Solved Is not bringing PCs in Domain is a sin?
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@DustinB3403 said in Is not bringing PCs in Domain is a sin?:
Managing more than 10 or so individually is vastly more time consuming than using GPO from a DC to manage the workstations.
Individually is hard, yes. But GPO isn't the only alternative, not even the only MS alternative. AD + GPO is just one of many "group management" options for Windows desktops. A common one, even a good one, but just one of many.
Considering this is a post asking if having AD or not - I'm surprised you didn't list any alternatives...
-
@openit said in Is not bringing PCs in Domain is a sin?:
We have Windows Server 2012, AD installed and using for File Server, now slowly we have some 75 computers, and very few Home editions.
At 75 machines, assuming all Windows, AD is a pretty obvious choice. Not the only, but if that's all on one LAN it's a pretty good way to go in nearly all cases.
AD itself doesn't provide file sharing, though. You can do that in a number of ways. People often associate SMB file sharing with AD because of the simple integration, but they are unrelated services.
-
@flaxking said in Is not bringing PCs in Domain is a sin?:
@JaredBusch said in Is not bringing PCs in Domain is a sin?:
@dbeato said in Is not bringing PCs in Domain is a sin?:
@coliver Yup, and it is all based on registry settings so it shouldn't be dependent on Microsoft only.
Umm... Microsoft is the only system with a "registry"
Other operating systems have other means of doing things.
I think @dbeato means that GPOs mostly just configure registry settings, so Group Policy is not required for managing Windows systems.
Well, that's certainly true, GPO is not required for managing Windows systems, but it's a pretty good one, at least in my eye.
Though for centrally managing Windows clients - I'd love to see what other people are using, and the associated costs?
I know Intune can do it - but that's very spendy.
Salt stack will get there some day
Salt in general can probably do it - but requires a lot on the administrators side to know how to create (are they called playbooks?) and the specifics of registry entries to create those playbooks.
Local PowerShell with list of PCs and local admin username/passwords (assuming no centralized password setup)
-
@DustinB3403 said in Is not bringing PCs in Domain is a sin?:
He could also set up a domain controller (it's not AD) on Fedora at no cost and centralize the user administration. Won't help with GPO, but could limit some of the issues I imagine he's having with 75 workstation systems.
That's a great option. But it is very worth noting that it is AD, it's just not Microsoft AD. It's AD from Samba. But it's full AD. It does GPO as well, even though GPO isn't part of AD. The Samba solution implements GPO as well. It's actually all handled by SMB.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
@DustinB3403 said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Also, to save significantly on licensing, you could ditch the Windows Server and install a Fedora Server with an SMB share. To the Windows machines it would look identical. Heck you could set up AD using all Fedora on the server side removing all server side licensing and still having AD - you can even use the Windows AD tools in most cases. (FYI - DHCP/DNS are not AD tools, so you'd have to use the Linux tools for that assuming you ran those from the Fedora box)
He could also set up a domain controller (it's not AD) on Fedora at no cost and centralize the user administration. Won't help with GPO, but could limit some of the issues I imagine he's having with 75 workstation systems.
It simulates AD's functions - and as I understand it - it does provide GPO, because GPOs are just a folder structure that Windows Pro/Enterprise machines pull off DCs and apply locally. So as long as Fedora's implementation of a domain controller creates the needed folders in SMB file shares, then the workstations should pull that data just fine.
That's correct. It's full AD, not a simulation. And GPO, being just an SMB share structure, it does that natively as well. It actually did GPO decades before it did AD.
The AD portion doesn't need to do it, though. You can do it by hand.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Huh? Does anything other than MS Products use registry settings? Or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Huh? Does anything other than MS Products use registry settings? Or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Huh? Does anything other than MS Products use registry settings? Or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
Why? He was talking about GPO, and GPO manages registry settings on Windows. What about his statement made you ask about other OSes?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Salt stack will get there some day
Salt in general can probably do it - but requires a lot on the administrators side to know how to create (are they called playbooks?) and the specifics of registry entries to create those playbooks.
One can say the same thing about GPO. GPO isn't trivial, you just already learned it. And it's ridiculously hard to manage. Salt isn't any harder, it's actually probably a bit easier.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Salt stack will get there some day
Salt in general can probably do it - but requires a lot on the administrators side to know how to create (are they called playbooks?) and the specifics of registry entries to create those playbooks.
One can say the same thing about GPO. GPO isn't trivial, you just already learned it. And it's ridiculously hard to manage. Salt isn't any harder, it's actually probably a bit easier.
Really? Is there a GUI that walks you through all of the options with full explanations on those options? Perhaps there are - but what I saw was that you had to hand write everything for Salt, look up everything - know the reg keys to reference, etc. Not true?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Huh? Does anything other than MS Products use registry settings? Or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
It was certainly a weird comment and I apologize. I was meaning to say Windows Devices.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Is there a GUI that walks you through all of the options with full explanations on those options?
You ask this as if the GPO GUI makes this easy. It doesn't.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Perhaps there are - but what I saw was that you had to hand write everything for Salt, look up everything - know the reg keys to reference, etc. Not true?
Right. Which is REALLY easy. Easier than the GPO GUI for a lot of people. Certainly for me. GPO is easy for some tasks, and really hard for others. The GUI makes it unnecessarily hard. Sure you can do it without the GUI, but that's not easy like Salt.
You are associating GUI with easy and text with hard, which is simply not the case at all.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Perhaps there are - but what I saw was that you had to hand write everything for Salt, look up everything - know the reg keys to reference, etc. Not true?
Right. Which is REALLY easy. Easier than the GPO GUI for a lot of people. Certainly for me. GPO is easy for some tasks, and really hard for others. The GUI makes it unnecessarily hard. Sure you can do it without the GUI, but that's not easy like Salt.
You are associating GUI with easy and text with hard, which is simply not the case at all.
I guess we are just on opposite sides of this. I do consider the GUI to make using GPOs easy... you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
I do consider the GUI to make using GPOs easy...
Except it doesn't make it easy. The GUI is necessary to make GPOs "not as hard". That's not the same.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
-
@Obsolesce said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
-
@JasGot said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
Yes, but the point isn't that it can be done well, the point is that it's most often NOT done well, therefore causing a lot of work for people coming in after the fact.
There's always a correct/best and efficient way to do things. But with Microsoft tech, it's too easy to do it badly and incorrectly due to ignorance, so that's often the case.