19.3 Configuring the Local Policy

You can configure and edit the local policy by using the Local Policy Editor. To access the Local Policy Editor, click Start > Programs > Novell SecureWorkstation.

The local policy is inactive in offline mode even if you select Activate Local Workstation Policy.

In online mode, after you have selected Activate Local Workstation Policy, the Events list is active. The events are:

NOTE: Secure Workstation ignores the event unless the Active check box is selected.

By configuring these events, you specify which events Secure Workstation must watch for and which action it executes when an event occurs.

You can edit settings for a specific event by selecting the event in the list box and clicking Edit Event. A dialog box is displayed with settings for the event you select.

NOTE: If you are running the Local Policy Editor on a Terminal Server, the policy editor shows the effective policy for the session that it is running in.

Through the local policy editor, you can configure the following events:

19.3.1 Configuring an Inactivity Timeout Event

You can use the inactivity timeout event to specify the inactivity timeout and configure a warning that is displayed just before the inactivity timeout is reached.

You can configure a .wav file to be played when the warning is shown. You can also specify a .avi file to be played for the warning. To configure these features:

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Select Activate Local Policy.

  3. Under the Events list, select Inactivity Timeout.

  4. Click Edit Event. By default, Activate Inactivity Timeout is selected.

  5. Select Warn User Before Inactivity Timeout > Customize.

  6. Select an option.

  7. Browse to select a .avi or .wav file.

    This action plays the file that you have selected as a warning before the inactivity timeout. The warning dialog box is displayed for the last few seconds of the inactivity timeout. You can specify the number of seconds that the warning dialog box is displayed. For example, if you set an inactivity timeout of thirty seconds and configure the warning dialog box to display for ten seconds, Secure Workstation displays the warning dialog box after twenty seconds of inactivity.

  8. Click OK. The changes are saved.

19.3.2 Configuring a Device Removal Event

Use the device removal event to specify the devices to be included in the policy. If a device is included in the policy, it must be present during the user's session. If a device in the list is not present, Secure Workstation executes the lock action.

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Select Activate Local Policy.

  3. Under the Events list, select Device Removal.

  4. Click Edit Event. By default, Activate Device Removal is selected.

  5. Select Activate Device Removal.

  6. Select the lock actions.

  7. Select the devices to be monitored:

    • Select All Registered Devices if you want to monitor all the devices that are registered.

    • Select Selected Devices in Device List if you want to monitor specific devices, then select the devices you want to monitor.

      The Devices to Monitor for Removal section contains a list of devices that are registered with the Secure Workstation.

      For Novell SecureLogin, the pcProx method for NMAS can report device removal events to Secure Workstation.

      Other NMAS partners have also implemented devices that can report device removal events to Secure Workstation. If you want to use a device that does not show up in the list, make sure that you have installed the NMAS Login Client Method for the device. If the device still does not show up, check with the vendor of the device to ensure that it works with Secure Workstation.

  8. Click OK.

19.3.3 Configuring a Network Logout Event

A Network Logout event is triggered when a user logs out of the network. This event could be triggered by either Client32 or the LDAP Authentication Client, depending on which client is present.

One of the intended uses of the Network Logout event is to close programs that the user might have used for single sign-on through Novell SecureLogin. This event might also be used to display a login dialog box or run a script when the user logs out.

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Select Activate Local Workstation Policy.

  3. Under the Events list, select Network Logout.

  4. Click Edit Event. By default, Activate Network Logout is selected.

    This event has a different set of lock actions than the other events. The Default Action list contains the following actions:

    • Log Out of the Workstation

    • Close All Programs

    • Only Execute the Post-Policy Command

    The Action for Terminal Services Clients list contains the following actions:

    • Log Out of the Workstation

    • Close All Programs

    • Disconnect the Session

    • Only Execute the Post-Policy Command

    The Default Action list does not include the following actions:

    • Lock the Workstation: This action has been omitted because of the behavior of the GINA. If a network connection is not present when the workstation is locked, the Client32 GINA won't allow the workstation to be unlocked with an eDirectory authentication.

    • Log Out of the Network: This action has been omitted because it does not make sense to log out of the network in response to a network logout event.

    The Network Logout event is the only event that includes the Only Execute the Post-Policy Command action. This action is actually a substitute for the Log Out of the Network action available with other events. If you want to execute a Post-Policy command on network logout, but not do anything else, use this action.

    You can use the Post-Policy command to display a login dialog box or run a script.

  5. Click OK.

Changes In Network Logout Action

Previous Behavior: In Novell SecureLogin, if a network logout policy action was triggered, Secure Workstation disconnected the Novell Client network connection and Novell SecureLogin went to offline mode seamlessly. It was then available to the same eDirectory users and could enable applications for single sign-on.

Current Behavior: In the same scenario, although Novell SecureLogin goes to offline mode seamlessly, the single sign-on functionality is not available. Novell SecureLogin is available only when the eDirectory user logs in through Novell Client.

19.3.4 Configuring the Manual Lock Event

Use the Manual Lock event option to manually trigger Secure Workstation. You can manually trigger Secure Workstation either by clicking the Logoff button on the Quick Logon/Logoff Interface or by executing SWLock.exe in the System32 directory.

To configure manual lock:

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Select Activate Local Policy.

  3. Under the Events list, select Manual Lock.

  4. Click Edit Event. By default, Activate Manual Lock is selected.

  5. Select the lock actions.

  6. Click OK.

19.3.5 Using the Advanced Option

You can use the Advanced option to terminate applications and execute the post-policy command.

To use the Advanced option:

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Select Activate Local Policy.

  3. Click Advanced. The Secure Workstation Advanced Settings dialog box appears. Here you have two options:

    • Force Termination of Non-Responding Applications When Logging Out of Windows: Selecting this option affects the way programs are shut down when Secure Workstation logs a user out of Windows. If this option is selected, Windows terminates programs that do not respond to a Close message in a timely manner. This setting logs the user out of Windows more quickly, but some programs might not get an opportunity to save their data before being terminated.

    • Wait Before Starting to Terminate Applications When Closing All Programs: Selecting this option controls the behavior of the Close All Programs action. When Secure Workstation closes programs, it always sends a Close message to each program to tell it to shut down. If the Wait Before Starting to Terminate Applications When Closing All Programs check box is not selected, Secure Workstation does nothing else to close the programs. The result is that some programs might not shut down.

      For example, if Microsoft Word has an unsaved document, Secure Workstation might display a Save As dialog box.

      On the other hand, if the Wait Before Starting to Terminate Applications When Closing All Programs is selected, Secure Workstation checks to see if the programs are still running after the specified timeout. Any programs that are still running at this point are terminated and might not have a chance to save their data.

  4. Click Program List to specify which programs should be closed when Secure Workstation executes a Close All Programs action.

    If you select Close Only the Programs Specified in the Program List, Secure Workstation closes only the programs listed.

    If you select Close All Programs Except Those Specified in the Program List, Secure Workstation closes all programs except those specifically listed.

    NOTE: If you select Close All Programs Except Those Specified in the Program List, SecureLogin closes every program in the user's session except those listed. This includes explorer.exe, the process associated with the user's desktop.

    Secure Workstation closes only the programs that the currently logged in Windows user has sufficient rights to close on his or her own. Programs that the user does not have rights to (such as a service running as the LocalSystem account) are not closed.

    When Secure Workstation is running on a Terminal Server, only the programs in the current user's session are closed. Programs running in other users' sessions are not affected.

    1. To add new programs to the list, click Add.

      You do not need to specify the full path and name of each program in the program list. For example, instead of adding c:\winnt\system32\notepad.exe to the list, you could just add Notepad.exe.

      However, if you do not specify the full path, the entry applies to all programs with that name, regardless of the path. For instance, listing Notepad.exe without the path would match both c:\winnt\system32\notepad.exe and c:\documents and settings\user\notepad.exe.

      You can also use environment variables in the program list. For example, you could specify %systemroot%\System32\notepad.exe instead of c:\winnt\system32\notepad.exe.

    2. If you want to delete a program from the list, select the program and click Delete.

  5. The Post-Policy command is a command that is executed after Secure Workstation executes the lock action. This feature was designed to display a login dialog box after a Close All Programs or Log Out of the Network action has been executed. However, you can use this feature to run any program or script. You must provide the full path and name of the program to run.

    To display the login dialog box, use loginw32.exe for Client32. Use nldaplgn.exe for the LDAP Authentication Client. One of the programs is located in the system32 directory, depending on the mode of installation.

    If you have configured the Network Logout event, Secure Workstation restarts the program specified in the Post-Policy command if it terminates before a user is logged in. This allows the login dialog box to be displayed again if a user clicks Cancel. For more information on configuring events for Secure Workstation, see Novell Technical Information Document 3407572.
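The Program List matching rules described in step 4 (a bare name matches that file name under any path, a full path matches only that path, %VAR% entries are expanded, and the two close modes treat the list as an allow list or an exception list) as an added Python model. This is illustrative code, not Secure Workstation's own implementation; the environment mapping and the process list are constructed for the example.

```python
import ntpath
import re

# Constructed environment mapping for the example; a real policy engine would
# read the user's environment. Keys are upper-case for case-insensitive lookup.
ENV = {"SYSTEMROOT": r"c:\winnt"}

# Constructed list of processes in the user's session (full image paths).
SAMPLE_PROCESSES = [
    r"c:\winnt\system32\notepad.exe",
    r"c:\documents and settings\user\notepad.exe",
    r"c:\winnt\explorer.exe",
    r"c:\program files\microsoft office\winword.exe",
]


def expand(entry, env=ENV):
    """Replace %VAR% references in a program-list entry (case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), entry)


def entry_matches(entry, process_path, env=ENV):
    """A bare file name matches that name under any path; an entry with a
    directory component matches only that exact path. Comparison is
    case-insensitive, as Windows file names are."""
    entry = ntpath.normpath(expand(entry, env).lower())
    process_path = ntpath.normpath(process_path.lower())
    if ntpath.dirname(entry):
        return entry == process_path
    return entry == ntpath.basename(process_path)


def programs_to_close(processes, program_list, mode, env=ENV):
    """Return the processes a Close All Programs action would close.
    mode 'only'   = Close Only the Programs Specified in the Program List
    mode 'except' = Close All Programs Except Those Specified in the Program List
    In 'except' mode explorer.exe is closed too unless it is listed."""
    if mode not in ("only", "except"):
        raise ValueError("mode must be 'only' or 'except'")
    listed = [p for p in processes
              if any(entry_matches(e, p, env) for e in program_list)]
    if mode == "only":
        return listed
    return [p for p in processes if p not in listed]


if __name__ == "__main__":
    print(programs_to_close(SAMPLE_PROCESSES, ["Notepad.exe"], "only"))
    print(programs_to_close(SAMPLE_PROCESSES, ["winword.exe"], "except"))
```

Running the block shows both notepad.exe copies matched by the bare name, and explorer.exe included in the except-mode result unless it is added to the list.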