Enterprise Administrator 4.0

Enterprise Administrator 4.0 from Mission Critical Software lets you manage user accounts, create and assign permissions and manage security on a large scale.

Joel Sloss

April 30, 1997


Large-scale distributed security administration

Whether you manage Windows NT user accounts for 1000, 10,000, or 100,000 people, you know that tasks such as creating accounts, assigning group permissions and policies, and fixing users' passwords can eat up significant portions of your day. Even if you distribute the task among several administrators, the work still requires many people-hours, and distributing administrative authority creates new security holes--and administrative conflicts.

What if you could automate the work? What if you could manage all your NT domains from one location, create user accounts via batch processes, and assign group permissions en masse? Do you want to save 5 minutes 100,000 times? Then consider Enterprise Administrator (EA) 4.0 from Mission Critical Software.

Territorial Justice
The NT Server tool for managing domain accounts, User Manager for Domains, lets you perform most administrative chores. You can create, delete, and disable accounts; you can even select groups of users and manage their access rights (and through NT 3.51 File Manager or NT 4.0 Explorer, you can assign access rights to objects for groups of users). Unfortunately, User Manager for Domains covers only one domain or system at a time. You cannot work on multiple servers or domains simultaneously, and configuring one domain for 10,000 users can quickly become unmanageable.

EA lets you easily manage user accounts (and associated home directories, profiles, etc.) across multiple domains or one large corporate domain, create and assign group permissions for large numbers of users, and manage the security policies of the NT systems on your network--with no effect on NT's security functions. The product uses rules-based techniques for administering security instead of data-based techniques: You set up rules for administrative authority, rather than track the who, what, when, and where of your network through a large database of access control lists (ACLs).

EA evokes images of the Old West: Marshals and Deputies assume varying levels of control over system security, according to their assigned Territory (a Territory can be anything from a whole domain to a group of 10 users or machines to just 1 user). EA still requires server and domain administrators, but you can appoint any user as a Marshal or Deputy with limited rights to administer accounts.

The idea is that you don't need to hand out complete systems administrator authority for just managing accounts. You can divvy up user management tasks to local administrators but enforce companywide security policies (e.g., no one can create a new account with a never-expiring password). A Deputy assigned to one Territory cannot fiddle with user accounts in another Territory--an administrator cannot delete accounts belonging to another administrator's group.
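
The delegation model described above, sketched as an added example (not from the original review and not Mission Critical's code): a rules-based check that confines a delegated administrator to a Territory, applies a companywide policy on top, and records who attempted what. Encoding a Territory as a wildcard over account names, and the names Delegation, RULES, and authorize, are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Delegation:
    admin: str          # delegated administrator (a Deputy in the review's terms)
    territory: str      # wildcard over account names; hypothetical encoding
    actions: frozenset  # operations this administrator may perform there


# Constructed sample rules; account names follow a site.department.user convention.
RULES = [
    Delegation("deputy_nyc", "NYC.accounting.*",
               frozenset({"create", "reset_password", "disable"})),
    Delegation("deputy_hou", "HOU.*",
               frozenset({"create", "delete", "reset_password"})),
]


def policy_violations(action, attrs):
    """Companywide rules that apply no matter who makes the request."""
    problems = []
    if action == "create" and attrs.get("password_never_expires"):
        problems.append("new accounts may not have never-expiring passwords")
    return problems


def authorize(admin, action, account, attrs=None, audit=None):
    """Return (allowed, reason) and append an audit record either way."""
    attrs = attrs or {}
    in_territory = [r for r in RULES
                    if r.admin == admin and fnmatchcase(account, r.territory)]
    if not in_territory:
        verdict = (False, "account is outside the requester's territory")
    elif not any(action in r.actions for r in in_territory):
        verdict = (False, "action not delegated for this territory")
    else:
        problems = policy_violations(action, attrs)
        verdict = (False, "; ".join(problems)) if problems else (True, "ok")
    if audit is not None:
        audit.append({"who": admin, "action": action, "target": account,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

Denied requests are audited as well as granted ones, so an attempt to act outside a Territory leaves a record for review.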

On the Trail
Installing EA 4.0 is simple: An applet from the CD-ROM lets you set all the basic operating parameters and install either the server or client software. (The user management server software, which runs as an NT service on the Primary Domain Controller--PDC--or Backup Domain Controller--BDC--can be either Intel or Alpha, but administrative clients are Intel only.)

You can install EA anywhere (on a workstation, standalone server, PDC, or BDC), but your best choice is a PDC or BDC (or both, for fault tolerance). If you put EA on another system, everything still works, but you must point EA to a focus domain every time you start the application. You must install EA in each domain you want to administer, with a dedicated user (service) account that has full administrative authority.

After EA is up and running (which takes no time at all), EA gives you front-end access to (and control over) NT's user administrator functions via Microsoft-provided APIs. EA can communicate with Microsoft Systems Management Server (SMS) through the NT application log; you can even install EA via SMS.

Not only can you manage individual users or groups, but you can manage how users and groups are set up and by whom, with complete logging and auditing of all administrative events in a secure portion of your Registry and event posting to the application log. EA tracks all changes to user accounts and groups, including who made the change, when the change occurred, and from where, with individual user information such as last logon date. You can use a reporting tool such as Microsoft Access to view administrative histories.

EA supports just about any naming convention you choose for your users and groups. For example, you might name a group NYC.accounting or name a user NYCaccuserid. You can use wildcards (such as *.*) when you specify users and groups within your master domain, or even across domains. Wildcards are particularly handy when you use EA's command-line interface to create batch processes of administrative functions, such as moving many accounts from one server to another.

EA's drag-and-drop GUI displays all user and group security information for any combination of Territories, as you see in Screen 1. On the Marshals tab, Marshals and Deputies appear as different icons (the Marshal is a Deputy with a halo), so you always know who has what authority.

EA comes with an administrative guide and online Help files for concepts and operation. That's all the basic information you need.

Round 'Em Up
Although I didn't test EA in a domain of 10,000 users, I tested EA in the Windows NT Magazine Lab's enterprise test environment of database servers and client-simulation workstations. (EA ran on a Compaq ProLiant 5000 server, pointing to a Digital Prioris HX running as a PDC.) I experienced some logon problems when I used EA on a server that wasn't a PDC, so I recommend that you run the software with service installations on both your PDC and BDC.

Changing the computer's NetBIOS name, domain, or network services after installing EA can also cause operational problems. Even with these few bumps, EA is a good way to either centralize user management or distribute it to several individuals, while you are maintaining corporate security policies.

Your warranty and technical support include a one-day, on-site visit by a Mission Critical engineer to help with installation, and phone support thereafter (also email support via [email protected]). If necessary, Mission Critical will send a development team armed with laptop computers and development kits to your site to solve your problems.

Enterprise Administrator 4.0

Mission Critical Software * 281-602-1700 or 800-814-9130
Web: http://www.missioncritical.com
Price: $900 per managed domain, $14 per managed user account
