Large-scale distributed security administration

Whether you manage Windows NT user accounts for 1000, 10,000, or 100,000 people, you know that tasks such as creating accounts, assigning group permissions and policies, and fixing users' passwords can eat up significant portions of your day. Even if you distribute the task among several administrators, the work still requires many people-hours, and distributing administrative authority creates new security holes--and administrative conflicts.

What if you could automate the work? What if you could manage all your NT domains from one location, create user accounts via batch processes, and assign group permissions en masse? Do you want to save 5 minutes 100,000 times? Then consider Enterprise Administrator (EA) 4.0 from Mission Critical Software.

Territorial Justice
The NT Server tool for managing domain accounts, User Manager for Domains, lets you perform most administrative chores. You can create, delete, and disable accounts; you can even select groups of users and manage their access rights (and through NT 3.51 File Manager or NT 4.0 Explorer, you can assign access rights to objects for groups of users). Unfortunately, User Manager for Domains covers only one domain or system at a time. You cannot work on multiple servers or domains simultaneously, and configuring one domain for 10,000 users can quickly become unmanageable.

EA lets you easily manage user accounts (and associated home directories, profiles, etc.) across multiple domains or one large corporate domain, create and assign group permissions for large numbers of users, and manage the security policies of the NT systems on your network--with no effect on NT's security functions. The product uses rules-based techniques for administering security instead of data-based techniques: You set up rules for administrative authority, rather than track the who, what, when, and where of your network through a large database of access control lists (ACLs).

EA evokes images of the Old West: Marshals and Deputies assume varying levels of control over system security, according to their assigned Territory (a Territory can be anything from a whole domain to a group of 10 users or machines to just 1 user). EA still requires server and domain administrators, but you can appoint any user as a Marshal or Deputy with limited rights to administer accounts.

The idea is that you don't need to hand out complete systems administrator authority for just managing accounts. You can divvy up user management tasks to local administrators but enforce companywide security policies (e.g., no one can create a new account with a never-expiring password). A Deputy assigned to one Territory cannot fiddle with user accounts in another Territory--an administrator cannot delete accounts belonging to another administrator's group.

On the Trail
Installing EA 4.0 is simple: An applet from the CD-ROM lets you set all the basic operating parameters and install either the server or client software. (The user management server software, which runs as an NT service on the Primary Domain Controller--PDC--or Backup Domain Controller--BDC--can be either Intel or Alpha, but administrative clients are Intel only.)

You can install EA anywhere (on a workstation, standalone server, PDC, or BDC), but your best choice is a PDC or BDC (or both, for fault tolerance). If you put EA on another system, everything still works, but you must point EA to a focus domain every time you start the application. You must install EA in each domain you want to administer, with a dedicated user (service) account that has full administrative authority.

After EA is up and running (which takes no time at all), it gives you front-end access to (and control over) NT's user administration functions via Microsoft-provided APIs. EA can communicate with Microsoft Systems Management Server (SMS) through the NT application log; you can even install EA via SMS.

Not only can you manage individual users or groups, but you can manage how users and groups are set up and by whom, with complete logging and auditing of all administrative events in a secure portion of your Registry and event posting to the application log. EA tracks all changes to user accounts and groups, including who made the change, when the change occurred, and from where, with individual user information such as last logon date. You can use a reporting tool such as Microsoft Access to view administrative histories.

EA supports just about any naming convention you choose for your users and groups. For example, you might name a group NYC.accounting or name a user NYCaccuserid. You can use wildcards (such as *.*) when you specify users and groups within your master domain, or even across domains. Wildcards are particularly handy when you use EA's command-line interface to create batch processes of administrative functions, such as moving many accounts from one server to another.
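To make the rules-based model concrete, here is a small Python sketch (an added illustration, not Mission Critical's code) of the Territory-scoped Deputies and companywide policy check described above, the who/what/when/where audit record, and wildcard patterns such as NYC.* for group names. It assumes a Territory is expressed as a pattern over group names and that "from where" is the requesting host name; both are assumptions for the sketch, not EA's actual representation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch

@dataclass
class Account:
    name: str                       # e.g. NYCaccuserid
    group: str                      # e.g. NYC.accounting
    password_never_expires: bool = False

@dataclass
class Deputy:
    name: str
    territories: list               # assumed: wildcard patterns over group names, e.g. "NYC.*"

    def covers(self, account):
        return any(fnmatch(account.group, t) for t in self.territories)

# Companywide rule checked on every request, whoever makes it.
def policy_violations(account):
    return ["never-expiring password"] if account.password_never_expires else []

class Directory:
    def __init__(self):
        self.accounts = {}
        self.audit = []             # who, what, target, when, from where, outcome

    def _log(self, actor, action, target, source, outcome):
        self.audit.append({"who": actor.name, "what": action, "target": target,
                           "when": datetime.now(timezone.utc).isoformat(),
                           "where": source, "outcome": outcome})
        return outcome == "ok"      # True only when the request was carried out

    def create(self, actor, source, account):
        if not actor.covers(account):                 # Territory check first
            return self._log(actor, "create", account.name, source, "denied: outside territory")
        bad = policy_violations(account)               # then companywide policy
        if bad:
            return self._log(actor, "create", account.name, source, "denied: " + ", ".join(bad))
        self.accounts[account.name] = account
        return self._log(actor, "create", account.name, source, "ok")

    def delete(self, actor, source, name):
        acct = self.accounts.get(name)
        if acct is None or not actor.covers(acct):     # cannot touch another Territory's accounts
            return self._log(actor, "delete", name, source, "denied: outside territory")
        del self.accounts[name]
        return self._log(actor, "delete", name, source, "ok")
```

Every request, allowed or denied, leaves one audit record, which is the history a reporting tool would later read.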

EA's drag-and-drop GUI displays all user and group security information for any combination of Territories, as you see in Screen 1. On the Marshals tab, Marshals and Deputies appear as different icons (the Marshal is a Deputy with a halo), so you always know who has what authority.

EA comes with an administrative guide and online Help files for concepts and operation. That's all the basic information you need.

Round 'Em Up
Although I didn't test EA in a domain of 10,000 users, I tested EA in the Windows NT Magazine Lab's enterprise test environment of database servers and client-simulation workstations. (EA ran on a Compaq ProLiant 5000 server, pointing to a Digital Prioris HX running as a PDC.) I experienced some logon problems when I used EA on a server that wasn't a PDC, so I recommend that you run the software with service installations on both your PDC and BDC.

Changing the computer's NetBIOS name, domain, or network services after installing EA can also cause operational problems. Even with these few bumps, EA is a good way to either centralize user management or distribute it to several individuals while maintaining corporate security policies.

Your warranty and technical support include a one-day, on-site visit by a Mission Critical engineer to help with installation, and phone support thereafter (also email support via support@missioncritical.com). If necessary, Mission Critical will send a development team armed with laptop computers and development kits to your site to solve your problems.

Enterprise Administrator 4.0
Mission Critical Software * 281-602-1700 or 800-814-9130
Web: http://www.missioncritical.com
Price: $900 per managed domain, $14 per managed user account