    Shrinking many domains to few or one

    IT Discussion
    28 Posts 4 Posters 1.7k Views
    • DashrenderD
      Dashrender @coliver
      last edited by

      @coliver said in Shrinking many domains to few or one:

      @dashrender said in Shrinking many domains to few or one:

      @coliver said in Shrinking many domains to few or one:

      Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

      Municipalities are free? That seems weird.

      Not free but there is a slight discount. Looks like 15%.

      Well - Wired I'm sure isn't in a position to push for this move. Also, this only solves the email problem, not any of the others. And really - I'm not sure it actually solves the problem, assuming they want to keep ADSync in place to sync local AD with O365 for email accounts (they aren't syncing email accounts with user accounts now, so perhaps that's not a real issue).

      coliverC 1 Reply Last reply Reply Quote 0
      • coliverC
        coliver @Dashrender
        last edited by

        @dashrender said in Shrinking many domains to few or one:

        @coliver said in Shrinking many domains to few or one:

        @dashrender said in Shrinking many domains to few or one:

        @coliver said in Shrinking many domains to few or one:

        Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

        Municipalities are free? That seems weird.

        Not free but there is a slight discount. Looks like 15%.

        Well - Wired I'm sure isn't in a position to push for this move. Also, this only solves the email problem, not any of the others. And really - I'm not sure it actually solves the problem, assuming they want to keep ADSync in place to sync local AD with O365 for email accounts (they aren't syncing email accounts with user accounts now, so perhaps that's not a real issue).

        It pushes the email piece off domain and makes it easier to deal with issues that come up... especially if you don't have to worry about the Exchange gorilla sitting in the corner waiting to fail.

        In reality, why not leave the email domain alone for now and start moving users and machines over to ad.city.gov? That makes it much less complex if you can move the users over first, then follow through with email when the initial move is done.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @coliver
          last edited by

          @coliver said in Shrinking many domains to few or one:

          In reality, why not leave the email domain alone for now and start moving users and machines over to ad.city.gov? That makes it much less complex if you can move the users over first, then follow through with email when the initial move is done.

          Good point - and the purpose of this thread.

          1 Reply Last reply Reply Quote 0
          • coliverC
            coliver
            last edited by coliver

            How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

            DashrenderD wirestyle22W 2 Replies Last reply Reply Quote 1
            • wirestyle22W
              wirestyle22 @JaredBusch
              last edited by

              @jaredbusch said in Shrinking many domains to few or one:

              And @wirestyle22 cannot post his own topics why?

              I did post a topic about this already. We just had a private conversation and he wanted you guys to challenge his own ideas.

              1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @coliver
                last edited by

                @coliver said in Shrinking many domains to few or one:

                How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

                So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

                Wired seemed to indicate to me that it's mostly folders that are set with users, not files. If a report can be run that shows the general cross over, and if they follow things like departments, they can make fewer groups when adding those permissions back to the file server.

                coliverC 1 Reply Last reply Reply Quote 0
                • wirestyle22W
                  wirestyle22 @coliver
                  last edited by

                  @coliver said in Shrinking many domains to few or one:

                  @dashrender said in Shrinking many domains to few or one:

                  @coliver said in Shrinking many domains to few or one:

                  Why not move Exchange off to Office365? It's free/inexpensive for specific use cases and this city may fall into that use case here.

                  Municipalities are free? That seems weird.

                  Not free but there is a slight discount. Looks like 15%.

                  We priced it out and didn't end up receiving any discounts via Microsoft. It took them 1.3 years to approve a switch refresh just to give you an idea of what we are dealing with and how slow moving they are here.

                  1 Reply Last reply Reply Quote 0
                  • wirestyle22W
                    wirestyle22 @coliver
                    last edited by wirestyle22

                    @coliver said in Shrinking many domains to few or one:

                    How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

                    We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

                    coliverC 1 Reply Last reply Reply Quote 0
                    • coliverC
                      coliver @Dashrender
                      last edited by

                      @dashrender said in Shrinking many domains to few or one:

                      So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

                      That's not what I'm suggesting. Not sure how you got that from what I'm saying.

                      You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

                      If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

                      DashrenderD 1 Reply Last reply Reply Quote 0
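
Added example (not part of the original posts): one way to run the overlap analysis suggested above, assuming the permissions audit can export explicit folder ACEs as CSV. The column names, the CITY\ accounts, the folder names under \\ad.city.gov and the ACL_ naming convention are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per explicit folder ACE. The column
# names and the CITY\ accounts are assumptions, not output of a real tool.
SAMPLE_ACE_CSV = r"""folder,identity,identity_type,rights
\\ad.city.gov\Finance,CITY\alice,user,Modify
\\ad.city.gov\Finance,CITY\bob,user,Modify
\\ad.city.gov\Finance\Budgets,CITY\Alice,user,Modify
\\ad.city.gov\Finance\Budgets,CITY\bob,user,Modify
\\ad.city.gov\Finance\Payroll,CITY\alice,user,Modify
\\ad.city.gov\Clerk,CITY\carol,user,Modify
\\ad.city.gov\Clerk,CITY\dave,user,Modify
\\ad.city.gov\Clerk,CITY\Domain Admins,group,FullControl
\\ad.city.gov\Clerk\Minutes,CITY\carol,user,ReadAndExecute
\\ad.city.gov\Clerk\Minutes,CITY\dave,user,ReadAndExecute
"""


def load_direct_user_grants(csv_text):
    """Return {(folder, rights): set(users)} for ACEs granted straight to users."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["identity_type"].strip().lower() != "user":
            continue  # ACE already targets a group; nothing to convert
        # Windows account names are case-insensitive, so normalise them.
        user = row["identity"].strip().lower()
        grants[(row["folder"].strip(), row["rights"].strip())].add(user)
    return grants


def propose_groups(grants):
    """Merge every grant that shares the same member set into one group."""
    by_members = defaultdict(list)
    for grant, users in grants.items():
        by_members[frozenset(users)].append(grant)

    proposals, seen = [], {}
    for members, member_grants in by_members.items():
        member_grants.sort()  # parent folder sorts before its subfolders
        folder, _ = member_grants[0]
        # Hypothetical naming convention: ACL_<path below the namespace root>,
        # so the group name says where in the structure it applies.
        parts = [p for p in folder.split("\\") if p][1:]
        name = "ACL_" + "_".join(parts)
        seen[name] = seen.get(name, 0) + 1
        if seen[name] > 1:  # two member sets anchored on the same folder
            name += f"_{seen[name]}"
        proposals.append({
            "name": name,
            "members": sorted(members),
            "grants": member_grants,
        })
    # Largest (departmental) groups first, single-user exceptions last.
    proposals.sort(key=lambda g: (-len(g["members"]), g["name"]))
    return proposals


if __name__ == "__main__":
    grants = load_direct_user_grants(SAMPLE_ACE_CSV)
    direct = sum(len(users) for users in grants.values())
    groups = propose_groups(grants)
    print(f"{direct} direct user ACEs collapse into {len(groups)} groups")
    for g in groups:
        print(g["name"], g["members"])
        for folder, rights in g["grants"]:
            print("   ", rights, folder)
```

Users who share every grant land in one departmental group, and an access that only one user holds becomes its own single-member group named after the folder it covers.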
                      • coliverC
                        coliver @wirestyle22
                        last edited by

                        @wirestyle22 said in Shrinking many domains to few or one:

                        @coliver said in Shrinking many domains to few or one:

                        How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

                        We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

                        That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.

                        wirestyle22W 1 Reply Last reply Reply Quote 1
                        • wirestyle22W
                          wirestyle22 @coliver
                          last edited by

                          @coliver said in Shrinking many domains to few or one:

                          @wirestyle22 said in Shrinking many domains to few or one:

                          @coliver said in Shrinking many domains to few or one:

                          How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

                          We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

                          That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.

                          It would be more than that, but definitely less than it seems.

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @coliver
                            last edited by

                            @coliver said in Shrinking many domains to few or one:

                            @dashrender said in Shrinking many domains to few or one:

                            So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

                            That's not what I'm suggesting. Not sure how you got that from what I'm saying.

                            You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

                            If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

                            I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

                            If this is not what you're suggesting, then I'm still not getting it.

                            If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move to something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.

                            coliverC 1 Reply Last reply Reply Quote 0
                            • JaredBuschJ
                              JaredBusch
                              last edited by

                              Buy a Netwrix license and move on.

                              coliverC wirestyle22W 2 Replies Last reply Reply Quote 0
                              • coliverC
                                coliver @Dashrender
                                last edited by coliver

                                @dashrender said in Shrinking many domains to few or one:

                                @coliver said in Shrinking many domains to few or one:

                                @dashrender said in Shrinking many domains to few or one:

                                So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

                                That's not what I'm suggesting. Not sure how you got that from what I'm saying.

                                You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

                                If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

                                I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

                                If this is not what you're suggesting, then I'm still not getting it.

                                If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move to something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.

                                That's exactly what I'm referring to... not sure how it would be disruptive to workflows? It's a new share in a new location; literally nothing else changes. The files stay exactly the same. Even the structure, for the most part, could stay exactly the same. They need this file, well it's now located here. Set up DFS and you could even do \\ad.city.gov\folder. So much easier than remembering an individual server and path.

                                As for the NextCloud design. That's a fantastic idea but you'd really have to redevelop workflows around that process. I'm not opposed to it but it seems like @wirestyle22 already has a slow moving organization and a change like that would be a straight up revolt.

                                wirestyle22W 1 Reply Last reply Reply Quote 0
                                • coliverC
                                  coliver @JaredBusch
                                  last edited by

                                  @jaredbusch said in Shrinking many domains to few or one:

                                  Buy a Netwrix license and move on.

                                  This is a great idea. Netwrix Auditor could do a lot toward figuring out who has what permissions where and you could do some reporting based on overlap... etc...

                                  1 Reply Last reply Reply Quote 0
                                  • wirestyle22W
                                    wirestyle22 @JaredBusch
                                    last edited by wirestyle22

                                    @jaredbusch said in Shrinking many domains to few or one:

                                    Buy a Netwrix license and move on.

                                    This was one of the first things I said to @Dashrender today. It will happen regardless of what direction we go in.

                                    1 Reply Last reply Reply Quote 0
                                    • wirestyle22W
                                      wirestyle22 @coliver
                                      last edited by wirestyle22

                                      @coliver Next cloud is such a sore subject for me. Why they won't do it:

                                      They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an A record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                                      It's actually infuriating

                                      coliverC 1 Reply Last reply Reply Quote 0
                                      • coliverC
                                        coliver @wirestyle22
                                        last edited by

                                        @wirestyle22 said in Shrinking many domains to few or one:

                                        @coliver Next cloud is such a sore subject for me. Why they won't do it:

                                        They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an A record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                                        It's actually infuriating

                                        That's fine, you've presented it to them and they've declined. So move on.

                                        wirestyle22W 1 Reply Last reply Reply Quote 1
                                        • wirestyle22W
                                          wirestyle22 @coliver
                                          last edited by

                                          @coliver said in Shrinking many domains to few or one:

                                          @wirestyle22 said in Shrinking many domains to few or one:

                                          @coliver Next cloud is such a sore subject for me. Why they won't do it:

                                          They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an A record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                                          It's actually infuriating

                                          That's fine, you've presented it to them and they've declined. So move on.

                                          Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

                                          /rant

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • wirestyle22W
                                            wirestyle22
                                            last edited by

                                            It's especially annoying because I see $1300-$2000 curved wide screen monitors on their desks. Never knew how right @scottalanmiller was about local government before I worked here.

                                            1 Reply Last reply Reply Quote 1