Solved Moving to Domain from Workgroup. How to be prepared ?
-
@dafyre said in Moving to Domain from Workgroup. How to be prepared ?:
I would suggest starting off with your fellow IT team members and moving them as guinea pigs. That way if there's any major problems they'll be able to accurately describe to you what is wrong, hopefully.
That's good idea, thanks.
-
@travisdh1 said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
IF the IT person needs an admin account (if they're only changing passwords, give them that specific right, not full admin). Then you want a standard user account for them to use, and a special admin account for each person who needs it. That way you're able to run audits, which are impossible with any shared account.
Got it.
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@travisdh1 said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
- Of course, I do not want to use main administrator account at client PCs while setting up applications, or any admin tasks, so what kind of account should I create (limited) ?
Every admin should have their own admin account that they use, not shared accounts.
Okay not shared accounts. Whether every IT person should have admin account with full rights ? isn't there any limited permission group for setting up applications etc. ?
IF the IT person needs an admin account (if they're only changing passwords, give them that specific right, not full admin). Then you want a standard user account for them to use, and a special admin account for each person who needs it. That way you're able to run audits, which are impossible with any shared account.
Got it.
The concept of "least privileges" - don't give people the power to do anything that they don't need to do.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
I'll expand on @travisdh1 posts.
Every IT admin should have two accounts. A local one to use day to day on their computer, and a domain admin one that is only used to log into server and run admin tools from their local workstations.
Example: dashrender and dashrender-admin
On my workstation (or any computer I log into) I log in as dashrender. When I need to install something, I'll be prompted (or right click the installer and choose run as admin) and type in my dashrender-admin user and password.
Yeah, that's how we are doing while we are in Workgroup with users too. All users have standard account and a separate local admin account, so if something needs to do setup etc. it will prompt for admin password.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
You didn't mention the client OS, except for that some have home versions. Depending on what OS that is, there are ways to move their profile from local to domain. There is also the Microsoft easy transfer wizard that will let you back up and copy profiles from one account to another. This does more than a simple copy of the my documents folder, etc, because it also backs up some of the registry keys that hold application settings.
All are Windows, with combination of 7/8/8.1/10.
Noted about easy transfer wizard, I will check it.
Definitely give this a try for users who have been on their computer for a while.
That said, using now as a way to cleanup profiles isn't a bad idea either. When possible I don't bring over anything more than is absolutely required (my docs, favorites, desktop icons) and then I reconfigure the rest (printers, app settings).
Yeah, maybe fresh profile I will try to go with, it may leave any bad things back in the profile which was effecting performance too.
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Mike-Davis said in Moving to Domain from Workgroup. How to be prepared ?:
How many computers total are you joining to the domain? You might want to have someone help you at the onset to line things up properly before you start joining computers. Or you can just start joining a few a week like you suggested and learn as you go. As long as your users are patient with you, that approach works too.
Around 100. Yeah, got few fellows to help and yes, I prefer to few people every week to make things easier.
But the issue will be with end-user, about Enabling Password (as few users do have password till now) and entering password every time pc got locked due to inactivity.
That's just a training thing. Not much to be done there. Your issue isn't moving to a domain, but moving from insecure to secure.
Moving to secure, that's right.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
I'll expand on @travisdh1 posts.
Every IT admin should have two accounts. A local one to use day to day on their computer, and a domain admin one that is only used to log into server and run admin tools from their local workstations.
Example: dashrender and dashrender-admin
On my workstation (or any computer I log into) I log in as dashrender. When I need to install something, I'll be prompted (or right click the installer and choose run as admin) and type in my dashrender-admin user and password.
I am bit confused here.
While now we are in Workgroup, IT admins will be having :
a. Local Standard account
b. Local Admin account -with access( and knows the password for all PCs Local Admin account)And End user while in Workgroup :
a. Local Standard account - with access
b. Local Admin account - with no access but only for IT.After we move to Domain, IT admins will be having:
a. Local Standard account -not in use(maybe better to remove at all ?)
b. Local Admin account
c. Standard Domain Account - In use
d. Separate Domain Admin AccountAnd End users after migrating to Domain:
a. Local Standard account - not in use (maybe better to remove at all after copying everything?)
b. Local Admin account - with no access
c. Standard Domain Account - In useam I correct ?
-
Boy, that seems like a long way to write it, but yeah.
Though I think I rather look at it like this:
Domain accounts: users - user level account IT Admins - user level account - admin level account Account on PC: Single local account with admin rights - only IT admins know the password. this account is for fall back purposes only
domain user accounts are automatically added to the local user group on all domain PCs, And the Domain Admin group is added to the local Administrators group.
-
If the usernames for the staff are going to be the same on the domain as they were when the PC was in a workgroup, then I advise that you delete the local profile before you log in as the user the first time.
If you don't do this, you'll end up with two folders in c:\users, username and username.001 or something like this. In the future it will be easy to become confused which folder is the active one.
-
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
-
Of course, after writing that - I wonder, do you really need a domain at all? What will you gain from having it?Would you be better offer using something like Atera RMM and NextCloud or O365 with Sharepoint/OneDrive for Business, etc?yeah nevermind, I was confusing threads.
-
You should really buy a block of 3-4 hours to talk with a consultant to help you map out and understand Active Directory. It would go a long way to save you and your company time and money down the road.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Of course, after writing that - I wonder, do you really need a domain at all? What will you gain from having it?
Would you be better offer using something like Atera RMM and NextCloud or O365 with Sharepoint/OneDrive for Business, etc?
I am assuming they have multiple IT admins which means they have a decent sized network. Could you manage a network that size without a domain, certainly. However managing workstations from a domain is much easier.
If you aren't familiar with group policy and scripting, I couldn't see how you could effectively manage a network like that. An experienced tech could manage a large workgroup using PDQ deploy and inventory just fine. Although there would be challenges such as standardizing IE settings, local GPO, etc. Some of these things are best managed through Active Directory.
Not to mention that workgroups suck from a security aspect. You pretty much have no choice, but to use standardized admin accounts and service accounts. All of which are security risk. Not to mention the fact that you can pretty much through auditing out the window for your users.
TLDR version. You can do it without AD, but you're gonna have a bad time and your business will lose money in the long run.
-
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
If the usernames for the staff are going to be the same on the domain as they were when the PC was in a workgroup, then I advise that you delete the local profile before you log in as the user the first time.
If you don't do this, you'll end up with two folders in c:\users, username and username.001 or something like this. In the future it will be easy to become confused which folder is the active one.
I understand, I will do the same way.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
Why I didn't upgraded all to Windows 10 ?
Yes, we upgraded so many computers to Wins 10. But mostly preferred to upgrade Windows 8/8.1. Not upgraded for all, because it was still 1 year old, cannot say how stable it is and don't want to do at that much quantity (100pcs). And some users are happy with Windows 7, better to not touch them if they are going fine.
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
Why I didn't upgraded all to Windows 10 ?
Yes, we upgraded so many computers to Wins 10. But mostly preferred to upgrade Windows 8/8.1. Not upgraded for all, because it was still 1 year old, cannot say how stable it is and don't want to do at that much quantity (100pcs). And some users are happy with Windows 7, better to not touch them if they are going fine.
That's a very bad was to think about software. Windows 10 is not "one year old", it is the update to Windows 8.1 which is the update to Windows 8 which is the update to Windows 7 which was the update to Windows Vista. Windows 10 is the most mature of that family. Windows 7 is the "one year old" release (but patched since then.) Windows 10 is the one with the most time of people testing the code because it is a decade old. You are actually doing the opposite of what you are thinking... you are staying on young "immature" code and avoiding the most stable, most tested code. And you are not trusting a vendor on whom you have decided to depend. That's a bad combination.
-
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
Why I didn't upgraded all to Windows 10 ?
Yes, we upgraded so many computers to Wins 10. But mostly preferred to upgrade Windows 8/8.1. Not upgraded for all, because it was still 1 year old, cannot say how stable it is and don't want to do at that much quantity (100pcs). And some users are happy with Windows 7, better to not touch them if they are going fine.
I don't work for the users, I work for my company. The best thing for your company is for all computers to be on the same version as much as possible. This reduces costs and complexities.
Oh and all those things Scott said that I haven't read yet
-
@scottalanmiller said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
Why I didn't upgraded all to Windows 10 ?
Yes, we upgraded so many computers to Wins 10. But mostly preferred to upgrade Windows 8/8.1. Not upgraded for all, because it was still 1 year old, cannot say how stable it is and don't want to do at that much quantity (100pcs). And some users are happy with Windows 7, better to not touch them if they are going fine.
That's a very bad was to think about software. Windows 10 is not "one year old", it is the update to Windows 8.1 which is the update to Windows 8 which is the update to Windows 7 which was the update to Windows Vista. Windows 10 is the most mature of that family. Windows 7 is the "one year old" release (but patched since then.) Windows 10 is the one with the most time of people testing the code because it is a decade old. You are actually doing the opposite of what you are thinking... you are staying on young "immature" code and avoiding the most stable, most tested code. And you are not trusting a vendor on whom you have decided to depend. That's a bad combination.
I see, so I was wrong at this point
That's benefit of being active in community , learning things
Anyway, still I have chances I think, I seen somewhere to upgrade still to Windows 10 for free and second option is, we need to get Pro versions for some Home Editions, so I will get Windows 10 Pro.
-
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
@openit said in Moving to Domain from Workgroup. How to be prepared ?:
@Dashrender said in Moving to Domain from Workgroup. How to be prepared ?:
Heck, considering that - I have what I consider a better situation, though I'm sure others will disagree with me.
Since you're making some pretty big changes, now might be a good time to rebuild all of these computers. If you you can move them all to the same OS.
Not sure you're aware, but all of the machines you listed (7/8/8.1/10) qualify to be on Windows 10. Any reason they weren't upgraded during the free upgrade window?Personally, I'd take an image of each system using Clonezilla, and upgrade them to Windows 10. Assuming the machines are granted a free upgrade to Windows 10, then I would purchase one Windows 10 Open License granting you imaging rights, purchase the needed upgrades for your home licensed computers bringing them legally to Windows 10 Pro, then create and deploy a Windows 10 image.
I skipped a lot of steps here, ask if you want, need more details.
Why I didn't upgraded all to Windows 10 ?
Yes, we upgraded so many computers to Wins 10. But mostly preferred to upgrade Windows 8/8.1. Not upgraded for all, because it was still 1 year old, cannot say how stable it is and don't want to do at that much quantity (100pcs). And some users are happy with Windows 7, better to not touch them if they are going fine.
I don't work for the users, I work for my company. The best thing for your company is for all computers to be on the same version as much as possible. This reduces costs and complexities.
Oh and all those things Scott said that I haven't read yet
I understand about stability etc. as mentioned by Scott, but didn't understand how having same versions is useful ? how reduces costs and complexities ?