This security-maintenance tool handles the grunt work

NTP Software's Domain Assistant 4.0 is a security-maintenance tool for Windows NT networks. The software is useful if you add and delete users and services on a regular basis and if your typical user's security assignments span several network resources. The program provides a GUI and a command-line interface to let administrators choose the right tool for the job.

Domain Assistant provides search and management features that standard NT management applications lack. The program can pinpoint potential security risks and make changes to prevent problems. Although other NT security utilities can perform the same actions as Domain Assistant, those utilities require the administrator to do more work and to remember or record important information, making the administrator's job tedious and error-prone. With Domain Assistant, an administrator can use one console to manage all the NT servers and workstations in multiple network domains. The product makes routine security maintenance practical rather than burdensome.

After the fast and easy installation, the NTP Software Domain Assistant folder appears in the Start menu's Programs folder. The software's GUI is also in this folder, but you must locate the command-line utilities manually. The installation process doesn't automatically add the utilities' path to the system's PATH variable.

Domain Assistant recognizes a computer and its associated domain or workgroup. You can add various computers, but the software monitors security only on NT systems. New computers automatically show up under their associated domain. You can manage computers remotely, but you must have local administrator rights on the system you want to administer. Unlike User Manager for Domains, Domain Assistant can't accommodate low-speed connections. Therefore, you'll want to use the software to manage local computers or computers to which the management console has a high-speed connection.

Using the GUI
The software's GUI has an NT Explorer-like interface, with a hierarchical display of domains, computers, and Domain Assistant wizards. The wizards include the Service ID wizard, the Rights Manager wizard, the SID Editor wizard, and the Share Editor wizard. To open a wizard, click a computer's wizard icon. A dialog box appears in the right windowpane. You use the Back and Next options to step through the wizard's dialog boxes.

The Service ID wizard lets you make configuration changes to one or more NT services. This wizard is similar to the Services applet in Control Panel that lets you start and stop services and configure startup and security settings. The wizard's service list shows each service's logon account directly; in Control Panel's Services applet, you must click a button to view it.

The Rights Manager wizard, which Screen 1 shows, helps you find and delete rights. You can use it to select accounts based on a specific right, select rights associated with deleted accounts, or select rights associated with a set of existing accounts. An example of a specific right is Take ownership of files and other objects. Typically, only administrators have this right. The Guest account has limited rights. You can use the Rights Manager to verify the Guest account's rights and revoke inappropriate rights.
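The three selections described for the Rights Manager can be reproduced against a user-rights export. This is an added example, not Domain Assistant's code or output: it assumes the `[Privilege Rights]` layout that `secedit /export /areas USER_RIGHTS` writes, and the sample export, the SIDs, and the `KNOWN_SIDS` lookup table are constructed.

```python
# Constructed sample in the [Privilege Rights] layout that
# `secedit /export /areas USER_RIGHTS` writes; every SID is made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1007
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1111-2222-3333-501
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1012
[Version]
signature="$CHICAGO$"
"""

# Constructed stand-in for a live SID-to-name lookup; a SID missing here
# plays the role of an account that has been deleted.
KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-21-1111-2222-3333-501": "Guest",
    "S-1-5-21-1111-2222-3333-1012": "jsmith",
}

def parse_rights(text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, holders = line.split("=", 1)
            rights[right.strip()] = [h.strip().lstrip("*")
                                     for h in holders.split(",") if h.strip()]
    return rights

def audit(rights, known=KNOWN_SIDS, admins="S-1-5-32-544"):
    """Select by deleted account, by one specific right, and by one account."""
    orphaned = {r: [h for h in hs if h.startswith("S-1-") and h not in known]
                for r, hs in rights.items()}
    return {
        "orphaned": {r: hs for r, hs in orphaned.items() if hs},
        "take_ownership_non_admin": [
            h for h in rights.get("SeTakeOwnershipPrivilege", []) if h != admins],
        "guest_rights": sorted(
            r for r, hs in rights.items() if any(known.get(h) == "Guest" for h in hs)),
    }
```

Calling `audit(parse_rights(SAMPLE_EXPORT))` returns the rights left on unresolvable SIDs, the non-administrator holders of Take ownership, and the rights the Guest account holds.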

The SID Editor wizard lets you search for resources that meet security criteria you specify, and lets you make changes to users' access control lists (ACLs). The wizard has six built-in searches; custom searches aren't available. A typical search criterion is for objects that all users can access. Uncontrolled access is often undesirable. The SID Editor helps you locate and fix uncontrolled access, although the initial search on a large hard disk is time-consuming. This wizard is useful for network administrators who handle high-security servers, because it can generate random passwords for services.

The Share Editor wizard, which Screen 2 shows, lists a computer's disk shares. The wizard can identify invalid shares that point to deleted directories. In addition, the wizard lets you change an existing share's path. If you use NT Explorer to change a share's path, you need to delete the share and add a new share. However, this process is difficult if the ACL contains more than one or two items. The Share Editor keeps the same ACL settings for the new share. Although the Share Editor provides a convenient list of shares, its inability to provide access to a share's ACL is a deficiency. You can use the Share Editor to delete existing shares and create new shares, but creating shares is tedious because the wizard lacks a browse button. Creating a share requires a local path, and everyone has access to the share initially. Using NT Explorer to create new shares is faster and easier.

Using the Command Line
Domain Assistant comes with a set of four command-line utilities: Sidedit, Servid, Rights, and Sharedit. These utilities duplicate the GUI's functionality. Advantages of the command-line utilities include the ability to incorporate them into batch files and the ability to use them from other applications. For example, you can access Domain Assistant's services through a Web browser if you write suitable server-side script code for the Web server.

Each command-line utility supports command-line options or the name of a command file. Commands can apply to the security settings of a set of resources that match particular criteria (e.g., resources that deleted user accounts control). The ability to build command scripts based on these features lets some administrators use the command-line interface more effectively than the GUI, especially for regular maintenance such as cleaning up after you delete user accounts. The software's printed documentation includes input file samples.

The command-line utilities generate comma-delimited files that you can easily import into spreadsheet or database applications. These files describe changes that the utilities make. The administrator must process the information into a presentable form.

The software comes with a useful printed manual. Screen shots accompany the manual's installation and general operation sections. Magnified sections of dialog boxes help you see pertinent details.

Domain Assistant's context-sensitive online Help is excellent. In fact, it's so good that you don't need the printed manual for general operation. The online Help covers the GUI and command-line applications. The command-line Help includes numerous samples organized by procedure (e.g., Take Ownership Conditionally).

Do You Need Domain Assistant?
If you have more than limited security concerns, consider Domain Assistant. The software is easy to use and has plenty of features and no major design flaws. The product will save time and effort for any NT network administrator who manages security.

Domain Assistant 4.0
Contact: NTP Software * 603-622-4400 or 800-226-2755X
Price: $1090
System Requirements: Windows NT Server 4.0