Moving to Domain from Workgroup. How to be prepared ?
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- I do not have hands-on experience with Domain network, and I learned AD things more than 3 years ago, so not much good at anything related to AD DC and GPOs. Any advise here ?
Start just with AD authentication, keep it simple. No need to use GP until you are ready. When you are, do it just a little at a time.
Okay, noted.
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
-
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
How many computers total are you joining to the domain? You might want to have someone help you at the onset to line things up properly before you start joining computers. Or you can just start joining a few a week like you suggested and learn as you go. As long as your users are patient with you, that approach works too.
Around 100. Yeah, got few fellows to help and yes, I prefer to few people every week to make things easier.
But the issue will be with end-user, about Enabling Password (as few users do have password till now) and entering password every time pc got locked due to inactivity.
-
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
You didn't mention the client OS, except for that some have home versions. Depending on what OS that is, there are ways to move their profile from local to domain. There is also the Microsoft easy transfer wizard that will let you back up and copy profiles from one account to another. This does more than a simple copy of the my documents folder, etc, because it also backs up some of the registry keys that hold application settings.
All are Windows, with combination of 7/8/8.1/10.
Noted about easy transfer wizard, I will check it.
-
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
Most of your applications will be just fine. I have only had problems with a few applications that had some issues with permissions on registry keys, but that was probably like 1 out of 200 apps.
Okay, hope to move fine.
-
I would suggest starting off with your fellow IT team members and moving them as guinea pigs. That way if there's any major problems they'll be able to accurately describe to you what is wrong, hopefully.
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
IF the IT person needs an admin account (if they're only changing passwords, give them that specific right, not full admin). Then you want a standard user account for them to use, and a special admin account for each person who needs it. That way you're able to run audits, which are impossible with any shared account.
-
I'll expand on @travisdh1 posts.
Every IT admin should have two accounts. A local one to use day to day on their computer, and a domain admin one that is only used to log into server and run admin tools from their local workstations.
Example: dashrender and dashrender-admin
On my workstation (or any computer I log into) I log in as dashrender. When I need to install something, I'll be prompted (or right click the installer and choose run as admin) and type in my dashrender-admin user and password.
-
It goes to reason that all of your users are running as local admins on their workstations today. This is something you should move away from ASAP. When you join their computer to the domain and move the user to using their new domain account, make sure they are not local admins (they shouldn't be by default).
If you run into a situation where a user requires local administrator rights, DO NOT give them domain administrator rights in their user profile on the domain - instead give them local admin rights by adding them to the local admin group on their PC only. But you should only do this as a last resort if you can't solve their need for local admin rights in some other way (like giving write permissions to the specific program folder under c:\program files, etc).
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
You didn't mention the client OS, except for that some have home versions. Depending on what OS that is, there are ways to move their profile from local to domain. There is also the Microsoft easy transfer wizard that will let you back up and copy profiles from one account to another. This does more than a simple copy of the my documents folder, etc, because it also backs up some of the registry keys that hold application settings.
All are Windows, with combination of 7/8/8.1/10.
Noted about easy transfer wizard, I will check it.
Definitely give this a try for users who have been on their computer for a while.
That said, using now as a way to cleanup profiles isn't a bad idea either. When possible I don't bring over anything more than is absolutely required (my docs, favorites, desktop icons) and then I reconfigure the rest (printers, app settings).
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
How many computers total are you joining to the domain? You might want to have someone help you at the onset to line things up properly before you start joining computers. Or you can just start joining a few a week like you suggested and learn as you go. As long as your users are patient with you, that approach works too.
Around 100. Yeah, got few fellows to help and yes, I prefer to few people every week to make things easier.
But the issue will be with end-user, about Enabling Password (as few users do have password till now) and entering password every time pc got locked due to inactivity.
That's just a training thing. Not much to be done there. Your issue isn't moving to a domain, but moving from insecure to secure.
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
How many computers total are you joining to the domain? You might want to have someone help you at the onset to line things up properly before you start joining computers. Or you can just start joining a few a week like you suggested and learn as you go. As long as your users are patient with you, that approach works too.
Around 100. Yeah, got few fellows to help and yes, I prefer to few people every week to make things easier.
But the issue will be with end-user, about Enabling Password (as few users do have password till now) and entering password every time pc got locked due to inactivity.
That's just a training thing. Not much to be done there. Your issue isn't moving to a domain, but moving from insecure to secure.
I don't think the default is to require a logon when the screen saver kicks in or when you wake the machine from sleep mode. Unless you set this on Pre Windows 10, they shouldn't see a logon unless they cause it to lock.
-
@dafyre said in Moving to Domain from Workgroup. How to be prepared ?:
I would suggest starting off with your fellow IT team members and moving them as guinea pigs. That way if there's any major problems they'll be able to accurately describe to you what is wrong, hopefully.
That's good idea, thanks.
-
@travisdh1 said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
IF the IT person needs an admin account (if they're only changing passwords, give them that specific right, not full admin). Then you want a standard user account for them to use, and a special admin account for each person who needs it. That way you're able to run audits, which are impossible with any shared account.
Got it.
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@travisdh1 said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
IF the IT person needs an admin account (if they're only changing passwords, give them that specific right, not full admin). Then you want a standard user account for them to use, and a special admin account for each person who needs it. That way you're able to run audits, which are impossible with any shared account.
Got it.
The concept of "least privileges" - don't give people the power to do anything that they don't need to do.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
I'll expand on @travisdh1 posts.
Every IT admin should have two accounts. A local one to use day to day on their computer, and a domain admin one that is only used to log into server and run admin tools from their local workstations.
Example: dashrender and dashrender-admin
On my workstation (or any computer I log into) I log in as dashrender. When I need to install something, I'll be prompted (or right click the installer and choose run as admin) and type in my dashrender-admin user and password.
Yeah, that's how we are doing while we are in Workgroup with users too. All users have standard account and a separate local admin account, so if something needs to do setup etc. it will prompt for admin password.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
You didn't mention the client OS, except for that some have home versions. Depending on what OS that is, there are ways to move their profile from local to domain. There is also the Microsoft easy transfer wizard that will let you back up and copy profiles from one account to another. This does more than a simple copy of the my documents folder, etc, because it also backs up some of the registry keys that hold application settings.
All are Windows, with combination of 7/8/8.1/10.
Noted about easy transfer wizard, I will check it.
Definitely give this a try for users who have been on their computer for a while.
That said, using now as a way to cleanup profiles isn't a bad idea either. When possible I don't bring over anything more than is absolutely required (my docs, favorites, desktop icons) and then I reconfigure the rest (printers, app settings).
Yeah, maybe fresh profile I will try to go with, it may leave any bad things back in the profile which was effecting performance too.
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
How many computers total are you joining to the domain? You might want to have someone help you at the onset to line things up properly before you start joining computers. Or you can just start joining a few a week like you suggested and learn as you go. As long as your users are patient with you, that approach works too.
Around 100. Yeah, got few fellows to help and yes, I prefer to few people every week to make things easier.
But the issue will be with end-user, about Enabling Password (as few users do have password till now) and entering password every time pc got locked due to inactivity.
That's just a training thing. Not much to be done there. Your issue isn't moving to a domain, but moving from insecure to secure.
Moving to secure, that's right.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
I'll expand on @travisdh1 posts.
Every IT admin should have two accounts. A local one to use day to day on their computer, and a domain admin one that is only used to log into server and run admin tools from their local workstations.
Example: dashrender and dashrender-admin
On my workstation (or any computer I log into) I log in as dashrender. When I need to install something, I'll be prompted (or right click the installer and choose run as admin) and type in my dashrender-admin user and password.
I am bit confused here.
While now we are in Workgroup, IT admins will be having :
a. Local Standard account
b. Local Admin account -with access( and knows the password for all PCs Local Admin account)And End user while in Workgroup :
a. Local Standard account - with access
b. Local Admin account - with no access but only for IT.After we move to Domain, IT admins will be having:
a. Local Standard account -not in use(maybe better to remove at all ?)
b. Local Admin account
c. Standard Domain Account - In use
d. Separate Domain Admin AccountAnd End users after migrating to Domain:
a. Local Standard account - not in use (maybe better to remove at all after copying everything?)
b. Local Admin account - with no access
c. Standard Domain Account - In useam I correct ?
-
Boy, that seems like a long way to write it, but yeah.
Though I think I rather look at it like this:
Domain accounts: users - user level account IT Admins - user level account - admin level account Account on PC: Single local account with admin rights - only IT admins know the password. this account is for fall back purposes onlydomain user accounts are automatically added to the local user group on all domain PCs, And the Domain Admin group is added to the local Administrators group.
