Moving from Physical AD/Data Server to Office365
-
-
@BRRABill said in Moving from Physical AD/Data Server to Office365:
Just
a) logging into our machines
b) network securityAD provides NO security. Not a thing.
-
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
You don't need AD to log into your machines. In fact, it only makes that harder.
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
So for logins, AD is considered to work against you, not for you, till you get another user or two. And just break even at that point.
-
@Obsolesce said in Moving from Physical AD/Data Server to Office365:
uses Office365 email and Office suite. Nothing more than that, at all. Only going by that, then sure, if you want to keep using
Personally, I'd ditch AD (the stuff you get from on-prem Windows Server - or colo'ed and likely VPN connected server) - you don't need it anymore.
If everyone is working from home, you don't even need to bother with people logging their machines themselves into AAD unless you want to manage those machines - then, might be worth while. Plus, but logging Windows10 into an AAD account, using O365 services all just go, no extra logons required.
Definitely push all personal files to ODfB, and shared to Sharepoint.
Now for the backup solution.
Yes, we know that AD does not provide security - But AD does provide the user list that other things like NTFS or share permissions do use. Of course those things aren't limited to only using AD for their user list, but it's the most common. -
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
-
Now, that said - in this situation I too would ditch AD, it's just extra you don't need.
Since you have O365, you can join the Win10 machines to ADD. then your users can log into their machines using their ADD accounts. You do get some level of control from the free version of ADD included in O365, but nothing like GPO on AD.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
Now, that said - in this situation I too would ditch AD, it's just extra you don't need.
Since you have O365, you can join the Win10 machines to ADD. then your users can log into their machines using their ADD accounts. You do get some level of control from the free version of ADD included in O365, but nothing like GPO on AD.
The one caveat that I don't think is resolved as of yet:
Local PC set up. User logs on first time with Azure AD. PC is Azure AD joined. User then has MFA. User can then log on and work without MFA prompts going forward.
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).Managing more than one or two PCs without AD/Group Policy is pure PITA. No peer-to-peer here. No way.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
FFS.. Why the fuck would there be 10 local users on each machine?
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
but it's the most common.
Which alone means you should question it heavily, because "most common" means "everyone who doesn't do a good job defaults to this". That doesn't make it wrong to use, but should mean that it is highly suspect and requires serious vetting to consider.
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
But they will be all working remote, not need to be tied to AD anymore.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
Nope, maintaining just one, like any normal person.
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Managing more than one or two PCs without AD/Group Policy is pure PITA. No peer-to-peer here. No way.
Totally untrue. First, AD and GP are not connected. You can use either without the other.
Second, neither is even all that good for management. They kinda work, but they are far from efficient. And especially in the modern people working from home work, they fall over like never before.
Even with hundreds of machines, we only consider these sometimes, because in many scenarios you can maintain hundreds of machines better, and more easily, without them.
Even Microsoft has never, ever recommended using them at such a small scale. Below about a dozen, they are just completely in your way pretty much no matter what you do. Above a dozen, even MS only considered them "one" option. A big one, but just one. The idea that there is any scale where they simply make sense all or even nearly all of the time is just fantasy land. They are crufty, complicated tools that depend on a really niche setup that was popular in the 1990s and is almost always existing today only to shoehorn in these antiquated technologies.
-
@dbeato said in Moving from Physical AD/Data Server to Office365:
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
But they will be all working remote, not need to be tied to AD anymore.
No reason before either, it turns out. Like most AD deployments, the reasons given for it were mistakes. From what we see in online discussions and as an MSP, the majority of AD deployments are done by mistake. Either because people believe that they are a requirement (it's common on to believe that NTFS and SMB are turned on by AD) or that it provides security or is effective for small scale user management. Some combination of the myths around it seem to drive most small deployments of it with people not understanding what they are actually deploying.
Of larger deployments, most existed so long ago that modern assessments have not been done.
-
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
-
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
That's reasonable, I do agree is a case by case basis which often than not is not super needed.
-
@JaredBusch said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
FFS.. Why the fuck would there be 10 local users on each machine?
I'll agree that in most - not just 50%, probably more than 95%, machines are frequently 1 to 1.
But I have a situation you clearly know about - it's 7 machines and 10 people over all of them. With a centralized auth setup, either, they all use one account, or I have 10 accounts on all 7 machines.
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Are you sure? Have you tried this?
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.
As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
Nope, maintaining just one, like any normal person.
really - what about the bolded part - multiple people logging into multiple machines? I totally agree if it's a one person to one computer situation, but I quoted you in the multi user to single machine situation.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
Why do you consider it weird? So you're totally on board the users having local admin rights and running as those admins while presumably not working from the office so they can dork up their machines?
We're talking about joe user here, not your company full of IT pros who can self manage their PCs.
Right now, with my users going home and working on their home computers, I'm having to solve little issues that I generally don't worry about because they dont' have a ton of crapware installed on their work computers like they do at home. Now, if it's a BYOD - that's a completely different story, and I'll agree that less administration on their device is desirable, but then you'd also likely put the onus of supporting those devices directly on the user.