Excluding User from a DLU Policy still permits Domain Authentication

  • 7008095
  • 10-Mar-2011
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management
Novell ZENworks 11 Configuration Management

Situation

If a DLU Policy is assigned to a Device or User and that Device or User is listed in the Exclusion List for that Policy, the user can still log on to the PC with other existing credentials, such as a domain account.

Resolution

This is working as expected.

Additional Information

The role of the DLU policy is to create and manage local accounts on the PC.
Excluding a user or device from the DLU policy prevents the creation or management of local accounts on the PC.
The exclusion from a DLU policy does not prevent the use of Domain Credentials or Local Credentials for which the user has the password.

A security GPO can be created via ZCM or the Domain to prohibit logging in to a device even if the credentials are known, by specifying users or groups in the "Deny Logon Locally" policy and assigning that policy to a set of devices.
Both Local and Domain Users/Groups can be specified in this policy.
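
To confirm on a managed device that the "Deny Logon Locally" policy described above has taken effect, the following added example (not part of the original Novell document) exports the device's user rights with secedit and lists the accounts holding SeDenyInteractiveLogonRight, the user right behind that policy. The function names and the sample account names are hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example: list accounts denied local (interactive) logon on this device.
function Get-DenyLogonLocally {
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the device's security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE)."
        }
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is not assigned to anyone

        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            if ($entry.StartsWith('*')) {
                # secedit writes most principals as *SID; resolve to DOMAIN\name.
                $sid = $entry.TrimStart('*')
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
                [pscustomobject]@{ Account = $name; Sid = $sid }
            } else {
                [pscustomobject]@{ Account = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Report, for each expected user or group, whether it is actually denied.
# Matching is by account name as resolved above (case-insensitive).
function Test-DenyLogonLocally {
    param([Parameter(Mandatory)][string[]]$Expected)
    $denied = @(Get-DenyLogonLocally | ForEach-Object { $_.Account })
    foreach ($account in $Expected) {
        [pscustomobject]@{ Account = $account; Denied = ($denied -contains $account) }
    }
}

# Constructed sample names; replace with the users or groups named in your GPO.
Test-DenyLogonLocally -Expected 'EXAMPLE\Excluded-Users', 'BUILTIN\Guests'
```

An account reported with Denied = False can still log on interactively with known credentials, regardless of its DLU exclusion.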