have tried
>the ManageWise demo but it seems too big for me.
>I would like to
>have something to reduce (not increase) management overhead.

There are a number of choices. Here they are, with my opinions.

Novell ManageWise - a solid NetWare product, with limited cross platform support. A high price and a steep learning curve make this a difficult product to recommend for small to medium sized LANs.

Intel's LANDesk - a sibling to Novell's Managewise. While they parted ways several revisions ago, similarities remain. I used to use it, and every time there is a change to the NetWare environment, it seems to fall on its face, and a new version of LANDesk is required - and an update fee is usually charged. Intel is working on platform independence, but the package has been so tied to NetWare for so long, it's not there yet. All in all, I feel it's overpriced, and that it doesn't meet its goals.

Microsoft SMS - an interesting product for NT LAN's, but poor cross platform support renders it (all but) useless for NetWare 4.X. I suggest against it. A number of third party vendors have produced add-ons that fill in the holes that it leaves unfilled, such as software metering. Not a good choice.

McAfee Saber System software - I had trouble getting in to the package. I found it too large, too klunky, too buggy, and too expensive. However, it gives the system manager an unequaled level of control over the Windows environment, which is good for situations that demand control over the users.

Seagate DMS - this is the re-packaging of Frye's management system. It's promising, as Seagate has added and integrated a number of other packages to it. I haven't looked at the most recent version, but am about to. I looked at the previous version, and it was promising.

LANOvation's LAN Escort - this is a Windows software distribution and management package. Its management options are limited, but what it does, it does extremely well. It's my favorite software distribution system.
It works well with NAL, giving a reasonable level of control over the Windows environment.

Attachmate's NetWizard - A good package, but it is such a new one that the company's commitment to the market has not yet been demonstrated.

Netsoft's NodeVision Pro - a good choice for a smaller LAN - inexpensive, easy installation, easy learning curve, but it is missing anti-virus and remote control functions. Word macro protection is available at no cost from Microsoft, and Symantec (among others) will sell you anti-virus and remote control programs separately. Netsoft is looking at remote control options, but feels that most people have settled on anti-virus products and is reluctant to add one to their package.

Symantec NAS Basic and Enhanced versions - good choices, full fledged packages, everything from soup to nuts. The price is not cheap, but it is reasonable. The package integration could be better, but isn't a major problem. However, Symantec just sold NAS to HP, so the product's future is, to some extent, uncertain. I suspect that it will be integrated with HP's OpenView, giving HP a better handle on Intel based LAN's. The price is good, though higher than that of Netsoft's NodeVision Pro. The package has the best level of NOS independence I have seen, especially important for heterogeneous environments. The enhanced version adds excellent WAN capabilities and server management.

---------

Date: Tue, 1 Apr 1997 10:31:44 -0600
From: "Mike Avery"
To: netw4-l@ecnet.net
Subject: Re: Experience with ManageWise 2.1

>I am studying some network management tools. I would like to buy
>ManageWise 2.1.

Sounds like you made your decision before you evaluated your options. Sometimes that turns out well, but the results can't be counted on.

>I have an Ethernet network with 5 servers (2 Netware 4.1 and 3
>Unix System V). Is ManageWise useful for a network like this? I
>mean, does ManageWise support Unix servers? Does anybody use other
>tool?

To the best of my knowledge, ManageWise does not get into Unix systems at all. The question that comes to mind is, what do you need to do to, with, or for the Unix hosts with ManageWise? If a client PC attaches to both the Unix and NetWare servers, then the ManageWise will be able to control the clients, and only 3 servers will remain the odd men out. Not too bad. You can usually manage Unix hosts with telnet or x-windows pretty effectively.

If you need Unix management, you might start out looking at that, and then see what those packages offer with respect to NetWare management. One of the problems is that the first question will be which Unix, on what hardware platform? Sun, SCO, HP, IBM, Linux, FreeBSD, DEC, and many others are available and they are all different. Or you might look to see what sort of integrating platforms are available that will manage different packages that will in turn manage NetWare and Unix servers you have. Be ready to write big checks though, integrating platforms tend to be expensive.

>Can anybody tell me his/her experience about it and about
>ManageWise in great terms?

I have not used ManageWise on a daily basis for an extended period of time. However, I feel that the learning curve is rather steep, and that for small to medium sized networks it may cause more problems than it resolves for an inexperienced system administrator. There are simpler, and cheaper, packages.

The exception to this is for service agencies that are using it to manage clients' LAN's. It's better to manage remotely than to visit the user's site (if you can get paid for remote management).

---------

Date: Wed, 02 Apr 1997 08:51:56 -0500
From: Dennis Large
To: netw4-l@ECNET.NET
Subject: Re: Experience with ManageWise 2.1

>I am studying some network management tools. I would like to buy
>ManageWise 2.1. I have an Ethernet network with 5 servers (2 NW 4.1
>and 3 Unix System V). Is ManageWise useful for a network like this?
>I mean, does ManageWise support Unix servers?

Just getting started with it myself, but you'll need to decide which of its parts you want/need. For day to day mgmt, the suggestion of rconsole and PCAnywhere (or suitable sub) is probably the best.

1) the server agent - does an excellent job of giving you info for trend analysis, capacity planning, troubleshooting.
2) Virus - its major weak point for me. I'd stay away till it's fixed.
3) netexplorer (inventory) - Not in yet, but seems like it's going to do as good a job as most of the others. Value seems bit dubious for small networks, but I may be a little shortsighted about that.
4) client remote control - could be helpful for the helpdesk function, esp if you're like me - lazy and don't want to leave your desk.
5) lanalyzer - good trouble shooting tool, at least for its segment. You'll want the client piece as well.
6) other systems - anything else would be covered by SNMP standards, which it will accept. You'll be limited by the mibs on that particular piece of eqpt.

---------

Date: Wed, 2 Apr 97 07:03:15 -0800
From: Randy Grein
To:
Subject: Re: Experience with ManageWise 2.1

>Side question - anybody have any suggestion on good books for learning
>the ins and outs of SNMP? The redbooks are pretty skimpy. Some decent
>info in 'Internetworking with Netware TCPIP' from New Riders, but thought
>there might be some others worthwhile.

There's a couple of GOOD books on the subject on the unix side of things, but they're pretty deep. The ones I'm thinking of are part of a series on the various protocols that make up TCP/IP, blue & white. Can't recall the name offhand, but I'll check it out later today.

---------

Date: Wed, 2 Apr 1997 09:33:34 -0600
From: "Mike Avery"
To: netw4-l@ecnet.net
Subject: Re: Experience with ManageWise 2.1

>There's a couple of GOOD books on the subject on the unix side of
>things, but they're pretty deep.
The ones I'm thinking of are part
>of a series on the various protocols that make up TCP/IP, blue &
>white. Can't recall the name offhand, but I'll check it out later
>today.

Those would be the O'Reilly books, and they are widely available. Check Walden Books, BookStop, B. Dalton, Books-a-Million, or any other book seller, they either have them, or can get them. (Hint - many times the bookstores for colleges with computer science departments have pretty good book selections.)

---------

Date: Wed, 2 Apr 97 06:22:17 -0800
From: Randy Grein
To:
Subject: Re: Experience with ManageWise 2.1

>To the best of my knowledge, ManageWise does not get into Unix
>systems at all. The question that comes to mind is, what do you need
>to do to, with, or for the Unix hosts with ManageWise? If a client
>PC attaches to both the Unix and NetWare servers, then the ManageWise
>will be able to control the clients, and only 3 servers will remain
>the odd men out. Not too bad. You can usually manage Unix hosts
>with telnet or x-windows pretty effectively.
>
>If you need Unix management, you might start out looking at that, and
>then see what those packages offer with respect to NetWare
>management. One of the problems is that the first question will
>be which Unix, on what hardware platform? Sun, SCO, HP, IBM,
>Linux, FreeBSD, DEC, and many others are available and they are all
>different. Or you might look to see what sort of integrating
>platforms are available that will manage different packages that
>will in turn manage NetWare and Unix servers you have. Be ready to
>write big checks though, integrating platforms tend to be expensive.

Of course, the only 'unix' management imbedded in Managewise is SMTP, but it does accept quite a number of snapin modules. As Mike mentioned, you should check out what's available for your particular flavor. Depending on that you should get full functionality.
------------------------------

Date: Wed, 9 Apr 1997 15:43:49 -0400
From: Debbie Becker
Subject: Re: Netware 4.1 Security

>I am running 9 Novell 4.1 servers over a WAN with container
>administrators in each state. How can I check users security,
>i.e. who has supervisor access etc. at both the NDS and file levels.
>
>I am aware of a utility that came with Netware 3 called SECURITY.
>I don't have a copy of this and am not sure if it would be of any
>use if I did have it. I would assume it would only work within a
>bindery context and wouldn't know about NDS rights.
>
>I have used RIGHTS /S /T from the [root] context. Is this the only way?
>or is there another?

I use

    RIGHTS VOLUMENAME: /T /S

to get trustee assignments for all directories/files on a volume. Usually port this off to a file for easier evaluation.

For NDS rights, I CX to the [Root] of the tree and type:

    NLIST * SHOW ACL

This will show you the Access Control List (a.k.a. Object Trustees List) for all objects in the [Root] context ([Root], Country, Organization) with trustees and all Object and Property rights granted shown. I then run this for any object I want to check trustees for (i.e., NLIST "ORGANIZATIONAL UNIT" SHOW ACL /S). Usually run it for Organizational Units and Server objects. (Sometimes for volumes as well, since people seem to feel that granting NDS rights to volume objects will somehow translate into file system rights).

Last thing I do is to run

    NLIST USER SHOW "SECURITY EQUAL TO" /S

for a listing of all security equivalences (groups, org.roles, other users, servers, etc.)

------------------------------

Date: Sun, 13 Apr 1997 00:41:01 GMT
From: "David G. McDivitt"
Subject: Re: Redirecting NCOPY's output

>I am trying to automate some large NCOPY'ing in NetWare 3.12 and
>would like to capture the output to file for my record's.

Try my NCOPY replacement program. It has more features, including an exclude list for directories or files you don't want to copy.
I have another program which optionally deletes files from the destination tree which no longer exist in the source tree. Both programs produce a history file for results. They used to be shareware, but are now freeware. Find them at:

http://cust.iamerica.net/mcdivitt/sharewar.htm

------------------------------

Date: Thu, 17 Apr 1997 19:02:54 -0400
From: Doug Black
Subject: Re: NWAdmin annoyance

>I am in NW 4.11's NWADMIN, and I frequently have to do searches to
>find users in a large tree.
>
>So I pull down the Object menu, select Search, and tell the utility I want to
>search the entire subtree of whatever my context is.
>
>But every single time, I have to select User from a pick list, then select
>Name from another pick list, then check the Search Entire Subtree
>box, and then of course the username value. This is every search
>instance, even if that's all I've been doing for the last half hour!

When I open NWAdmin for the first time, I click on the local root, then open a search box. I select "Search entire subtree", then I select "User" and leave the property fields blank. What I get is a list of ALL users in the part of the tree I manage. Then when given a particular user to lookup, I just highlight the search box and start typing the login name. Presto! I'm there.

This works for other objects (print queues, etc), too, of course. Now if I could make NWAdmin open this box for me by default, I'd be all set!

------------------------------

Date: Tue, 22 Apr 1997 21:10:45 +0000
From: "Robert S. Sfeir"
Subject: Re: splitting up large student OU's

> The same way one deals with email addresses and sundry web server
>addresses: explain "that's the way they are" and walk away. People are
>quite devious, clever, and energetic if they want something, so just walk
>away and don't be their implement.
> Joe D.
While I agree with Joe, this is sometimes hard to ignore if it's coming from higher ups, who sometimes don't quite understand the logistics of subdividing a network and an NDS tree, and just want you to make it happen. (Thank God I'm not in that situation anymore!)

I read a book called "Novell's four principles of NDS design". We recently rebuilt our whole network, including the tree, to accommodate future expansion and WAN links, and that book was IT! Without it I would have spent a lot more time trying to figure things out. The book discusses large OU containers and the problems they can cause in NDS, and what options you have to make them better. I suggest you spend the $30.00 and go get it. You will find what you need in there.

As far as login scripts that's really tough. I think if you have different contexts you're inevitably going to need the stations to switch automatically. So keep your container names short, print out the exact syntax for the login name, give it to your users, and hope for the best. Once inside and logged in you can use NAL to MAP drives on the fly depending on the applications or directories they are trying to access. Once they are done, everything is reset for the next person.

If at all possible use one of the client 32s... I find that my users can log in a lot easier with a graphic interface, rather than the ugly useless DOS red bar login style where you can't even see anything when you type a password, and you have to type login every time you make a mistake in your password and login name...

As to the e-mail addresses, I solved this by simply using SLMailNT and Eudora. When a user logs in a drive is mapped directly to his/her Eudora application folder. I use NAL to MAP the drive on the fly and point it to the correct directory based on the %login_name variable. If you want to make your life simple, just stick Eudora on a floppy, point the map to the A: drive, and have the users simply put the floppy in the drive...
Instant MAPPING!... Maybe you can think of a way to implement that with your e-mail system!

------------------------------

Date: Thu, 24 Apr 1997 02:47:41 +0100
From: Philip Zelazowski
Subject: splitting up large student OU's

>I currently have an organizational unit with about 4500 student ID's.
>While it seems to work ok for the most part, some of our performance
>problems are undoubtedly caused by the large number of objects in the
> OU.
>I am planning to split the OU into sub-containers but would like to see
>what others are doing in similar situations. We have 4 servers handling
>the 4500 users, so my initial thought was to create a separate OU for
>each server an put 1/4 of the objects in each OU. This would result in
>something like username.server1.student.acadia. If we did this approach
> I would use some easy scheme to determine which server the student was
>located on, although undoubtedly there would be confusion.
> Alternatively I could avoid a server-centric OU design and set up
>several OU's based on last name. This might produce something like
> username.abc.student.acadia
>and username.def.student.acadia and so on. I would have to assign home
>directories to the OU's to try to keep things as uniform as possible.
>While this approach avoids assigning a specific server to a student
>(which perhaps makes things a bit more flexible), it doesn't really
>avoid the confusion.

I've got only 1500 students at my school, but still a handful with a throughput of some 500 a year. With this figure in mind I designed my NDS over four geographic sites, the degree course, the year a student graduates. The year containers are further grouped using groups to demonstrate what kind of degree, ie 2yr_BA, 3yr_BA, MA.

The starting context for each site is the same, the organization itself - the school name .o=ccad (Chelsea College of Art & Design.)
The student has learned the syntax for their rather long login name like this:

myname.year I finish.what I do.where I do it from - smithj.98.public_art.limegrove

They use the same login name at any machine from any of the four sites scattered over west London, the system login scripts are duplicated throughout the year containers (which contain the students) and will map the student's data, email, preferences drives to the student's local site server, while mapping operating system and applications drives and machine specific files from the server local to the login.

The file structure is much simpler, the volumes are aliased as system, applications, data, where system and applications are mapped to the server local to the login and data mapped to the student's home server. During login, the original context is changed to a container called resources where all the aliases live with user friendly names to print devices, volumes and so on. There's a resources container hanging off each site container. The data volumes are organised (from the point of view of the student) as data:students\year\login_name.

Though there is a huge amount of work in preparing just one account, the NDS and file system is so sweet and easy to maintain that it is worth it. The advantages from my point of view is that it is very easy to train people up to login and use the network and resources. Dealing with the throughput on the NDS is very simple - you add new year containers for the new input, you delete old year containers as they leave you! The same with the file system - you delete a year, you add a year. Once the user object is created then my interest in the NDS is purely and quite literally year in, year out.

However, the complexity of the NDS reflects not only logical organisation from an administrative but also from a communications point of view.
Using the free 1st Mail that comes with netware it is very easy to email a class of students specifically, ie 3yr_BA_grp.99.fine_art.manresa_rd. This makes life easy for tutors and administrators within the school.

General email is handled differently. I use netscape and a pop server for each operating system, with the pop servers all converging on one set of email directories in the data volume local to the user's home site. There is added name space support on this volume so different operating systems can read and write the same set of files. This makes for a totally uniform email platform across all operating systems that is simple to use, works perfectly, free and looks good. (We use netscape for nearly everything cyber.) Emailing is simply addressed to login_name of the recipient if local, or an ordinary email address out of the college. Email in is to login_name@chelsea...

This extra feature almost doubles the time it takes to create a user account with the creation of individual email directories, updating of pop server ini and mail policy files, individual sig files and addition of certain individual rights at the user object level.

All in all the NDS and file system structure are very easy to maintain a steady throughput of students. The server load across sites is evenly balanced - small site, small server; big site, big server.

The only problem was it took half an hour to build an account manually. I wrote a suite of basic programs centred around the netware uimport utility. Information in via a form is fullname, login_name, degree, year of graduation. Every 9 seconds a perfectly formed user object with all the files and directories and rights and personalised ini files is created. I am further automating this process so that it becomes part of enrollment so that a) information needs to be typed in only once, and b) it's out of my hair.
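
The form-to-account step described in the message above, sketched as an added example (not part of the original post, and not Philip's programs). It checks each form row before any name is built, because login_name ends up inside a dot-separated NDS name and a path on the data volume. Assumptions: a separate course field, the course-to-site table (with "sculpture" as a constructed entry), the character rules, and the output column order, which would have to match the field order in your own UIMPORT control file.

```python
import csv
import io
import re

# From the post: the degree groupings and two course/site pairs. The table
# mapping a course to its site is an assumption, and "sculpture" is a
# constructed entry used to show a home-directory clash.
DEGREES = {"2yr_BA", "3yr_BA", "MA"}
COURSE_SITE = {"public_art": "limegrove", "fine_art": "manresa_rd",
               "sculpture": "manresa_rd"}

# Assumed naming policy: a lowercase letter, then 1-7 letters or digits.
# '.', '\', ':' and '/' are excluded because the login name is pasted into an
# NDS name (dot-separated) and into a path on the data volume.
LOGIN_RE = re.compile(r"[a-z][a-z0-9]{1,7}")
# No commas or double quotes: the value ends up in a delimited import file.
FULLNAME_RE = re.compile(r"[A-Za-z][A-Za-z '-]{0,63}")
YEAR_RE = re.compile(r"[0-9]{2}")


def build_account(fullname, login_name, degree, course, grad_year):
    """Validate one form row and derive the names the post describes.

    Returns a dict, or raises ValueError naming the first bad field.
    """
    if not FULLNAME_RE.fullmatch(fullname):
        raise ValueError("fullname")
    if not LOGIN_RE.fullmatch(login_name):
        raise ValueError("login_name")
    if degree not in DEGREES:
        raise ValueError("degree")
    if course not in COURSE_SITE:
        raise ValueError("course")
    if not YEAR_RE.fullmatch(grad_year):
        raise ValueError("grad_year")
    site = COURSE_SITE[course]
    container = f"{grad_year}.{course}.{site}"
    return {
        "login": f"{login_name}.{container}",
        "fullname": fullname,
        "group": f"{degree}_grp.{container}",
        "home": f"data:students\\{grad_year}\\{login_name}",
        # data: is local to the site server, so a home directory is unique
        # only per (site, year, login name), not per NDS name.
        "home_key": (site, grad_year, login_name),
    }


def process(rows):
    """Split form rows into accepted accounts and (row, reason) rejections."""
    accepted, rejected, used_homes = [], [], set()
    for row in rows:
        if len(row) != 5:
            rejected.append((row, "wrong field count"))
            continue
        try:
            account = build_account(*row)
        except ValueError as exc:
            rejected.append((row, f"invalid {exc}"))
            continue
        if account["home_key"] in used_homes:
            rejected.append((row, "home directory already allocated"))
            continue
        used_homes.add(account["home_key"])
        accepted.append(account)
    return accepted, rejected


def to_import_lines(accounts):
    """Quoted, comma-separated records; the column order is an assumption."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for a in accounts:
        writer.writerow([a["login"], a["fullname"], a["group"], a["home"]])
    return buf.getvalue()


# Constructed sample input, not real enrolment data.
SAMPLE_FORM_ROWS = [
    ("Jane Smith", "smithj", "3yr_BA", "public_art", "98"),
    ("John Smith", "smithj", "3yr_BA", "fine_art", "98"),      # other site: ok
    ("Joan Smith", "smithj", "MA", "sculpture", "98"),         # same site+year
    ("Eve Adams", "adamse.98.admin", "MA", "fine_art", "98"),  # dots in login
    ("Al Jones", "..\\system", "2yr_BA", "fine_art", "99"),    # path characters
    ('Bo "B", Lee', "leeb", "2yr_BA", "fine_art", "99"),       # delimiters
]

if __name__ == "__main__":
    ok, bad = process(SAMPLE_FORM_ROWS)
    print(to_import_lines(ok), end="")
    for row, reason in bad:
        print("REJECTED", row[1], "-", reason)
```

Rejected rows are reported rather than repaired, so a mistyped or hostile login name is corrected at the form instead of being rewritten silently into somebody else's context or directory.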
------------------------------

Date: Sun, 4 May 1997 16:03:24 +1200
From: "Baird, John"
Subject: Re: accessing user properties in login script

>I am trying to some different properties in the login script. The
>Location field in NWADMIN can be accessed as %L in a script, but I cannot
>find a way to access the Department field. The SETNAME JRB utility can be
>used to set the property using the name %Depart, but that does not seem
>to work in a script. It appears that the field is not available...

Many of the field names used in nwadmin/netadmin do not correspond directly to the attribute names. Here is a list of mismatches that come to mind:

Attribute name                  Nwadmin field name
CN                              Login name (the first value in CN)
                                Other name (2nd value in CN)
Surname                         Last name
OU                              Department
SA                              Street address
Physical Delivery Office Name   City
S                               State or Province
L                               Locality

------------------------------

Date: Sun, 4 May 1997 16:20:30 +1200
From: "Baird, John"
Subject: Re: replcation causing problems with account setups

>I am trying to use UIMPORT to create accounts, but most of the time when
>I run the program, I get errors similar to this:
>
>F:\>p:uimport student.ctl student.dat
>Import context: student.acadia
> Creating user 999900T.sz
> Adding User
> Generating key pair
>**** Updating 999900T.sz ****
>|
>UIMPORT-4.26-991: An error occurred in NWDSMapNameToID. This may mean
>that the skulker has not put object 999900T on server AXE1 yet. Error
>code: FDA7. | UIMPORT-4.26-991: An error occurred in NWDSModifyObject.
>Error code: FD9B.
> User: .999900T.sz.student.acadia
> Attribute: Profile
> Value: .SSTUDENT.profile.acadia
>*** Done
>
>I have a good idea that the problem is caused by the fact that uimport
>has created the user in one partition and then when it goes to set other
>information for the user, it retrieves a partially replicated account
>from another partition.
Is there any way, aside from destroying the 2
>redundant copies of replica, to force all uimport requests to a
>particular partition?

As you suspect, the problem arises because Uimport is sending requests to different servers. The object creation request has gone to server A, uimport is almost certainly then creating the user's home directory on server B, and the error FDA7 reported by NWDSMapNameToID will occur when Uimport is obtaining the user's ID on server B for purposes of creating a trustee assignment. Server B has not yet received an update from server A announcing the new user. Error FD9B is reporting a similar problem i.e. a request was sent to server B asking for an attribute value to be added, and the attribute value was the new object name e.g. Uimport is trying to add the new user to a group.

I don't know of any solution for Uimport. It's only recently that the SDK has contained any mechanism for ensuring that NDS requests are sent to a particular server, and the odds are that no one has gotten around to updating Uimport to use this facility. However, as we have discussed off line, JRButils creatobj now uses this facility.

---------

Date: Sun, 4 May 1997 12:19:02 EST
From: "joe_flowers@ncsu.edu"
Subject: Re: replcation causing problems with account setups

I'm curious. If you make sure you are authenticated to Server A and Server B while logged in with complete "Admin" rights over both servers, does this make any difference?

We use UIMPORT here a lot, but I always make sure I'm authenticated to all the relevant servers first. I haven't seen your error before.

Is there a "timeout" count for UIMPORT retries that can be increased?

------------------------------

Date: Fri, 9 May 1997 13:33:26 -0600
From: Joe Doupnik
Subject: Re: NDS tree surgery

>I've got an annoying NDS problem that I've been researching with no
>success. I taught a NetWare 4.x class and created a container where
>students could run amok with full rights.
Now I've got several
>containers with an IRF that blocks everything except Browse. This
>makes cleanup "challenging" since there's no way to delete the
>containers or the objects therein. I've checked and the accounts
>used to create the containers are locked out as well.
>
>If there's a next time, I'll bring up a disposable tree for students
>to frolic in. For now, I just want to lop off a branch of my NDS tree.
----------
Here's an object (sic) lesson for your students and staff: always create a safe administrative account on each server so that you can always get in and override anything others have done. Do not use "equivalent to."

Here's another: never put play servers in the same NDS domain as production equipment. And the corollary is never trust a server which has been tinkered with by less than expert hands: clean the drives and make fresh installations.
Joe D.

------------------------------

Date: Fri, 30 May 1997 08:14:50 GMT
From: Teo Kirkinen
Subject: Re: How many users can be defined in a server?

>I would to know what is the limit for a Novell server (3.x or 4.x) to
>define users in the bindery and NDS. Will be the performance goes
>down with a lot of users, at login only or in general?

It depends ;-)

When we were still running NW 3.11 our largest server had 12000 user accounts. From the point of view of the users everything was OK. The managers couldn't use SYSCON or some other utilities that wanted to read all the user names to memory. There were of course alternate ways of managing the users, for example the excellent shareware package JRBUTILS.

With NW 4.x things are totally different. The important limit is not users/server but users/partition. One server can hold replicas of more than one (even large) partition if the hardware is fast enough. Most people plan the NDS so that one partition has less than 1500 objects but partitions up to 5000-6000 objects work fine, if you have the right hardware.
------------------------------

Date: Thu, 5 Jun 1997 22:54:17 -0400
From: Debbie Becker
Subject: Re: NW 4.x Help Desk Role

>What I'm wondering at the moment is:
>
>1) What do all think of using an Organizational Role for this "SubAdmin" or
>help desk role (resetting passwords, intruder lockout, application group
>ownership, etc.) as opposed to a group or individual user objects having
>these assignments?

Although I know that Novell is a big fan of the Org Role right now, I'm not crazy about it. Several reasons:

When I log in as a user, if I'm an occupant of an Org Role, I automatically have the administrative rights. Now, maybe it comes from my NetWare 3x background/training, but I've always felt that you should have an Administrative user to log in as to do admin stuff and a regular user account to log in as to do everyday stuff (and to test what you've setup as Admin!)

I also don't care for the fact that if you assign the Org Role the Create right only at the container (so as to keep from getting locked out of that part of the tree), when an occupant of the Org Role creates objects in the container, the occupant (user object) will be made a trustee of the objects and given Supervisor object right! That means if I don't want someone doing Admin anymore, I have to remove him/her from the Org Role, remove him/her as a trustee to all objects created, and give someone else Supervisor rights to manage him/her! Seems like a lot of hassle to me!

I also don't like not being able to assign them to print queues, etc., as you mentioned below.

I prefer to stick to a user object with an obviously administrative name (SubAdmin, AltAdmin, etc.)

>2) Our structure is Organization (1, of course) branching down to
>Geographical Organizational Units (3 to-date, will be 7). Underneath these
>Geographical OUs are the servers, volumes, print servers, printers, and
>application groups (we may have to break some of these classes into their
>own OU's due to quantity, soon).
Also, under the Geographical OUs are
>defined our departments. Under our Departmental OUs are defined print
>queues and users. Given *this* model I see no risk assigning rights to the
>department OUs for administration. Agreed?

As long as you want the folks assigned to be able to really *manage* the containers/branches, no problem. You might want to take the precautions mentioned to make sure that they can't lock *you* out, but otherwise, let them handle the day-to-day stuff!

>3) Similar to #1, above, I'd like to define a print server/printer/queue
>manager's Organizational Role with all rights to each object I mentioned.
>Of course, those objects can't assign Operator status to Organizational
>Roles. I find the quasi-support of Organizational Roles frustrating.
>Anyone have a way of making this work or do I fall back on Groups?

As mentioned above, I'd rather create admin user objects. If there are several I can always make an Admin group for them. Just don't care for those Org Roles!

------------------------------

Date: Fri, 6 Jun 1997 17:29:24 -0400
From: Dennis Large
Subject: Re: Creating Student ID's

>I am interested in colleges or universities who assign individual login
>IDs for students on a Novell network. We have had students logging in
>as a generic STUDENT id and forcing them to save all their information on
>floppies. We are purchasing new servers with GBs of disk space and are
>going to allow them to save on the network. My questions are as follows:
>
>1. How do you assign IDs to each student?
>2. What kind of naming conventions do you use?

I'll throw in just a couple of small pieces here for your consideration.

We have, and have had forever I guess, a central account mgmt group housed within the central computing providers, currently known as Information Technology (IT). That group sets all standards for such things on all central resources.
While we're behind a bit (okay, a lot) on having a central account database, we try to keep accounts consistent across all platforms. Where departments have their own server, they generally accept our suggestion that they stick with using the system defined userids, since this will make things go much easier in the future as various services become network entities, and more cross-platform things come into play.

As to the convention itself, pretty simple. First and middle initials, first 4 of last name, and 2 serial digits to break ties. Zeros are used to pad any part of it to 8 chars. (the heritage of this from the mainframe which is 8x8 char bound, much like DOS 8x3.) At any rate the 8 chars is a reasonable least common denominator for all platforms, and uniqueness can be guaranteed.

>3. Do you create one for them?

yes.

>4. Do you have a form they fill out and have someone create their IDs
>from this form?
>5. Do you have a data entry program that will create a file that you can
>import into the NDS?

Not yet. We're not playing this game with netware yet, but the unix and VM systems have batch routines that query against the student (and staff and faculty) registration (or staff) databases. We're just beginning a rollout of fee-based LAN services for faculty and staff. We're starting with manual processes for now, but keeping an eye on how to automate. We're also just starting implementation of new HR and SIS systems which will be Oracle based instead of our current MVS/IDMS systems. I'm very hopeful about being able to use netbasic to do some of this stuff.

>6. Can students create more than one ID?
>7. How do you authenticate students?

------------------------------

Date: Mon, 9 Jun 1997 07:25:32 +0000
From: Jay Raynis
Subject: Re: Creating Student ID's

>During registration the students full name is entered in our Student
>Records System on an HP9000.
After all students are registered, we run a
>COBOL program that assigns the user ID's based on the first 5 characters of
>the last name, first character of the first name and a two digit number
>starting with 01. This is for the 20 or so smithj's that are generated. The
>program simply checks for duplicates then increments the number by one.
>
>(i.e. smithj01, smithj02, smithj03, etc.)
>
>This program generates a text file in the format I need to use UIMPORT to
>create the users.
>
>>2. What kind of naming conventions do you use?
>
>See above.
>
>>3. Do you create one for them?
>
>One what?
>
>>4. Do you have a form they fill out and have someone create their IDs
>>from this form?
>
>No, they do not fill out anything extra except the normal registration
>information.
>
>>5. Do you have a data entry program that will create a file that you can
>>import into the NDS?
>
>See above.
>
>>6. Can students create more than one ID?
>
>Students cannot create ID's
>
>>7. How do you authenticate students?
>
>The COBOL program that generates the student ID's also grabs the SSN of the
>student and puts it into the UIMPORT file as their password. We tried
>generating random passwords but the problem was getting the passwords to
>all of the students and they would forget them often. With their SSN as
>their password, they are not likely to forget it and we don't have to try
>to distribute it to them. We publish their user ID on our local web page so
>all they have to do is look it up from any student accessible workstation.

BIG WARNING HERE! While you have simplified the process, you have also created a password for each user that is easily "abused" by other users. Social Security is no longer confidential, and appears in too many places. If you're forcing changes on first logon and first logon is required first day of school, you may be OK, but I'd guess not.

We were doing the same thing, except using a roll-over from our student records database on our AS400.
We used the student ID which doesn't appear in too many places, and this year for the first time I went in and manually modified those IDs so that there would be variety (and increased security). It isn't the cleanest or fastest, but takes only ten minutes to go through the text file before creating the users and add or delete a couple of characters in their student ID/password.

I then do a print out with user name and password and pass it off to teachers to hand out. Users are then strongly encouraged to change their passwords.

------------------------------

Date: Fri, 13 Jun 1997 09:10:08 +0800
From: Brett Looney
Subject: Re: CLIENT: Group pol

>It support the group pol or not? I have installed some clients and
>the group pol don't work. Is there an option to activate them?

Something I found out a little while ago was that: not only do you need the GROUPPOL.DLL file on the machine where you build the policy - you also need that file (and it needs to be installed, _not_ just copied on) on every machine where you want Group Policies to work.

------------------------------

Date: Sat, 14 Jun 1997 14:24:20 +1200
From: "Baird, John"
Subject: Re: Grace logins and makeuser

>>>I use Makeuser to create the mass amount of user accounts that we
>>>need at the beginning of each semester here at the University. The
>>>only thing I am having problems with is that it (makeuser) creates
>>>these accounts with "grace logins allowed" set to 7. This is way too
>>>high and I want to change it to a lower value. There doesn't seem to
>>>be a variable for setting this within the makeuser utility. I have
>>>checked Novell's documentation and the FAQ of this list and cannot find
>>>anything on it.
>>>
>>> Am I going to be able to change this value or am I
>>>doomed to go through individually after the accounts are created and
>>>change it???
>>
>>In NW 3.1x SYSCON look at "Supervisor Options", "Default Account
>>Balance/Restrictions".
Change what needs to be changed before you
>>run MAKEUSER.
>
>I have set the default account options, but makeuser is not picking
>the "Grace logins allow" value from there. I have it set to 3 there,
>but makeuser is setting it to 7.

If I remember correctly, the values set under "Default Account Balance/Restrictions" are used when creating users via Syscon but not by makeuser. If there is no facility for specifying this in a makeuser input file then your only option is to reset the grace logins value after running makeuser. The setrest program in jrb300a.zip will do this for multiple users, so you could set the grace logins for all users on the server after creating your new users e.g.

    setrest * gla 3

You would also need to set the grace logins remaining e.g.

    setrest * glr 3

Jrb300a.zip can be downloaded from one of the following:

    netlab2.usu.edu      apps
    risc.ua.edu          pub/network/misc
    ftp.let.rug.nl       jrbutils
    tesla.dfm.dtu.dk     pub/network/jrbutils
    tui.lincoln.ac.nz    jrbutils

------------------------------

Date: Mon, 16 Jun 1997 08:55:56 -0600
From: Joe Doupnik
Subject: Re: Restricting deletion of local files

>One of our biggest problems, in our university labs are students who
>either deliberately or accidentally delete files on the local machine.
>Using ghost to rebuild takes 4 minutes. Do you use any utility
>that can restrict deletion of local files/folders, or alternatively
>any utility that monitors a given set of files and automatically
>recopies them back to the local machine from the server, if they
>get deleted. Anything at all that can prevent the deletion of local
>files, or at least make it extremely difficult.
----------
May I add a comment on this topic? You are looking for a bandaid to apply to another bandaid. If I were in your shoes I would be asking more fundamental questions, such as how can I deliver these files quickly at low expense. I think you will find the answer is often: from the file server itself if we have adequate network bandwidth.
Keeping public files on the file server means they are always the same every time, because you make the directories read-only. Users can be assigned temporary workspace on the server too, on a per-user or per-station basis, and you can clean that space very very quickly via commands in the login script. This means there need not be a local hard drive at all (what a surprise!), or if you insist upon them for some reason then the file contents may be minimal. Removing local hard disks also means you don't have to purchase them nor replace them periodically nor back them up to tape nor figure out, as you are now, how to keep them coherent not to mention virus free.

Can a file server take the load of diskless client operation? Yes, better than you probably expect. A disk farm on the server can be shared too, decreasing the number of MB needed overall.

But what about bandwidth and Windows swap files? First, put memory into the clients so that swapping becomes a rare event; 32MB is a good figure for that these days. Memory is cheaper than disks. If bandwidth is limited now then make it larger, by adding more pathways to the server and/or going to 100Mbps Ethernet. The cost of adding that bandwidth is also surprisingly low, and you will have to do it sooner or later anyway. In a public facility I am now converting to 100Mbps Ethernet and I am getting the full wire capacity. And keep in mind that you are already hitting the wire very hard reloading local hard disks.

In summary, with increased bandwidth a file server once again becomes competitive with local hard disks in terms of performance, and it remains cheaper and preferable for management (delivery of service).

Joe D.

---------

Date: Tue, 17 Jun 1997 21:15:59 -0500
From: "Gregory Gerard Carter (Mascot)"
Subject: Local vs Remote workstations management

[Joe's msg reply above snipped]

Joe makes a lot of good points in pointing out that booting workstations from a centrally managed location has many advantages.
But, in my experience, these advantages are outweighed by the problems that arise from:

#1 Wire management.

Essentially, what you are doing, is transferring the storage management problems Joe points out that are solved in a network booting workstation, to a wire management problem caused by network bandwidth. Remember, every path or service extension you want to bring to your organization's members is delivered through that wire. I think personally, the costs and complexities of designing a network so that people can continuously load their network operating systems over is not cost effective vs the cost of adding a hard disk to load that information from at boot time.

Take a look at the future. Applications/OS don't get smaller they always get much much bigger and much more complicated. Meanwhile HD's meet the challenge by continuously getting much much cheaper and are storing more. IDE hard disks for 1GB are much better value in performance and value I think than any 100BaseT port.

#2 Software management.

Another problem is software management. Any of you who have ever, or God help you still do, maintain shared Windows 3.1 installations on your Netware or Unix file servers understand what happens when you have to install a new application for your users to use. The hair on my rear end would stand up on end when I had to do the Office 4.2 upgrade for my users a long time ago and pray it didn't screw around with my dll's for cc:Mail, FoxPro, and what else and what not I had working perfectly. Trying to figure out the gazillion new dll's that Microsoft put out each year and the problems they would cause was a circus for my staff and my help desk "The Day After Ground Zero". I had lab equipment up the ying yang to do pretesting on this stuff beforehand and it still almost always had non-trivial problems afterwards.

Simply put, I don't trust shared installs.
I just do not like the idea of that much responsibility on one central location on one machine with that much software. This is not the way people do things anymore for a large number of practical and theoretical reasons from costs to scalability.

So this is what I am currently doing:

#1 Application installs are done off the file server to the local workstation. This serves the purpose of archiving your current apps off site, and getting what you need fast onto a workstation. This includes OS installs. I use it to protect my corporate investment in software too in case of disaster destroying the originals or theft whatever...

#2 Segment and partition access to your Data. This means in your case, identifying the data that you do not want changed, and what can be changed and using the file server technology at your disposal to build the login environment that enforces this.

#3 There are a number of different software vaulting packages that allow you to very effectively lock the Windows\System and selective C:\ directories on your workstations. Some of them plug into the existing management solutions from Novell's Managewise and Intel's LAN Manager. Quite painless and from my experience foolproof tampering.

#4 Critical Data. I used to have an order entry department. Well, if the server went down, they STILL needed to be up and running, so I had to load the local machines with hard drives anyway to keep them going when during those very few times (2 times while I worked there for 3 years) the file server dumped itself. All they had to do is reboot and run locally. If you have any great amount of people, a file server dump REALLY is a drag and they let you know about it if it is shared off the net. Besides the argument that Joe uses for hardware savings is gone in about 2 minutes with 300-400 people sitting around doing nothing.

This has been my experience in the debate surrounding network bootable configurations and standalone ones.
------------------------------

Date: Tue, 22 Jul 1997 13:07:28 +1200
From: "Baird, John"
Subject: Re: Directory Space Restrictions Question

>Are the students allowed to write anywhere beside their home
>directories? If not, then setting the volume restriction would
>accomplish the same goal as restricting the directory size.

Not necessarily, depending on the setup. Years ago when we first ran 3.x on the student servers we used volume quotas. The student home directories were spread over multiple volumes, and each had RWCEMFA to their home directory. They quickly discovered that if user A on vol1: teamed up with user B on vol2: and each granted the other write access to their home directory, volume quotas could be worked around because we were not setting zero quotas for students on the volumes where their home directory did not reside.

Rather than set quotas for every student on every volume (or remove the A right which we had reasons to retain), we changed to directory quotas which have been very successful.

------------------------------

Date: Mon, 28 Jul 1997 17:03:46 +1200
From: "Baird, John"
Subject: Re: Unauthorized files allocated in the SYS:MAIL directory

>We found that some users cheat the Netware disk quota restriction by putting
>files on their MAIL directory on the SYSTEM volume. My question is
>
>1. How to identify which user has done this from the directory name in
> a quick way?

Use NDIR which will tell you who owns the files, and hence who placed them in the directory.

>2. Could we implement some disk quota restriction on SYS: volume? Will
> these quota setup transparent to normal users?

Yes. Volume quotas are unlikely to be a good choice here as they may affect the user's ability to print, assuming your queue directories are on SYS:. Best bet is to use directory quotas.
If you are using Pegasus Mail, you should set a quota on each directory, if not and the total contents of SYS:MAIL are pretty much static, you could set a single quota on SYS:MAIL itself.

------------------------------

Date: Wed, 20 Aug 1997 08:45:57 -0400
From: James E Borchart
Subject: Re: Utility for NDS User list

It depends on what info you want, but NLIST can print out quite a bit of the info.

There are also several commercial report printing programs. REPV202, which can be downloaded as shareware from

    http://www.leo.org/pub/comp/platforms/pc/networking/novell/utils/index.html

is a nice, simple utility.

Bindview EMS, which is fantastically expensive, is a top-flight reporting program. It can print or export every conceivable report. This is an especially good program for very large corporations:

    http://www.bindview.com

If you have an ODBC-based reporting program that you use now, or if you are a programmer, you can get the ODBC kit for NDS (beta):

    http://developer.novell.com/rad/sdk/

---------

Date: Wed, 20 Aug 1997 08:44:47 -0400
From: Dan Strohl
Subject: Re: NOVELL Digest - 19 Aug 1997

Executing:

    cx [root]
    NLIST * /c /s /d > nds.txt

will get most of the information... Otherwise you can get bindview that can run reports against nds.

------------------------------

Date: Thu, 21 Aug 1997 08:49:25 -0500
From: Dave Kearns
Subject: Re: Directory/file access counter

>I am interested in receiving any ideas about utilities for counting
>directory/file accesses.

Blue Lance's LT Auditor:

    http://www.bluelance.com/noframe/auditor.shtml

is one tool I've used to do just that.

------------------------------

Date: Sat, 23 Aug 1997 13:37:44 GMT
From: Michael Roth
Subject: Re: ghost/n4.11/win95

>We are attempting to use ghost to setup our win95/N 4.11
>based labs and have encountered a problem. When we try to
>use ghost between dissimilar hard drives (a 550 MB image
>to a 2 GB) the 2 GB machine will not boot after the image
>is copied to it.
>
>We have 4 different size drives and any time two different
>drives are involved, the problem occurs. With the same drive
>there is no problem.
>
>Ghost is using 32 bit fat. and the docs. say that you can ghost
>dissimilar drives.

To use ghost on dissimilar drives you'll need to create a compressed image first and then uncompress it onto the new drive.

------------------------------

Date: Mon, 1 Sep 1997 09:01:52 +1200
From: "Baird, John"
Subject: Re: rights issue to assign space limits and login

>What is the minimum rights needed to change user space limits ?
>I can not do it unless I am logged in w/ Sup rights. I thought this would
>be easy but no other rights combo other than sup lets me make the changes.

Both directory based quotas and volume based quotas are stored on the volumes, not in NDS. To set a volume based quota, you need supervisory rights to the root of the volume, to set a directory quota, you need supervisory rights to the parent directory.

>I was under the impression that in order to log in to a server you had to
>have R F to the login directory on SYS. Yet, when I went and checked
>effective rights of a user object, it had none. Yet this user object was
>able to log in. Public doesn't have any rights there either. How is this
>happening??

No rights are needed. The sys:login directory has special status and is visible to any client connecting to the server. A workstation establishing a connection to the server can execute any programs in the login directory, but of course those programs won't be able to access other directories on the server, and access to NDS is limited by what rights [Public] has, until a login is performed.

------------------------------

Date: Tue, 2 Sep 1997 09:08:45 +1200
From: "Baird, John"
Subject: Re: Util to find user whohas OU-loginscript open

>Does anyone know how to find a user or connection which holds a
>Container login script open.
>If e.g.
you have a command to run an external program in your login
>script which waits for keyboard input by the user and the user is not
>responding you can NOT alter the script in the meantime.

I am not aware of any way of doing this as this requires that the file in sys:_netware containing the container login script be identifiable (login scripts are stream attributes which are stored in separate files in sys:_netware). I have not found any way of finding the file name for a given login script. At best, you can check the open files for each user and anyone holding a file open in sys:_netware is a possible culprit.

------------------------------

Date: Thu, 25 Sep 1997 11:41:50 +0200
From: "David W. Hanson"
Subject: Re: Triggered commands

>I currently have an IntranetWare server set up, and the terminals
>are running DOS and Windows for Workgroups 3.11 (remotely).
>
>Due to the large amounts of temporary files that are not removed by
>the applications I wish to automate the deletion of these. Is there
>a way to trigger a command from the Console or are there any utilities
>to do this.

I created a batch file called CLEANTMP.BAT, flagged it ROSH and put it in the SYS:PUBLIC directory. It contains the following commands:

    @ECHO OFF
    IF EXIST %TEMP%\*.TMP DEL %TEMP%\*.TMP
    IF EXIST %TMP%\*.TMP DEL %TMP%\*.TMP

I then put the command:

    #CLEANTMP

in the login script after the point where the drive mappings occur. That way, every time users log in, they clean all of the .TMP files from whatever directory their TEMP or TMP environment variable points to.

------------------------------

Date: Mon, 29 Sep 1997 03:21:04 +0200
From: Ondrej Chvala <0@LIB.AMU.CZ>
Subject: moving user's home dirs - solution

Here is some howto if someone is interested in...

The trick was: using n4object.exe or similar utility export users' login names and home directories to a text file, simply change the path and then use UIMPORT to upload information into NDS.
UIMPORT uses two files - one with control commands, second with data. Furthermore, one can use control file like:

    Import control
      home directory path =
      home directory volume =
      import mode = U      && (U stands for Update info in NDS)
    Fields
      Name
      Home directory

Then, datafile can be:

    "",""
    "",""
    ....

this will change user's home dir location to :\

If you want to have user's home dir name different from for some users, simply use:

    "",""

to assign as home dir for user . then use:

    uimport

and in container login script one can use:

    map root i:=%home directory

]-)

------------------------------

Date: Tue, 30 Sep 1997 10:25:16 -0500
From: Tom Kustner
Subject: Re: Need help with cloning client32 workstations with ghost

>>I just started using ghost to clone my novell 4.1 win95 workstations.
>>When I dump the image from the server onto a workstation, it says it
>>detects a new network card. Ghost tech support says that's because
>>of the different MAC hardware address on the Ethernet etherExpression
>>Pro 10+ cards - all workstations are exactly the same except for the
>>mac addresses and individual ip addresses.
>>
>>any suggestion re: automating the process of creating the clone
>>workstations? is there a file in registry that i can preserve for
>>each workstation and load it after the clone?
>>
>>any help/suggestions are most welcomed. thanks
>>
>
>I haven't tried this so I don't know if this will work, but before you
>clone the next 95 computer, specify a MAC address in Client32 properties in
>the Network Panel. Then, after you have brought the clone back down to the
>new workstation, delete the softcoded MAC address to use the manufacturer's
>address.

We use GHOST 3.1d and like it a lot (one bug, though, with OS/2). We have 3COM cards which have Pnp disabled, since Client32/Win95 work better that way. Having PnP disabled has avoided this issue. I didn't realize this until you brought up your problem!
---------

Date: Tue, 30 Sep 1997 12:51:40 -0700
From: Kevin Brackley
Subject: Ghost

We use Ghost to clone NT 4.0, 3.51, and Win '95 workstations, even across different hardware and it works great.

This may not be what you are having trouble with, but we ran into a similar problem with our '95 workstations, only it was related to the Plug 'n Play settings (or Plug 'n Confuse settings). I later found out that the original '95 workstation used to create the master image had the CMOS pnp feature turned off. Every time I put the image onto a new workstation (which sometimes had the PNP OS feature enabled), we'd get "Windows has detected . . . " (everything from PNP CMOS, keyboard, mouse, to Network card). When we recreated the image, we made sure that the PNP feature was enabled before installing the '95 client. Once we created a new, clean master image and made sure that all of the clone's CMOS settings were the same, the problem went away.

The MAC addresses are never changed, we always use what the NIC has been assigned by the manufacturer. I don't see how this could cause the PNP features to detect new hardware anyway--maybe I'm missing something.

We never had the problem with NT because it's not really a PNP OS.

------------------------------

Date: Thu, 2 Oct 1997 15:04:10 +1000
From: Jean-Marc Annonier
Subject: Re: I need a program for Node Installs

The solution to your problem is: Seagate WinInstall. I'm using it with a great success, it will take you two or three days to install and understand it, plus three to four days to setup the software you want to distribute and test it (you'll need a "blank" test workstation).

Now when I want to update or install a new software, I just set it up in the Wininstall Administrator program and the next morning, 60 users are updated, all the activity is recorded in an Access (or other) database, including installed software per login name, NIC address, etc.
The typical case is anti-virus software you have to install every three months or so, now it takes me 10 mins. You can even select your recipient using Netware groups. Three delivery methods are available: manual, automatic or e-mail, I'm using the automatic one. Yes, it's a good product, and quite cheap.

------------------------------

Date: Tue, 7 Oct 1997 21:03:53 +1300
From: "Baird, John"
Subject: Re: Number of bindery objects in Novell 3.12

>A simple question, with a simple answer, but I can't find it anywhere.
>How many bindery objects is the bindery in Novell 3.12 is it possible
>to have ?

I believe the absolute maximum is 65535 objects, but the practical limit is a fraction of that. Syscon can run out of memory on some operations with as few as 2-3000 (e.g. making one user security equivalent to another) and will run into serious problems at 7,000-10,000. The OS/2 version of Syscon is one way around this, command line tools are another, and there is Windows version of Syscon written by someone in the UK whose address I can't find at the moment. One UK university had around 20,000 objects but they had figured the format of the bindery and were maintaining it via direct access rather than the Netware APIs.

---------

Date: Tue, 7 Oct 1997 04:44:41 -0400
From: Slak!
Subject: Re: SysCon for Windows - WnSysCon

>there is Windows version of Syscon written by someone in the UK whose
>address I can't find at the moment. One UK university had around 20,000

The program is called WnSysCon, works with NetWare 2.x & 3.x (never tried it with 4.x under Bindery emulation). It works under all version of MS-Windows 3.x and above, even NT 5.0 Build 1627 and Win98 build 1559 (some minor tweaking req'd).
The program is available on AMC Softwares web site:

    http://www.amcsoft.demon.co.uk/product3.htm

------------------------------

Date: Wed, 22 Oct 1997 22:33:33 +1300
From: "Baird, John"
Subject: Re: Utility needed for file deletion

>I need a utility that, in a specific directory, deletes all the files
>or sub-directories *CREATED* before a certain date.
>
>Let me emphasize that word again - *created* - not "modified" or
>"accessed".
>
>Now, NDIR can tell me that (NDIR /CR BEF 10-18-97), but I don't know
>how to automate the deletion after that, since NDIR doesn't have a /B
>option the way DOS's DIR command does, where it writes out only the
>name of the file and no other information. If I "could" do that, then
>I could simply pipe the output to a DOS "sed" command, which could
>format my deletes from there. (Novell - why isn't there a NOHEADER
>option or a /B option?).
>
>Windows 95 Explorer's Find command is no good, because it looks for
>files "created or modified" and, in any case, I need to do this for
>more than one directory (dozens, in fact).
>
>Does anyone have a utility that does this, or does someone know how to
>take the NDIR output and format it in such a way as to show only the
>file or directory names and nothing else? I've read the manuals but
>had no luck. Thanks for any help. Maybe I overlooked something.

The forthcoming release of JRButils (I hope to cut a master CD next week) will contain an updated version of whodidit which allows you to select files and/or directories on any criteria (owning name space, creation date, update date, any attribute e.g. compressed, IRM, size etc etc) and either display selected information for each file, or you can use a template file allowing you to format the required info in any way e.g. as commands.
Assuming a template file (c.dat) contains

    del h:\%pathfile

the command 'whodidit vol1: c lt 1-jan-93 /dft /o=@c.dat /h /l=delete.bat' would produce a file (delete.bat) of delete commands for every file on the volume created before 1 jan 1993 e.g.

    del h:\LINCOLN\CCMAIL.BAT
    del h:\LINCOLN\WPSEM2.BAT
    del h:\LINCOLN\PMSWAP.EXE
    del h:\LINCOLN\TRPUT2.EXE
    del h:\LINCOLN\LIMENU.BAT
    del h:\LINCOLN\PRNPOST.BAT

------------------------------

Date: Sat, 1 Nov 1997 10:24:29 MST/MDT
From: "Benjamin E. Fore"
Subject: Re: Reset Win'95.

>We have 4.11 with NAL 2.0. Is there any way that we can reset Windows95
>either using some NetWare 4.11 or NAL feature, that will reset all the
>icons and backgrounds to their original state on a restart.

In our labs, we use user policies to limit the students' access to things such as changing the background, etc. (There have been several items on the list in the last few weeks about policies--they can give you more information.)

We also have a mirror that we periodically run to restore the computers to their "correct" state. The mirror is created using several low cost (freeware & shareware) utilities. The creator of the mirror also created a web page explaining the process:

    http://www.snow.edu/services/helpdesk/win95mirror

------------------------------

Date: Tue, 4 Nov 1997 20:30:56 -0500
From: Don Voss
Subject: Re: System Policies

>I have a 20 or so user LAN running 4.1. Right now my workstation is the
>only Win95 machine (I can unscrew mine when I screw it up). I am about
>to add several more machines to my LAN which run Win95. Some of these
>machines are going to people who haven't figured out how to log in to MS
>Mail under Win 3.1 so I am somewhat reluctant to turn them loose with
>Win95. I have two questions.
>
>Is there a quick and easy guide to using policy editor to lock down
>desktops?
>
>Will it work with the Novell Intranetware Client or must I use the
>microsoft client on these machines.

We do not directly use them here ..
just some experiments. Faculty frown on limits .. so we have some bullet holes in penny loafers .. keeps us working.

User policies can go into the sys\mail\nnnn dir and a blanket system policy will trigger if found in a mapped public dir.

If you really want to nail down the units .. do a net search on FORTRESS, we use a version to lock down a win95 labs setups. It works well with a bit of trial and error .. almost too tight. There are other third party win95 security apps to try also.

---------

Date: Wed, 5 Nov 1997 08:17:58 +0200
From: Mike Glassman - Admin
Subject: System Policies

First off, you can use any client you want in order to tune the policies of Win95 for the simple reason that Win95 runs the policy stuff from registry and local disk, and not from the server, so no need to worry about that.

As far as defining policies goes, you should consider a single policy for all users including yourself, where you define a specific profile for SUPER-PEOPLE which gives them full access to all, and another for all others.

Using the policy editor is a bit scary at first as it's a pretty powerful thing, but it is actually very easy to use. Read up on it a bit, and then play around with it on a dedicated pc. Remember that you can build a policy file on one ws, store it in another and test it that way. It's the best way to go about it.

---------

Date: Wed, 5 Nov 1997 10:47:35 +0200
From: "Henrik Olsen, local supervisor"
Subject: Re: System Policies

One of the main things to remember about the policy editor is to keep it in a place where regular users can't run it.

Since it's possible to change the HKEY_CURRENT_USER registry values with it even if registry editing had been disabled for the user, putting it where your users can see it makes for a security hole the size of the Gibraltar Strait.
---------

Date: Wed, 5 Nov 1997 22:39:46 -0500
From: Jeri Fawcett
Subject: Re: SAP advertising

>>How to fix my problem of WIN95 workstations
>>advertising as servers on my Novell 4.1 network.
>>We are using Microsoft's policies, however we are using
>>Novell's client32 v2.11 for WIN95. In the policy we have file and
>>print sharing turned off.
>>
>>We were told that Microsoft's policies work only with Microsoft's
>>client for Netware. Is anyone using Microsoft's policies with
>>Novell's client32?

Besides disabling file and printer sharing there is a specific policy option that allows you to disable SAP advertising. If you're not seeing this policy option then possibly you're not using the appropriate template. Also, I'd highly recommend you invest in a copy of the Win95 resource kit and read up on implementing policies. It's no small task to do properly.

MS policies for Win95 work fine with Client32. Worth mentioning, however, is that you must use the most recent Client32 (not necessarily Client for INW) if you wish to use group, not just user, policies.

If you decide to use the INW Client there is a new policy template. I haven't looked at the template yet but I suspect it could make for some confusion in an environment with multiple client versions.

------------------------------