What kinds of organizations use TEM?
Organizations from 250 to 80,000 users are reaping the benefits of using
TEM today! Universities, petroleum companies, major communications
carriers, investment firms, banks, insurance companies, space research
firms, U.S. Military, and many other organizations are using TEM to
achieve effortless enterprise management.
What is the cost of Trusted Enterprise Manager (TEM)? Does Avatier offer a software maintenance program? If so, what does it cost? What are the details?
Enterprise licenses and the answers to these or any other questions on
Trusted Enterprise Manager are available by contacting Avatier at sales@avatier.com.
A software maintenance plan is also available. We highly recommend it due
to Avatier's aggressive development cycle. With our maintenance plan, you
will always be assured of the latest and very best in enterprise
management solutions.
Design and Architecture Questions
What is Trusted Enterprise Manager (TEM)?
Trusted Enterprise Manager (TEM) is the
premier tool for delegating NT/2000/Exchange/WTS authority on the market
today. TEM is designed as an NT BackOffice and Windows 2000 compliant
security and administration solution. TEM has been optimized and tested
in corporate environments with over 70,000 NT accounts. However, sites
with as few as 50 users can appreciate the simplicity of TEM's security,
reporting, task automation, naming, interface, and management features.
What are the components of TEM?
Trusted Enterprise
Manager is comprised of several integrated components. These include
several specialized TEM services, a SQL server backend, and the TEM
Client interface.
The TEM services are
special background programs that run on NT/2000 Server and/or NT/2000
Workstation. These include services that the Client communicates with and
other services that populate the Directory Shadow Repository SQL DB.
The TEM Client interface
is used by Enterprise Managers ("high-level" NT/2000 Domain
Administrators) to set global options, to produce reports, and to
delegate specific permissions over groups, users, and computers to
Trusted Managers ("junior" or "remote" administrators). TEM
automatically determines an Enterprise Manager's credentials when the
Client is launched, and it presents expanded menus and options that are
not available to Trusted Managers.
Trusted Managers use the
TEM Client interface to manage computers and groups of users assigned to
them by Enterprise Managers. TEM Client interface users can only view
and make changes to their assigned computers, users, and groups. For
Trusted Managers, TEM Client replaces most of the functionality of
several Microsoft tools, including User Manager for Domains, Server
Manager, Exchange Admin, User Manager Terminal Server Edition, and Active
Directory Users & Computers.
Does TEM allow for managing access to resources, such as files and printers?
TEM provides delegated
management of specific computer attributes, NT/2000 services, and NT/2000
shares directly per computer.
TEM can manage other
resources indirectly, yet effectively. By providing secure management of
global groups, TEM allows for measured access to some resources located
in account or resource domains. A global group managed by TEM may be
made part of a local group that has the proper access authority over
resources in a domain (printers, files, directories, etc). A Trusted
Manager with the '[Am] Add Members...' TEM Permission can then add users
to the global group for access to the particular resource. Upcoming
versions of TEM will continue to add management for resources on the
network, including files, directories, printers, profiles, and policies.
How does TEM integrate with Windows 2000 and Active Directory?
TEM v4 is officially
certified for Windows 2000. Because TEM uses supported Microsoft APIs
and only manages native objects (global groups, users, computers, etc.)
that all still exist in Windows 2000, are all still accessed by standard
API calls, and all have specified migration paths to the directory, TEM
manages them effectively in an NT and/or Windows 2000 Active Directory
environment. TEM is Organizational Unit (OU)-aware for copying users and
groups in a native Active Directory (ADS) environment. Full ADS OU,
Exchange 2000, and extended ADS property/permission management will be
continually added to the product throughout 2001.
A white paper is
available from Avatier that discusses Directory Services and how TEM will
enhance your Windows Network environment today and tomorrow. Avatier will
provide additional tools for migrating and modeling the current
environment to Windows 2000 Active Directory. TEM will also evolve to
manage and report on the permissions available in the Directory. TEM is
an ideal bridge to enable migration to Microsoft Directory Services.
What happens when the product is uninstalled? How much cleanup of group permissions is required? Are permissions "broken"?
TEM does not change or
affect native group permissions at all when uninstalled. TEM uses
industry-standard installation software, InstallShield, which ensures a
smooth de-installation. TEM does not introduce management configuration
information or changes to the NT registry. TEM does not introduce
foreign objects, terms, or constructs to the network. More importantly,
TEM does not leave any of these objects behind when the product is
uninstalled.
Will your products integrate with other BackOffice products, e.g. Exchange, Windows Terminal Server, SMS, SNA Server, SQL Server, DNS Manager, DHCP Manager, etc.?
TEM currently manages
Exchange mailboxes, distribution list/group synchronizations, and Windows
Terminal Server profiles. Future Avatier products and snap-in modules to TEM
will address the breadth of the BackOffice family of products.
Can views of the domain be restricted for various classes of users/administrators? Can individuals be given the power to administer individual groups, or will group managers have access to modify group membership for all groups?
Sure. Enterprise
Managers set up Trusted Managers (individual users, Global Groups, or NT4
Local Groups) to manage specific Global Groups of users. Trusted
Managers will only see the groups, users, and computers that were
assigned to them in the TEM Client. This scope-of-management reduction
allows the Trusted Manager to focus on only the network objects they are
responsible for, and significantly reduces their learning curves and
training costs.
How many individual levels of access can be defined?
TEM 4 Series supports
over 35 individual levels of permissions that can be delegated
individually or in a combination. With TEM’s Active Collections™,
customized "roles" – such as “Help Desk”, “Remote Admin”, etc. – can be
applied to groups, allowing for simple, standardized administration
practices across the organization.
Can the product be used along with native NT tools, e.g. NT's native User Manager?
Absolutely. The TEM
user cache can be scheduled to refresh with NT’s SAM (& 2000's Directory)
and automatically refreshes at 1 AM by default. It can also be manually
refreshed with User Manager for Domains whenever necessary. Once TEM is
deployed, Avatier encourages customers to avoid using User Manager to manage
groups and users that are to be managed with TEM. Avatier encourages Domain
Administrators to only use NT's User Manager to administrate trusts,
policies, etc. The same recommendation holds with Active Directory Users
& Computers in Windows 2000. By managing groups and users outside of TEM,
it is likely that the naming standards you defined in TEM will not be
followed, task automation will not occur, and certain features (Rename
Groups in NT4 or multi-select in W2K) will not be available. Also, if
additions/deletions of users, global groups, or local groups occur in
User Manager, these changes will not immediately appear in TEM unless
manually synchronized or until the scheduled SAM synchronization occurs.
This is due to TEM’s caching model that provides a 1200% performance gain
over User Manager for Domains in environments over 1000 users.
Can "Reset Password" power be the only permission granted and not allow other changes to the user account (e.g., change User Name, description, add to groups, disable account, etc.)? Can a Trusted Manager be restricted to adding (and not have rights to delete) users?
TEM provides secure
granular levels of authority. Each permission allows the Trusted
Manager to carry out only its specific function on assigned
groups, computers, and user accounts. For example, a Trusted Manager can
be restricted to adding but not deleting users – [Cu] Copy/Create Users
is a separate TEM permission from [Du] Delete Users.
Is the power to add members to the various administrative groups restricted to a single set of individuals, or can permissions be granted to additional users by "junior" administrators?
If a Trusted Manager has
[Dr] Delegate Rights authority over a Global Group, he/she can delegate
authority to other peers over the groups and users they manage. A Trusted
Manager with [Dr] Delegate Rights can only delegate the group/user
permissions he/she currently has (or a subset of them). This feature
allows TEM to scale administration to the largest NT/2000 environments
that typically have a multi-tiered support model.
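The two delegation rules stated in the answers above (each permission covers only its own function on assigned groups, and a Trusted Manager holding [Dr] Delegate Rights can pass on only the permissions they currently hold, or a subset) modelled in Python as an added example. This is not Avatier's code: the in-memory store, the manager and group names, and the scenario are constructed; only the permission codes come from the FAQ.

```python
"""Added model of TEM-style delegation checks; not Avatier code."""
from dataclasses import dataclass, field

# Permission codes as named in the FAQ (the full set of 35+ is not listed there).
AM = "[Am] Add Members"
CU = "[Cu] Copy/Create Users"
DU = "[Du] Delete Users"
DR = "[Dr] Delegate Rights"


@dataclass
class DelegationStore:
    """Manager -> Global Group -> permission set. Constructed in-memory
    stand-in for the TEMCFG control files / SQL DB described in the FAQ."""
    grants: dict = field(default_factory=dict)

    def assign(self, manager: str, group: str, perms) -> None:
        """Enterprise Manager assignment: not constrained by this model."""
        self.grants.setdefault(manager, {})[group] = frozenset(perms)

    def permissions(self, manager: str, group: str) -> frozenset:
        """Empty for any group not assigned to the manager (scope reduction)."""
        return self.grants.get(manager, {}).get(group, frozenset())

    def can(self, manager: str, group: str, perm: str) -> bool:
        """A permission allows only its own function, only on assigned groups."""
        return perm in self.permissions(manager, group)

    def delegate(self, delegator: str, delegatee: str, group: str, perms) -> None:
        """Trusted Manager delegation: requires [Dr] on the group, and the
        delegated set must be a subset of what the delegator currently holds."""
        held = self.permissions(delegator, group)
        if DR not in held:
            raise PermissionError(f"{delegator} lacks {DR} on {group}")
        excess = frozenset(perms) - held
        if excess:
            raise PermissionError(f"{delegator} cannot delegate {sorted(excess)}")
        self.assign(delegatee, group, perms)


def _attempt(fn) -> bool:
    """True if the delegation was accepted, False if it was refused."""
    try:
        fn()
        return True
    except PermissionError:
        return False


def run_scenario() -> dict:
    """Constructed scenario: a help-desk lead delegates to a peer."""
    store = DelegationStore()
    store.assign("lead", "G_Sales", {AM, CU, DR})  # set by an Enterprise Manager
    return {
        "lead_out_of_scope": store.can("lead", "G_Finance", AM),
        "subset_delegation": _attempt(lambda: store.delegate("lead", "peer", "G_Sales", {AM})),
        "escalation_refused": _attempt(lambda: store.delegate("lead", "peer", "G_Sales", {DU})),
        "peer_add_members": store.can("peer", "G_Sales", AM),
        "peer_delete_users": store.can("peer", "G_Sales", DU),
        "peer_redelegate": _attempt(lambda: store.delegate("peer", "other", "G_Sales", {AM})),
    }
```

The scenario shows the two refusals a defender cares about: a delegator cannot hand out a permission they do not hold, and a delegatee without [Dr] cannot delegate further.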
Performance Questions
Does TEM affect Windows NT/2000 operations and performance?
TEM does not affect
normal Windows NT/2000 operations, such as logon authentication,
background replication, and access to resources. TEM adds specialized
services and the necessity for SQL Server (TEM ships with the runtime
version) to the environment; these require significant RAM and minimal disk
space/CPU utilization. The TEM DSR/SQL combination requires the most RAM,
but the primary Robot service only utilizes approximately 1 MB of memory
per 1000 users cached on startup. The TEM Robot service's load time
equates to approximately 1 minute per 1000 users cached. Once the
service has cached the managed users on startup and the SQL database is
similarly populated, user account/mailbox management performance
dramatically improves over native tools. This improvement is more
noticeable the larger the number (over 1000) of managed user accounts.
Does TEM make it easier and faster to manage user accounts and groups?
Definitely! Auto Naming,
multi-select property changes, and several other Task Automation
features save countless hours when creating and managing users, groups,
and resources. One of the biggest time-saving features in TEM is the
ability to simultaneously change the properties of multiple accounts.
Trusted Managers can modify multiple accounts in one step, such as
resetting passwords, changing Exchange information, or creating home
directories/shares for multi-selected users on the same server.
Security Questions
Is TEM's communication secure? Does the product add any security constraints beyond those of NT/2000?
In order to be Windows
NT/2000/BackOffice Logo certified, TEM must utilize native Windows NT C2
security logon authentication and file/directory security. TEM only
utilizes the security APIs that Microsoft supports and recommends for
Windows NT/2000. TEM utilizes export-compliant encrypted communications
for all calls across the network.
TEM's primary
configuration files are located on a restricted share point and a secured
database. TEM uses NT's unified logon verification and does not add a
separate login ID/password construct per BackOffice logo specifications.
What auditing/logging capabilities are available? Can these logs be protected against unauthorized access?
All TEM Client
activities are logged in the Microsoft Event Viewer on the computers
running the TEM services. TEM leverages NT's own security to protect the
Event Viewer logs. Additionally, TEM can be configured to track all
audit-worthy TEM events to an external .CSV file on a secure share, for
a simple upload into Excel or Access.
Does TEM write any secure information in the NT/2000 registry?
No. TEM does not write
unencrypted, sensitive or enterprise management configuration information
to the NT/2000 registry. Avatier believes that the registry is the least
optimal and most dangerous place to write any management data, as it is
limited in size, relatively insecure, and does not allow for proper fault
tolerance or rapid contingency recovery. Products that create enterprise
management structures in the NT/2000 registry should be avoided at all
costs to maintain the integrity of the network and associated Domain
Controller servers.
What reporting capabilities are available?
TEM provides excellent
reporting of users, Trusted Manager rights, group memberships,
properties, settings, etc., and this area will be significantly enhanced
in future versions of TEM.
TEM’s “Details View”
grid provides the TEM Client user with a spreadsheet-like interface of
the managed objects (users, groups, account properties, mailbox
settings, WTS profile information, last logon statistics, etc.) and the
abilities to sort, filter, arrange, freeze, format, print, and modify.
This powerful and unique Admin-by-Report view
allows direct management to the objects and their properties following
the desired filtering, sorting, and other column functions.
TEM allows for reporting
of who is administering what groups and what permissions they have. The
comma-separated file can be imported to a common spreadsheet/database
format for further reporting and sorting. Future reports will be
available in Crystal Reports interface.
TEM v4 now integrates
with Enterprise Security Reporter (ESR) from Small Wonders Software. ESR
provides file/directory/share security reporting information (effective
and explicit) for users and groups. It also has other valuable
reports for domains. When configured to work with TEM, a specific user
or group can be selected in the Client to display their effective and
explicit permissions on certain servers in the network in a Crystal
Reports interface.
Configuration Questions
Where does TEM store its Trusted Manager authorization information?
For Trusted Manager
assignments over Users and Groups, TEM securely stores five control
files, TEMAdmin2.TDB, TEMGroup2.TDB, TEMMAP.CFG, GRPQUOTA.TDB, and
TEMOPTIONS.INI in the TEMCFG directory. This directory is shared on the
network and leverages NT's native NTFS/Share security model. Only NT/2000
Administrators, TEM Enterprise Managers, and the TEM services should have
administrative and access rights. No one else (including Trusted
Managers) needs to have ANY access to this directory.
For Trusted Manager
assignments over computers, services, and shares, TEM uses a secure SQL
database. Eventually, all Trusted Manager assignments and permissions
will be stored and updated here.
The TEM Robot service is
a "substitute Domain Administrator" and proxies requests on behalf of the
Trusted Managers using the TEM Client. This service may run on any
NT/2000 machine in the Domain that it is managing. It can run on
multiple machines in the managed domain(s) for performance, fault
tolerance, and contingency recovery. In this scenario, synchronization
of the TEMCFG control files and the SQL DB is necessary.
Fault Tolerance Questions
What happens if the server or workstation on which the TEM service is running fails?
TEM's flexible
architecture allows for planning of contingency recovery and fault
tolerance levels according to business needs. Localized performance
improvements can also be achieved through these methods:
The TEM services can be
installed on multiple NT/2000 computers in the domain and be active for
distributed local caching performance and fault tolerance purposes. While
only one TEM ROBOT needs to be active at a time, the secondary services
can be running and available if the main TEM server fails. As long as any
PDC is functioning in a managed domain, TEM can function.
The TEM Client would
need to include simple .INI file entries to indicate the available TEM
servers that could be used in the event of an outage or performance hit
of any TEM server.
The TEM ROBOT can also
be pointed at a still-active TEMCFG shared directory or an alternate
shared directory as long as recently replicated system files are present.
TEM can be configured
using the "foreign domain" feature to take control of another domain as
long as the PDCs are still functioning properly in both domains.
Caveat: Since the PDC is
the only true Read/Write database of user accounts in an NT4 domain, a PDC
failure would prohibit all changes to User Account information in that
domain until 1) the PDC is back up and running or 2) a BDC is promoted to
PDC.
Scalability Questions
Can TEM be used to manage multiple domains at one time?
Organizations are
limited by Microsoft’s own Domain architecture when planning an adoption
of Windows NT4. Domains serve as distinct management boundaries, and
still do in Windows 2000 (even though OUs have been instituted one level
below domains).
Trusted Enterprise
Manager is one of the few products on the market that can manage multiple
NT4/2000 domains at once. This allows IT Management to simplify, extend,
report, plan and protect their entire enterprise from one console view.
Can TEM's administration span multiple master domains?
Certainly. TEM spans
any domain model as long as proper trusts or pass-through authentication
is in place. Users from the IT Domain can manage users in
Finance and Sales Domains. Because TEM spans multiple
domains, it actually gives more flexibility to design domain models
around business requirements.
Can the product generate alerts based on user-defined criteria (e.g. when a new Domain Admin has been added, a key group has been deleted, etc.)?
Not natively, but other
products (such as RoboMon from Avatier partner Heroix) can accomplish this by
responding to events posted by Trusted Enterprise Manager to the NT/2000
Event Viewer.
How are trusted domains identified to the product?
Domains are added to TEM
management during initial setup of TEM. To update this list after setup,
the TEMROBOT.INI can be edited to add or remove domains from TEM
management.
How does the product replicate account information across the network to BDCs?
TEM updates the SAM on
the PDC and then relies on NT's native replication to update the BDCs.
This is basically the case for Windows 2000 as well.
Is the product accessible across the network, or must each "administrator" have a client version on their desktop?
TEM Client can be
installed on a network share point using the Advanced/Clients/Network
Installation option. The TEM Client user must then run a mini-setup to
provide the proper TEM shortcut icons and any necessary Microsoft files.
How is the Group naming convention restricted, if at all?
Trusted Managers may
only copy existing global groups that they manage (if the [Cg] Copy
Global Group w/ Inherit or [Cf] Copy Global Group w/ Full Control
permission is assigned) in order to create new global groups. The group
prefix is configured by the TEM Enterprise Manager and it is applied to
all subsequent groups that a Trusted Manager creates from that source
group. The prefix can be up to 18 characters and always has a separator
character.
Platform Questions
Does TEM support non-Intel based machines?
Currently, TEM is only
available for Intel processor machines.
What components run on NT, 2000, Windows 9x?
The TEM services only
run on NT Server/Workstation 4.0 and all Windows 2000 versions. TEM
Client can run on NT 4.0, Windows 2000, or Windows 95/98/ME.