Delegate and manage users' rights for tighter security

Performing administrative tasks with Windows NT usually isn't difficult, but administrators quickly learn NT 4.0's limitations on large networks. For instance, NT 4.0 doesn't offer users fine-grained rights delegation. In most cases, when you grant users the right to perform one task, you simultaneously grant them the unintended right to perform other tasks.

The routine task of resetting locked-out user accounts is a case in point. For an administrator to reset a locked account, the user must be a member of a certain user group (Administrators, Domain Administrators, or Account Operators). But membership in one of these groups might give the user the authority to perform other network functions besides simply resetting locked-out accounts.

Aelita Delegation Manager (Aelita DM) 1.01 solves the excessive-rights problem by introducing fine-grained delegation controls into an NT 4.0 network. This competitively priced product fits well into networks of any size and runs on NT Server, NT Workstation, and Windows 9x.

As an add-on for NT networks, the software comes as a server component and a client component. The server component runs as an NT service that you can load on an NT server or workstation while the client runs as a desktop application. After you install both components, the client communicates with the server to manage user-rights delegation.

The client interface resembles NT's User Manager, but Aelita DM has expanded controls. In addition to performing all the tasks User Manager can perform, Aelita DM lets you assign fine-grained rights exclusive of other rights. For example, you can assign one user the right to modify account profiles without granting that same user any other rights on the network. Aelita DM also lets you assign one user the right to grant and deny other users' dial-in access. (The product integrates with only the rights defined in User Manager; Aelita DM doesn't integrate with NTFS or ACLs.)

Installing Aelita DM is straightforward and easy. (However, your network's structure might affect installation because Aelita DM needs to communicate with NT domain controllers charged with authenticating users.) I supplied the installation path, Start menu folder name, and registration key, and the setup program quickly copied the software onto my NT 4.0 workstation. Because the server component runs as a system service, I also had to define which account to run the service under. For testing, I created an account and password for exclusive use by the server service.

I configured the server component to start automatically after each reboot. After I installed the software, I fired up the client interface and put the product through the wringer. The client interface displays a list of all user and group accounts in the selected domain. When you select a user account, a pop-up menu appears with several available options: Properties, Permissions, Delegated, Rename, and Delete. When you select a group name, the program provides one additional choice called New User.

The Properties dialog box displays user and group properties as User Manager does, but the Properties dialog box includes two additional features, Permissions and Delegated. The Properties dialog box lets you make account adjustments in the same way as User Manager.

The Permissions and Delegated dialog boxes look the same but differ in purpose. The Permissions dialog box lets you assign administrative permissions over a user account or group to another user or group, and the Delegated dialog box lets you assign permissions to a user account or group. For example, I wanted to grant a group called RAS Operators permission to modify the dial-up permissions for all user accounts, so I used the Permissions dialog box to assign that authority over all users. I selected the RAS Operators group, selected Permissions, clicked the Add button, and selected the User group (which all my users belong to) from the list. I selected the Set Dialin permission and closed the dialog box.

Aelita DM also let me develop custom Permission Templates, as Screen 1 shows. On my network, Justin handles, among other things, group memberships for all other users. Before installing Aelita DM, Justin had to be a member of NT's built-in Account Operators. As a member of Account Operators, Justin had control over other aspects of user accounts besides group membership. Using the New Template screen, I created a Permission Template called Group Manager, and I configured the template to let users change only other users' group memberships. I applied the Group Manager Permission Template to Justin, which prevented him from changing any aspects of a user's account except group membership.

Aelita DM 2.0 should be available when you read this article. This version offers a new Windows Explorer-style user interface (UI) and improved network performance. The new version also integrates with the company's directory services' product, Virtuosity; Microsoft Exchange Server; and Computer Associates' (CA's)/Unicenter TNG Framework. The new version supports up to 30 definable-user properties (e.g., employee number, employee department), scripting, enforcement of unique account names, a delegation wizard, and account cloning.

Aelita DM is a great add-on for NT. The online Help thoroughly explains the product's intricacies, and Aelita's technical support was responsive to my questions. If you're looking for control over your users and groups that goes beyond what NT offers out of the box, I recommend you take a close look at this product.

Aelita Delegation Manager 1.01
Contact: Aelita * 800-263-0036
Price: $9 per user
System Requirements: Server:
Windows NT Server 4.0
NT 4.0 or Windows 9x