Mission Critical's Enterprise Administrator 4.6: A Versatile NT Overlay

Hands On: ENT and Client/Server Labs Test Enterprise Administrator 4.6

Any network-centric operating system must incorporate its own means of controlling access to various levels of system authority, resources and capabilities. There are probably about as many different desired approaches to implementing system controls as there are companies using a particular operating system, making it tough for developers to meet many sets of expectations.

Historically, this aspect of network operations has been done well by Novell Inc., with a business-oriented approach to structuring user accounts and authority. It has been a particularly weak point for Microsoft Corp., which structures the Windows NT domain as the basic business unit. This has a tendency to cause a proliferation of Windows NT domains and an excessive demand on administrative functions. One Atlanta-area telecommunications company, for example, spawned more than 100 Windows NT domains -- an administrative nightmare -- in an attempt to compartmentalize network control and authority within the enterprise.

Enterprise Administrator (EA) 4.6 from Mission Critical Software is described by the company as a rules-based administration environment for large-scale Windows NT networks. The product integrates seamlessly with a Windows NT installation and greatly expands the range of actions available to the system administrator.

The most appealing addition to the administrator's arsenal is an ability to delegate precisely definable levels of authority, including almost any conceivable combination of attributes, to Marshals and Deputies. These, in turn, have authority only in the EA Territory assigned to them. This means that Windows NT's constraints are essentially gone, and the creation of new users, resource management and Microsoft Exchange administration can be delegated to the appropriate individuals within an enterprise.

EA has several capabilities that add a new dimension to possible security arrangements under Windows NT. For instance, it is possible to have overlapping security domains, as well as precisely defined groups and powers, with enhanced logging and reporting capabilities to back up the expanded capabilities. Dual-key security may be employed where needed, making it possible to tie certain actions, such as changing administrative passwords or deleting user accounts, to simultaneous action by two users.

An example helps to clarify the power and simplicity of EA's operation. Imagine a multi-location company with locations in Boston, Cincinnati and Denver. Administrative, sales and production staffs are in each location, with the directors for sales and production in Boston and the administrative director in Denver. A Windows NT-only implementation in this scenario would probably require at least three, and possibly as many as nine, domains for the business units and locations, and also require the establishment of trust relationships between them. A Windows NT controller would also be needed for each domain, with all of the hardware, software and human resources necessary to support it. EA creates one domain, with Territories for administrative, sales and production groups that are independent of location and controlled by the directors. Each Territory's Deputies have control of the local resources.

EA 4.6 also supports the synchronization of Microsoft Exchange distribution lists with Windows NT group memberships and EA Territories. This feature can prevent a duplication of effort and can minimize the time needed to maintain Exchange distribution lists. With EA, administrators can create detailed templates for Exchange mailboxes and new user accounts. When a new salesperson is hired and added to the system, the distribution lists, supervisor information, e-mail aliases and other information are ready to go once the new name is typed in.

Anyone who has ever had to troubleshoot difficulties in a Windows NT system has probably had cause to wonder about the perverse text that appears in Event Viewer messages, which seem to magically combine too many entries with too little real information. With EA, however, Mission Critical has taken pains over the logging -- which cannot be turned off -- to make it more detailed and descriptive. These efforts have paid off, and the same care shows in the reports that EA generates. Mission Critical points to the Last Logon report, which shows logon statistics from all accessible domain controllers within a domain. This is aimed at identifying inactive user accounts and the security risk that they represent.
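The cross-controller merge behind a report like Last Logon, as an added Python example (not Mission Critical's code). It assumes each domain controller keeps its own last-logon time for an account; the controller names, account names, dates and 90-day threshold are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: per-controller last-logon times (None = no logon recorded
# there). A controller mapped to None could not be queried for the report.
SAMPLE = {
    "BOS-DC1": {"asmith": datetime(1999, 11, 2), "bjones": datetime(1999, 3, 14), "cdoe": None},
    "CIN-DC1": {"asmith": datetime(1999, 6, 1), "bjones": datetime(1999, 4, 20), "cdoe": None},
    "DEN-DC1": None,  # unreachable when the report ran
}


def last_logon_report(per_dc, now, max_idle_days=90):
    """Merge per-controller records into {account: (latest_logon, status)}.

    status is 'active', 'inactive' or 'never'. When any controller was
    unreachable, 'inactive' and 'never' get an '-unverified' suffix, because
    the missing controller may hold a more recent logon.
    """
    reachable = [recs for recs in per_dc.values() if recs is not None]
    incomplete = len(reachable) < len(per_dc)

    # The true last logon is the newest value seen on any controller.
    latest = {}
    for recs in reachable:
        for account, seen in recs.items():
            latest.setdefault(account, None)
            if seen is not None and (latest[account] is None or seen > latest[account]):
                latest[account] = seen

    cutoff = now - timedelta(days=max_idle_days)
    report = {}
    for account, seen in latest.items():
        if seen is None:
            status = "never"
        elif seen < cutoff:
            status = "inactive"
        else:
            status = "active"
        if incomplete and status != "active":
            status += "-unverified"
        report[account] = (seen, status)
    return report


if __name__ == "__main__":
    for name, (seen, status) in sorted(last_logon_report(SAMPLE, datetime(1999, 12, 1)).items()):
        print(f"{name:8} {seen or '-':<20} {status}")
```

Accounts marked `-unverified` should be rechecked once every controller answers before they are disabled or deleted.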

Mission Critical also added a few features that result in nice tweaks to Windows NT operation. For example, a one-click password reset function generates a complex random password, and it has a default setting that requires the user to change the password at the next logon. It is also possible to enforce password strength by requiring a minimum number of uppercase and lowercase alphabetic, numeric or special characters. EA automatically creates a home directory as a new user is added, and simplifies the task of moving a user's files to a new home directory. Last but not least, EA can enforce naming conventions for user accounts, groups and resources. Our example company could therefore mandate that all servers, workstations and printers in Boston have a BOS- prefix to make physical locations apparent.

For networks that already have multiple domains, and the cumbersome administrative layering that accompanies them, the Domain Consolidation Toolkit can be used to add EA to the system. This set of tools includes the Account Replicator, the File Security Translator, and the Exchange Security Translator. These tools permit the copying of user accounts and groups to another domain and the resolution of the resulting Security Identifier issues. Another utility, the Task Automation Scripting Kit (TASK), can integrate other applications with EA. For example, an HR application could be updated with new employee information as the new user is being added to the system.

Mission Critical's EA provides powerful and needed enhancements to the native capabilities of Windows NT, especially in systems with large numbers of users. Problems that become a full-time headache with a few thousand users can be reduced or eliminated through the capabilities of Enterprise Administrator. The hardest part of installing EA is likely to be the creation of a proper plan and structure for delegating authority within the enterprise, which is a necessary precursor. The advent of Windows 2000 will only slightly lessen the need for this kind of network tool, and a current purchase of EA with maintenance includes the commitment to support the next generation of Windows when it arrives.

Enterprise Administrator 4.6
Mission Critical Software Inc.
Houston, Texas
(888) 323-6768

+ Ability to precisely define levels of authority
+ Overlapping security domains
+ Precisely defined groups and powers with enhanced logging and reporting capabilities

- Installation requires the creation of a proper plan and structure for delegating authority
