Product Reviews
Delegate NT Administration
Trusted Enterprise Manager lets systems administrators sleep at night.
If you’re responsible for managing
a large network with a Windows NT backbone, sooner or
later you run up against a simple problem: By default,
nearly every bit of user management has to be done by
members of the Domain Admins group. Unfortunately, this
group has awesome powers to mess up things if its members
aren’t careful. This leaves you with two unattractive
choices:
- Put a lot of users in the Domain Admins group and hope no one causes a disaster.
- Keep the Domain Admins group small, and require a few administrators to take care of every lost password and group membership request.
Trusted Enterprise Manager (TEM)
offers a third option. This client/server software allows
you to define groups of trusted users who can perform
a limited subset of the domain’s administrative
functions. For example, the people who answer the phone
at your corporate help desk could be empowered to reset
passwords and change group membership—but nothing
else!
TEM consists of a server application and a client
application. The server application runs on one or more
of your domain controllers and logs on using a privileged
account. The client application communicates with the
server application, not directly with the underlying
Windows NT structure. This enables the server to do
its own security checking and decide whether a particular
operation should be allowed. Indeed, because the clients
get their information from the server, the assigned
administrators don’t even see accounts or operations
that they can’t work with. A nice touch is the
Quick Password Reset dialog. TEM makes password resets
super easy to do, which solves a large number of help
desk calls.
Figure: Quick Password Reset is just one of many functions you can delegate in Trusted Enterprise Manager.
TEM lets you delegate many functions
in addition to password management:
- Changing account information
- Deleting users
- Enabling RAS access
- Forcing a password change
- Modifying logon hours
- Modifying user profiles
- Changing group membership
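The brokered design described above (clients talk only to a privileged server, which checks each request and shows operators only what they may touch) can be sketched as follows. This is an added example, not TEM's code or API: the operation names, account data, per-department scoping and audit list are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed directory: account name -> department (hypothetical data).
ACCOUNTS = {"alice": "sales", "bob": "sales", "carol": "finance", "svc_backup": "servers"}

@dataclass(frozen=True)
class Delegation:
    """What one trusted group may do, and to which accounts."""
    operations: frozenset
    scopes: frozenset

# Hypothetical policy: the help desk may reset passwords and change group
# membership for sales and finance users, and nothing else.
POLICY = {
    "helpdesk": Delegation(frozenset({"reset_password", "change_group_membership"}),
                           frozenset({"sales", "finance"})),
}

@dataclass
class Broker:
    """Stands in for the server side: the only component holding domain privileges."""
    membership: dict  # operator -> trusted group
    audit: list = field(default_factory=list)

    def _delegation(self, operator):
        return POLICY.get(self.membership.get(operator))

    def visible_accounts(self, operator):
        """Clients only ever receive accounts inside their delegated scope."""
        d = self._delegation(operator)
        if d is None:
            return []
        return sorted(a for a, dept in ACCOUNTS.items() if dept in d.scopes)

    def perform(self, operator, operation, target):
        """Deny by default; the decision is recorded before anything runs."""
        d = self._delegation(operator)
        allowed = (d is not None and operation in d.operations
                   and ACCOUNTS.get(target) in d.scopes)
        self.audit.append((operator, operation, target, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{operator} may not {operation} on {target}")
        # A real broker would now call the directory with its own privileged
        # credentials; the operator never holds them.
        return f"{operation} applied to {target}"
```

Because the check lives in the broker rather than the client, a modified client gains nothing: an out-of-scope request is refused and still leaves a DENY record.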
For large domain structures, TEM
offers distributed and cached security information.
This adds fault tolerance to your network’s user
management, and things like the refresh rate for cached
information can be adjusted for the best balance of
performance and concurrency. TEM also integrates with
Microsoft Exchange, so you can delegate the creation
and modification of Exchange mailboxes, as well as other
user administration tasks.
All in all, Trusted Enterprise Manager
is a polished solution that will come in handy in many
large enterprises. It appears that MDD takes security
very seriously. Although TEM has been out for three versions
now, there have been no reports of security holes in
it at any of the major security sites I monitor—which
is more than you can say for Windows NT.
About the Author
Mike Gunderloy, MCSE, MCSD, MCDBA, is a former MCP columnist and the author of numerous development books.