Novell Client 2 SP4 for Windows
ZENworks DLU synchronizes the eDirectory password to the Windows user.
A user has Windows mixed-case password (e.g. "MypaSSword") synchronized with the eDirectory user password. When the user logs in, she mistypes the password case (e.g. mypaSSword, not capitalizing the leading "M"). "Change your Windows password to match your Novell password after a successful login" is enabled. Since eDirectory passwords are case-insensitive, eDirectory accepts the "wrong" password and it is synchronizized to the Windows user. Later, when the machine is locked and the user tries to unlock the machine with the original password, the Novell Client accepts the password, but Windows doesn't not and she can't unlock the workstation.
A setting in the ZENworks Dynamic Local User Policy allows you the 'manage' the existing Windows account. See "Manage Existing User Account" in "ZENworks 11 SP3 Documentation".
With this policy enabled, as soon as the user enters the "wrong" password ("mypaSSword" instead of "MypaSSword, in the example above), ZENworks will change the Windows user's password (again, in the example, from "MypaSSword" to "mypaSSword"). In other words, if ZENworks validates a password, it will change the Windows password to the new password.
If this is not the desired behavior (i.e. you don't want the Windows password to be changed), there are two options:
1. Enable the eDirectory 8.8 feature of "NDSD_TRY_NMASLOGIN_FIRST=true" as described in TID 5037961.
2. Enable the NMAS "Universal Password" policy. This will allow you to enforce password characteristics such as extended characters, mixed case, etc. See "Novell Password Management 3.3.2 Administration Guide".