Joining/Binding Macs to AD Domain - Should I Bother?



  • I have been working at this SMB for almost 6 years and never have added the Macs, of which there are currently only 5, to the AD domain. The users have their own local accounts and then use AD credentials to access shares on Windows servers. Side note: I have about 60 desktops and 35 laptops, all running Windows and on the domain.

    We are getting a new Mac Mini to replace a failed iMac and thought I should see what, aside from having the user login with AD creds, the benefit would be? I had done this back in 2008 when I was doing consulting for an MSP for a customer that was all Mac client based and it didn't seem to work well. Obviously there have been several version changes on both sides since then so I want to see if I should even bother.

    What does everyone think?



  • Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?



  • @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.



  • @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

    In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?



  • @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

    In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

    I was not aware of a security risk by joining them to the domain. How does it increase risk?

    I am trying to ascertain if there is something that is missing from them not being bound to AD. Are there ADMX templates for GPO?



  • The basic security risk is inherent in creating an opportunity for a single breach to affect multiple endpoints. A lone computer can only be compromised itself. An entire network can be compromised through the breaching of a single account (if it's the right account).



  • @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

    In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

    I was not aware of a security risk by joining them to the domain. How does it increase risk?

    It doesn't. If someone hacks your network, I doubt they would try to login to Macs through Active Directory. The paydirt is on servers and network storage anyway. Hackers aren't going to go after your marketing team's Macs.



  • @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

    In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

    I was not aware of a security risk by joining them to the domain. How does it increase risk?

    It doesn't. If someone hacks your network, I doubt they would try to login to Macs through Active Directory. The paydirt is on servers and network storage anyway. Hackers aren't going to go after your marketing team's Macs.

    Because they are Macs and not real business computers, I yield to your point.



  • @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

    Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

    That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

    In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

    I was not aware of a security risk by joining them to the domain. How does it increase risk?

    It doesn't. If someone hacks your network, I doubt they would try to login to Macs through Active Directory. The paydirt is on servers and network storage anyway. Hackers aren't going to go after your marketing team's Macs.

    Because they are Macs and not real business computers, I yield to your point.

    In theory you are right about mo devices mo problems. I just don't see the Macs as a particular threat.


  • Banned

    @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

    The basic security risk is inherent in creating an opportunity for a single breach to affect multiple endpoints. A lone computer can only be compromised itself. An entire network can be compromised through the breaching of a single account (if it's the right account).

    Only true to some degree. Computers inherently trust each other; even when not on a domain, they will always try pass-through authentication first. Actually requesting pass-through and getting NTLM or Kerberos tickets is one of the easiest ways into a network.


  • Banned

    We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files); they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me, but the Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.
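
As an added example, not code from the thread or from any poster: a small POSIX shell audit that reports the two properties described in the post above (disk encrypted with FileVault, and whether the machine is bound to AD) by parsing the output of Apple's `fdesetup status` and `dsconfigad -show`. The parsing is kept in functions that take the tool output as an argument, so it can be exercised on the constructed sample outputs below on any shell; on a real Mac it uses the live commands. The domain `corp.example.com` and computer account `mac-mini-01$` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Mac's posture for
# FileVault state and Active Directory binding. Assumes Apple's real
# `fdesetup` and `dsconfigad` CLIs; the sample outputs below are constructed.

# Return 0 if the given `fdesetup status` output says FileVault is on.
# fdesetup prints "FileVault is On." or "FileVault is Off."
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Print the AD domain named in `dsconfigad -show` output, or "none" if unbound.
# When bound, dsconfigad prints a line "Active Directory Domain = <domain>";
# when unbound it prints "You are not bound to Active Directory."
ad_domain() {
    domain=$(printf '%s\n' "$1" | sed -n 's/^ *Active Directory Domain *= *//p' | head -n 1)
    if [ -n "$domain" ]; then
        printf '%s\n' "$domain"
    else
        printf 'none\n'
    fi
}

# Summarise posture as one line: "UNBOUND|BOUND:<domain> FILEVAULT|NOFILEVAULT"
posture() {
    fv_out=$1
    ad_out=$2
    if filevault_on "$fv_out"; then fv=FILEVAULT; else fv=NOFILEVAULT; fi
    d=$(ad_domain "$ad_out")
    if [ "$d" = none ]; then b=UNBOUND; else b="BOUND:$d"; fi
    printf '%s %s\n' "$b" "$fv"
}

# Constructed sample outputs for a machine set up as in the post above:
# local accounts, encrypted, not bound to AD.
SAMPLE_FV='FileVault is On.'
SAMPLE_AD='You are not bound to Active Directory.'

# Constructed sample output for a bound machine (placeholder domain/host).
SAMPLE_AD_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-mini-01$'

# On a real Mac use the live tool output; elsewhere fall back to the samples.
if command -v fdesetup >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
    posture "$(fdesetup status)" "$(dsconfigad -show 2>/dev/null)"
else
    posture "$SAMPLE_FV" "$SAMPLE_AD"
fi
```

Run it as a local admin on each Mac; a result of `UNBOUND FILEVAULT` matches the configuration described in the post, while `NOFILEVAULT` on an unbound machine means the single-user-mode password reset the post mentions is not prevented.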



  • @Jason said in Joining/Binding Macs to AD Domain - Should I Bother?:

    We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files); they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me, but the Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.



  • @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?



  • @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?

    I am sure you can use a lot of browser based tools, but I am sure you would probably run into unsupported hiccups. You say "except price" like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

    Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.



  • @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?

    I am sure you can use a lot of browser based tools, but I am sure you would probably run into unsupported hiccups. You say "except price" like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

    Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

    I'm not sure if you are talking about the Mac software versus the Windows software - I was talking more about the hardware. Windows hardware that is on par (i.e. business class machine with similar specs) generally seem to be pretty close to the same cost as a Mac.

    I have no clue regarding software side of the house.



  • OK. Based on the replies, I will just keep it as is. One less project.



  • Install Windows over the OS and join the domain; for non-intensive or specific tasks, MacBooks make the best Windows machines.

    At least this is what we do for users that insist they must have them.



  • The point for these users is the Mac OS


  • Banned

    @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?

    It hasn't been true for years.. People just assume that still.


  • Banned

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?

    I am sure you can use a lot of browser based tools, but I am sure you would probably run into unsupported hiccups. You say "except price" like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

    Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

    Browser based? No professional audio or video editing app runs in the browser. Avid Pro Tools is the standard for music; for video it's Avid Media Composer and Adobe Premiere Pro. Final Cut Pro used to be a choice, but after the switch from 7 to X it was a consumer app. When there was Final Cut Pro and the integration with Logic Pro and SoundStage there was some argument for Macs; not anymore. Adobe used to run better on Mac, but now Mac OS X is such a bloated OS that it runs better on Windows. Font rendering used to be better than Windows; now it's the same.


  • Banned

    @Jason said in Joining/Binding Macs to AD Domain - Should I Bother?:

    We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files); they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me, but the Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.

    To be clear, our marketing department is not a graphic design, web design, video or audio editing team. They work on campaigns, corporate account pitches, etc. All the other stuff is outsourced.



  • @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    The point for these users is the Mac OS

    Is this business case or just the users want to have it?

    If there is no business case behind it why add the complexity of managing another OS?

    Now, to @Minion-Queen's point, if it isn't broke don't fix it; I agree with that stance, but when it comes time for a refresh I would be having the conversation.



  • Binding is not hard, if adding a new machine and AD is in place already, might make sense. No cost, not much effort.



  • @Jason said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

    @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

    It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know: all things being equal except price, is the Mac faster?

    I am sure you can use a lot of browser based tools, but I am sure you would probably run into unsupported hiccups. You say "except price" like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

    Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

    Browser based? No professional audio or video editing app runs in the browser. Avid Pro Tools is the standard for music; for video it's Avid Media Composer and Adobe Premiere Pro. Final Cut Pro used to be a choice, but after the switch from 7 to X it was a consumer app. When there was Final Cut Pro and the integration with Logic Pro and SoundStage there was some argument for Macs; not anymore. Adobe used to run better on Mac, but now Mac OS X is such a bloated OS that it runs better on Windows. Font rendering used to be better than Windows; now it's the same.

    I wasn't talking about audio or video editing here. I was talking about simple web based business apps that your company may be using.



  • These are the graphic designers and are Mac fanatics. I would have ditched them long ago if I could have.



  • @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

    These are the graphic designers and are Mac fanatics. I would have ditched them long ago if I could have.

    Yeah, who needs graphics designers anyway.

    Oh, did you mean the Macs?

