No Option To Create a Login Policy Object in the Security Container - Aug 16, 2004
Aug. 16, 2004 - Added link to ADMSNAP.DLL snapin file HERE.
    
  (Clarifications added April 1, 2001. Information on snapin at the bottom of the page added Nov. 21, 2002)
Do You Need to Worry About LPO's?
First off, this tip from Ross Irvine:
    
  
"You only need the LPO if you are using Tokens. That's it! You don't need it for Radius [prior to BorderManage 3.8. Craig] or any VPN. (Unless you are using tokens for VPN). "
Here's how to avoid the need for an LPO
    
  
You should NOT need an LPO unless using RADIUS to  authenticate (or, I assume, ActivCard token authentication with the  VPN). However, there are times when the method show below seems  necessary, apparently keyed by having run RADIUS or NMAS (Novell  Modular Authentication Services) components. The suggestion I got from  Novell to avoid the process described below is to a) delete the  LPO, and b) delete a file called LPOCACHE.DAT created in the SYS:SYSTEM  directory.
  
If You Really Want to Create A Login Policy Object
In some cases, you may need to create a Login Policy Object (LPO) inside the Security container. If you have the proper snapins installed, and do not see an option for Login Policy Object in NWADMN32 when creating objects in the Security container, you probably just need to extend the NDS schema for the LPO. Try this:
LOAD BMASEXT <username> <password> ABC
Where <username> is the fully-qualified NDS name of  the admin account, such as .ADMIN.ORG, and <password> is the  admin password.
    
    The LPO may be necessary when configuring Client-Site VPN on a  BorderManager 3.5 (or later?) server. You definitely need an LPO for  ActivCard / RADIUS.
  
    Be aware that you may have to create the LPO with the ADMIN user ID, and not an Admin-equivalent ID for it to work properly.
  
    If you have the proper schema extensions and still do not get an option to create the LPO, try the following:
  
    Delete these two files :
  
    SYS:PUBLIC/WIN32/NLS/ENGLISH/ADMSNAP.LG
    and
    SYS:PUBLIC/WIN32/NLS/ENGLISH/RADSNAP.LG
  
    Then try again. You should now see a Login Policy Object option.
  
BorderManager Snapin to Manipulate the LPO
Nov. 21, 2002: The snapin required for manipulating BorderManager-related rules in the Login Policy Object is called ADMSNAP.DLL, and should be present on a BorderManager server. This snapin is required in order to create VPN and Proxy rules in the LPO. The snapin ONLY is used for BorderManager-related rules, and RADIUS. This snapin does NOT allow you to create LPO rules related to Native File Access (NFAP). NFAP rules are configured using ConsoleOne. ConsoleOne snapins do not have the option to create BorderManager-related LPO rules.

