Large-scale distributed security administration
Whether you manage Windows NT user accounts for 1000, 10,000, or 100,000
people, you know that tasks such as creating accounts, assigning group
permissions and policies, and fixing users' passwords can eat up significant
portions of your day. Even if you distribute the task among several
administrators, the work still requires many people-hours, and distributing
administrative authority creates new security holes--and administrative
conflicts.
What if you could automate the work? What if you could manage all your NT
domains from one location, create user accounts via batch processes, and assign
group permissions en masse? Do you want to save 5 minutes 100,000 times? Then
consider Enterprise Administrator (EA) 4.0 from Mission Critical Software.
Territorial Justice
The NT Server tool for managing domain accounts, User Manager for Domains,
lets you perform most administrative chores. You can create, delete, and
disable accounts; you can even select groups of users and manage their access
rights (and through NT 3.51 File Manager or NT 4.0 Explorer, you can assign
access rights to objects for groups of users). Unfortunately, User Manager for
Domains covers only one domain or system at a time. You cannot work on multiple
servers or domains simultaneously, and configuring one domain for 10,000 users
can quickly become unmanageable.
EA lets you easily manage user accounts (and associated home directories,
profiles, etc.) across multiple domains or one large corporate domain, create
and assign group permissions for large numbers of users, and manage the security
policies of the NT systems on your network--with no effect on NT's security
functions. The product uses rules-based techniques for administering
security instead of data-based techniques: You set up rules for
administrative authority, rather than track the who, what, when, and where of
your network through a large database of access control lists (ACLs).
EA evokes images of the Old West: Marshals and Deputies assume varying
levels of control over system security, according to their assigned Territory (a
Territory can be anything from a whole domain to a group of 10 users or machines
to just 1 user). EA still requires server and domain administrators, but you can
appoint any user as a Marshal or Deputy with limited rights to administer
accounts.
The idea is that you don't need to hand out complete systems administrator
authority for just managing accounts. You can divvy up user management tasks to
local administrators but enforce companywide security policies (e.g., no one can
create a new account with a never-expiring password). A Deputy assigned to one
Territory cannot fiddle with user accounts in another Territory--an
administrator cannot delete accounts belonging to another administrator's group.
On the Trail
Installing EA 4.0 is simple: An applet from the CD-ROM lets you set all the
basic operating parameters and install either the server or client software.
(The user management server software, which runs as an NT service on the Primary
Domain Controller--PDC--or Backup Domain Controller--BDC--can be either Intel or
Alpha, but administrative clients are Intel only.)
You can install EA anywhere (on a workstation, standalone server, PDC, or
BDC), but your best choice is a PDC or BDC (or both, for fault tolerance). If
you put EA on another system, everything still works, but you must point EA to a
focus domain every time you start the application. You must install EA in each
domain you want to administer, with a dedicated user (service) account that has
full administrative authority.
After EA is up and running (which takes no time at all), EA gives you
front-end access to (and control over) NT's user administrator functions via
Microsoft-provided APIs. EA can communicate with Microsoft Systems Management
Server (SMS) through the NT application log; you can even install EA via SMS.
Not only can you manage individual users or groups, but you can manage how
users and groups are set up and by whom, with complete logging and auditing of
all administrative events in a secure portion of your Registry and event posting
to the application log. EA tracks all changes to user accounts and groups,
including who made the change, when the change occurred, and from where, with
individual user information such as last logon date. You can use a reporting
tool such as Microsoft Access to view administrative histories.
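The Territory/Marshal/Deputy delegation model and the who-what-when-where audit trail described above, as an added example written for this page (not Mission Critical's EA code or its API). The split of actions between Marshals and Deputies is an assumption; the article says only that their levels of control differ.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch

# Assumed action sets: the article says only that Marshals and Deputies have
# "varying levels of control", so this exact split is the example's choice.
ROLE_ACTIONS = {
    "Deputy": {"reset_password", "disable"},
    "Marshal": {"reset_password", "disable", "create", "delete"},
}

@dataclass
class Territory:
    name: str
    patterns: list  # account-name patterns; wildcards as in the article (NYCacc*)

    def covers(self, account):
        return any(fnmatch(account, p) for p in self.patterns)

@dataclass
class Admin:
    name: str
    role: str
    territories: list

# Company-wide rule from the article: no new account with a never-expiring password.
def company_policy_ok(action, attrs):
    return not (action == "create" and attrs.get("password_never_expires", False))

AUDIT = []  # who / what / when / from where, the fields the article says EA records

def authorize(admin, action, account, attrs=None, source="console"):
    """Allow the action only if the role permits it, the target account lies in
    one of the admin's Territories, and no company-wide rule is violated."""
    attrs = attrs or {}
    in_role = action in ROLE_ACTIONS.get(admin.role, set())
    in_scope = any(t.covers(account) for t in admin.territories)
    allowed = in_role and in_scope and company_policy_ok(action, attrs)
    AUDIT.append({
        "who": admin.name, "role": admin.role, "action": action,
        "target": account, "from": source, "allowed": allowed,
        "when": datetime.now(timezone.utc).isoformat(),
    })
    return allowed

# Constructed sample data: one Territory per city prefix, a Deputy for NYC only
NYC = Territory("NYC", ["NYCacc*", "NYC.*"])
deputy = Admin("nyc_helpdesk", "Deputy", [NYC])
marshal = Admin("hq_marshal", "Marshal", [NYC, Territory("LAX", ["LAXacc*"])])
```

Every call appends an audit record whether or not it was allowed, so denied attempts from the wrong Territory are visible to whoever reviews the log.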
EA supports just about any naming convention you choose for your users and
groups. For example, you might name a group NYC.accounting or name a user NYCaccuserid.
You can use wildcards (such as *.*) when you specify users and groups within
your master domain, or even across domains. Wildcards are particularly handy
when you use EA's command-line interface to create batch processes of
administrative functions, such as moving many accounts from one server to
another.
EA's drag-and-drop GUI displays all user and group security information for
any combination of Territories, as you see in Screen 1. On the Marshals tab,
Marshals and Deputies appear as different icons (the Marshal is a Deputy with a
halo), so you always know who has what authority.
EA comes with an administrative guide and online Help files for concepts
and operation. That's all the basic information you need.
Round 'Em Up
Although I didn't test EA in a domain of 10,000 users, I tested EA in the
Windows NT Magazine Lab's enterprise test environment of database
servers and client-simulation workstations. (EA ran on a Compaq ProLiant 5000
server, pointing to a Digital Prioris HX running as a PDC.) I experienced some
logon problems when I used EA on a server that wasn't a PDC, so I recommend that
you run the software with service installations on both your PDC and BDC.
Changing the computer's NetBIOS name, domain, or network services after
installing EA can also cause operational problems. Even with these few bumps, EA
is a good way to either centralize user management or distribute it to several
individuals while maintaining corporate security policies.
Your warranty and technical support include a one-day, on-site visit by a
Mission Critical engineer to help with installation, and phone support
thereafter (also email support via support@missioncritical.com). If
necessary, Mission Critical will send a development team armed with laptop
computers and development kits to your site to solve your problems.