Pass off simple admin tasks to someone else via Aelita Delegation Manager 3.0.
Managing a Windows NT network is
like long-term job security, so you need help with mundane
tasks like changing user passwords or unlocking accounts.
If only you could pass off these jobs to help desk personnel—but
to give them that type of authority means granting them
membership in the Administrators or Account Operators
groups, which in turn can expose your network to unnecessary
security risks. So, you can keep doing these tasks,
or you can try Aelita Delegation Manager 3.0.
This program works like User Manager
for Domains and offers greater flexibility in the permissions
that you can assign. “Why replace the native NT
tools?” you ask. While NT lets you add users to
groups like Administrators or Account Operators, it
doesn’t let you change the permissions that those
groups provide to their members. With User Manager for
Domains, any member of Account Operators can change
passwords for users, but that member can then make a
slew of other changes. Using Aelita DM instead, you
can specify a narrower set of permissions.
If you’re concerned about replacing
the current SAM database with a new security database,
don’t be—Aelita DM doesn’t replace the
SAM database by keeping its own user accounts. Instead,
Aelita DM keeps a database of privileges that are associated
with users that exist in the SAM database. In total,
you have two security databases after installing Aelita
DM: the Windows NT SAM database and the Aelita database
that stores the enhanced permissions.
Aelita DM is actually a client/server
system. You have a server that holds the permissions
database and a client front-end that replaces User Manager
and grants the enhanced permissions to users. The way
an administrator assigns users permissions to change
account properties is interesting: With Aelita DM user
accounts are treated just like files on an NTFS drive.
Users can be granted permissions on each account, which
are lumped together in what DM calls “templates.”
For example, if John the help desk technician needs
to be able to change user passwords, you simply open
John’s account and use the Delegate button to assign
him permissions for all of the necessary accounts. If
you need to assign him permissions on one account at
a time, you use the Permissions button.
To use the privileges that have been
assigned, a user logs onto the network using his or
her standard user account, then opens Aelita DM to make
changes. Aelita DM sends the change request to the Delegation
Server (where the permissions database is maintained)
to verify that this user can make the requested changes.
Suppose a help desk technician is granted the permission
to reset user passwords and he needs to exercise this
right. In order to reset a password with Aelita DM,
the technician opens up the client for Aelita DM instead
of User Manager for Domains to make the change. The
client verifies with the DM server that the technician
has this authority; if the tech has permission to reset
passwords, Aelita DM makes the appropriate change to
the end user account in the SAM database.
Delegation Manager is perfect for managing a large
number of accounts.
Aelita Delegation Manager takes some
getting used to. For one, since it can be used to replace
User Manager for Domains, you have to remember to open
it instead of User Manager (against what you’ve
been trained to do). Second, the terminology can be
confusing at first, until you understand the role of
permissions and delegates. Third, you actually need
more than one Delegation Server, because if it goes
down your users won’t be able to do anything since
they’re merely mortal users without the Delegation
Server to grant them powers.
Despite these minor annoyances, Aelita
promises a program designed to make granting permissions
granular so that you can take a load off of your own
back. If you have a small company where there’s
only one or two administrators, this program may not
hold advantages. But Aelita DM is perfect for the admin
responsible for divisions of users. Even better, if
you’re in a large company with junior admins or
a helpdesk, you should give Aelita Delegation Manager
Joseph L. Jorden, MCSE, MCT, CCNA, CCDA is Chief Technical Officer for Dugger & Associates (www.Dugger-IT.com). He was one of the first 100
people to achieve the MCSE+I and one of the first 2,000 to become an MCSE under Windows 2000. Joseph frequently contributes to books from Sybex and various periodicals.