Putting ZENworks policies into practice

In a past Guild Meeting held online, O'Reilly author Gerald Foster examined the ZENworks features that allow you to push system and user policies to all of the workstations on your network.

TechProGuild held an online chat on Sept. 13, 2000 in which Gerald Foster discussed ZENworks policies. Here's the transcript from that chat.

 Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to tonight’s discussion on putting ZENworks policies into practice
MODERATOR: Welcome to today's Guild Meeting! Our guest today is Gerald Foster, author of O'Reilly's Novell ZENworks.

GERALD FOSTER: Hello, everyone. I’m glad you could make it. Today I’m going to talk about ZENworks Policy Packages. These policy packages are the mechanism used to integrate your Windows desktops into your NetWare environment. The policy packages also allow you to control and manage your desktops by enforcing desktop preferences.

TECHWRITER: I'm not familiar with ZENworks. Could you explain what it is?

GERALD FOSTER: OK. ZENworks is a system for managing users’ Windows desktops. The policy packages allow you to integrate your Windows systems. For instance, if you have Windows NT/2000 desktops, you can give users access to the workstation via NDS authentication and policy packages.

TECHWRITER: So it's a remote administration program?

ZENworks versus Windows policies

PETE35: What's the difference between ZENworks policy packages and Windows policies? Are these the same thing?

GERALD FOSTER: ZENworks policies are a package of policies, one of which is the Microsoft policies.

JCARLISLE: Does ZEN differentiate between NT and 2000?

GERALD FOSTER: Yes, it does for application management, but not for policies. As far as ZEN is concerned, it is Windows NT 5.

Directory-enabled desktop management
TECHWRITER: The Novell Web site calls it a "directory-enabled desktop management system." What does that mean?

GERALD FOSTER: OK, directory enables management. You could manage your desktops by visiting them all, but this allows you to manage them by modifying objects in the directory.

TECHWRITER: I've heard things referred to as directory "objects" before, but I don't understand what that means. Could you explain? I know an "object" in programming is something like a dialog box or a button. But what is a directory object?

GERALD FOSTER: The NDS is a tree-structured directory composed of objects. Objects have characteristics. A user object will contain information about a user, including the password, etc.

TECHWRITER: Oh, so it's a way to list things in a tree hierarchy. Pretty cool. That's like Active Directory, right? OK, I think I’ve got it. Thanks again for the background so I can understand the discussion.

GERALD FOSTER: Active Directory is Microsoft trying to keep up with Novell.

Application Management
JCARLISLE: How does application management differ for Win2k Pro versus NT Workstation?

GERALD FOSTER: Well, application management is a big subject. I would have a different set of apps for Windows 2k and NT4. Policy packages are different depending upon which platform you are targeting. There is a different package for each. There are user policy packages and workstation policy packages. There are Win 3.x, Win95/98 and Win NT/2000 packages for both users and workstations. That makes six different policy package objects plus one special package, which I will discuss if I get time.

JCARLISLE: None for Mac or Linux users, huh?

GERALD FOSTER: Mac and UNIX? Not yet, but I wouldn’t be surprised to see them soon!

User policies
JCARLISLE: Are there any problems if you have users who move from say Win9x to an NT workstation? How do the policies follow them?

GERALD FOSTER: If you create say a Windows NT User policy package, this would affect only WinNT. Users could have a separate Win 95 user policy package for the Win 95 guys.

JCARLISLE: Do you have to assign user objects to the policy package? How does ZEN know what OS the user is logging in with?

GERALD FOSTER: The user policy packages are associated with users (surprise, surprise) and the workstation packages with workstation objects. The operating system is detected automatically, so a Win 95 package would not affect a Win NT station.

SHARI: It's detected automatically, that’s cool.

GERALD FOSTER: If you have both platforms just create both objects and associate them with the users.

CAMILLE.WOOTEN: Can you have more than one user policy for each OS?

GERALD FOSTER: You can have more than one policy package for say Win NT. I have one called "Windows NT users" and another called "Windows NT administrators." The users get one, and I get the other.

JCARLISLE: What if a user floats between OSs?

GERALD FOSTER: If the user floats between OSs, it associates the user with both.

Remote Control
SHARI: What about remote access?

GERALD FOSTER: Shari, did you mean remote control or NT remote access?

SHARI: Remote control.

GERALD FOSTER: Remote control is complicated and requires a lot of ZEN to be implemented. The way the workstation is controlled is a policy within the policy package. One of the really neat policies is the "dynamic local user" policy in the Win NT package. It allows you to dynamically create accounts on Windows NT and place them into the appropriate local group. There is also a policy for roaming and mandatory profiles. There is a policy for MS type policies. There is a policy for managing printers.

Shari, this is all explained in my book. It will help a lot I’m sure!

SHARI: Thanks. I'll order it after the meeting.

GERALD FOSTER: Shari (and everyone) my book has a link in it to me (via my Web site at if you have problems e-mail me. A lot of people have been helped this way.

MODERATOR: OK, shameless plug for Gerald. Here is the link to buy his book at Fatbrain:

Search Policies
CAMILLE.WOOTEN: How do search policies work?

GERALD FOSTER: This is the policy I haven’t mentioned. This policy is designed to improve login times by keeping policy searches to a minimum. Put the user policy package next to the users. Then, put a search policy next to it and configure it to ring fence the users with the policy package.

SHARI: Is there a policy for any shared peripheral?

GERALD FOSTER: Printer policies are great for adding printers when you have just introduced a new one. Set up the printer and the print queue and then indicate the driver to be used with it in the policy package, and presto the user gets the whole thing delivered when he or she next logs in and you don’t have to visit the workstation. Without ZENworks, I would go crazy. I have hundreds of workstations to manage on my own and I can do it with ZEN. I have 200 applications available on the network for our students to use.

In the workstation policy packages you can restrict who uses a workstation by granting and denying rights.

GERALD FOSTER: Have any of you tried to implement ZAK? What a pain! But it can be implemented in a simple way via ZEN policies.

PETE35: What's ZAK?

GERALD FOSTER: ZAK is Microsoft’s Zero Administration Kit. This allows you to lock down workstations.

JCARLISLE: Microsoft doesn’t push that so much anymore, does it?

GERALD FOSTER: I think that Microsoft used ZAK to tackle the total cost of ownership issue. It was a solution for some but it doesn’t make money for Microsoft.

JCARLISLE: Have you looked at Intellimirror yet?

GERALD FOSTER: Sorry, I know nothing about it.

JCARLISLE: I’ve heard it’s supposed to be very ZEN-like, but you must use Win2K servers and Win2K Pro workstations only.

GERALD FOSTER: The trouble with ADS solutions is that you have to have W2k workstations. ZEN will work with all your legacy stuff as well, which in reality you will have around in some numbers for some time to come.

ZEN’s future
JCARLISLE: ZEN's been out for a while. Is Novell going to update it?

GERALD FOSTER: ZEN 3 will be out any day (it has already been announced).

JCARLISLE: OH! Do you know anything about it? Can you tell us?

GERALD FOSTER: ZEN 3 has workstation imaging (like ghost); it is very powerful. Its inventory stuff has been beefed up as well. Workstation policy packages will allow you to add a policy of your own! Write or buy a program and implement it via an action in the user and policy packages.

ZEN is a mature product running on a mature directory, which will work on all your Windows platforms. It is the clear choice as far as I’m concerned.

JCARLISLE: Sounds pretty cool.

GERALD FOSTER: The workstation import policy will allow you to create workstation objects. Have you ever tried to set up something for a workstation rather than a user? Workstation objects are like user objects: they allow the workstation to be represented in the NDS. Set up the action for the workstation, associate it with the workstation, and the job is done. The inventory policy in the workstation package will allow you to collect hardware and software information from the workstation without having to visit it! How many times have you tried to collect information about the workstations by visiting them and manually storing the data in a database? The data is out of date as soon as you enter it! Get the computer to inventory itself and store the data.

Tonight’s Winner
MODERATOR: Remember this month’s prize is a FIC SD-11 Athlon Motherboard and Intel 466 CPU. You win a meeting by asking the most interesting questions and you win the prize by winning the most meetings that month!

I'm afraid it's time to wrap up now. I'd like to thank our guest speaker, Gerald Foster, for coming to us all the way from the U.K.

PETE35: Thanks, Gerald. Will you speak again soon?

GERALD FOSTER: OK, thanks everyone.

MODERATOR: Today's meeting winner is Shari! Shari please send your contact info to Shari, since the month is early you're in a tie with the_argent for the motherboard and CPU from Please come back and win another meeting! Thanks everyone for coming today. Tomorrow night's meeting is on Python. Jacob Wilkins is our speaker! Hope to see you there!
