Product Reviews

Who's Responsible?

Pass off simple admin tasks to someone else via Aelita Delegation Manager 3.0.

Managing a Windows NT network is like long-term job security, so you need help with mundane tasks like changing user passwords or unlocking accounts. If only you could pass off these jobs to help desk personnel—but to give them that type of authority means granting them membership in the Administrators or Account Operators groups, which in turn can expose your network to unnecessary security risks. So, you can keep doing these tasks, or you can try Aelita Delegation Manager 3.0.

This program works like User Manager for Domains and offers greater flexibility in the permissions that you can assign. “Why replace the native NT tools?” you ask. While NT lets you add users to groups like Administrators or Account Operators, it doesn’t let you change the permissions that those groups provide to their members. With User Manager for Domains, any member of Account Operators can change passwords for users, but that member can then make a slew of other changes. Using Aelita DM instead, you can specify a narrower set of permissions.

If you’re concerned about replacing the current SAM database with a new security database, don’t be—Aelita DM doesn’t replace the SAM database by keeping its own user accounts. Instead, Aelita DM keeps a database of privileges that are associated with users that exist in the SAM database. In total, you have two security databases after installing Aelita DM: the Windows NT SAM database and the Aelita database that stores the enhanced permissions.

Aelita DM is actually a client/server system. You have a server that holds the permissions database and a client front-end that replaces User Manager and grants the enhanced permissions to users. The way an administrator assigns users permissions to change account properties is interesting: With Aelita DM user accounts are treated just like files on an NTFS drive. Users can be granted permissions on each account, which are lumped together in what DM calls “templates.” For example, if John the help desk technician needs to be able to change user passwords, you simply open John’s account and use the Delegate button to assign him permissions for all of the necessary accounts. If you need to assign him permissions on one account at a time, you use the Permissions button.

To use the privileges that have been assigned, a user logs onto the network using his or her standard user account, then opens Aelita DM to make changes. Aelita DM sends the change request to the Delegation Server (where the permissions database is maintained) to verify that this user can make the requested changes. Suppose a help desk technician is granted the permission to reset user passwords and he needs to exercise this right. In order to reset a password with Aelita DM, the technician opens up the client for Aelita DM instead of User Manager for Domains to make the change. The client verifies with the DM server that the technician has this authority; if the tech has permission to reset passwords, Aelita DM makes the appropriate change to the end user account in the SAM database.

Aelita Delegation Manager is perfect for managing a large number of accounts.

Aelita Delegation Manager takes some getting used to. For one, since it can be used to replace User Manager for Domains, you have to remember to open it instead of User Manager (against what you’ve been trained to do). Second, the terminology can be confusing at first, until you understand the role of permissions and delegates. Third, you actually need more than one Delegation Server, because if it goes down your users won’t be able to do anything since they’re merely mortal users without the Delegation Server to grant them powers.

Despite these minor annoyances, Aelita promises a program designed to make granting permissions granular so that you can take a load off of your own back. If you have a small company where there’s only one or two administrators, this program may not hold advantages. But Aelita DM is perfect for the admin responsible for divisions of users. Even better, if you’re in a large company with junior admins or a helpdesk, you should give Aelita Delegation Manager serious consideration.

About the Author

Joseph L. Jorden, MCSE, MCT, CCNA, CCDA is Chief Technical Officer for Dugger & Associates ( He was one of the first 100 people to achieve the MCSE+I and one of the first 2,000 to become an MCSE under Windows 2000. Joseph frequently contributes to books from Sybex and various periodicals.

comments powered by Disqus
Most   Popular