Moving from Physical AD/Data Server to Office365
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
But they will be all working remote, not need to be tied to AD anymore.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
Nope, maintaining just one, like any normal person.
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Managing more than one or two PCs without AD/Group Policy is pure PITA. No peer-to-peer here. No way.
Totally untrue. First, AD and GP are not connected. You can use either without the other.
Second, neither is even all that good for management. They kinda work, but they are far from efficient. And especially in the modern people working from home work, they fall over like never before.
Even with hundreds of machines, we only consider these sometimes, because in many scenarios you can maintain hundreds of machines better, and more easily, without them.
Even Microsoft has never, ever recommended using them at such a small scale. Below about a dozen, they are just completely in your way pretty much no matter what you do. Above a dozen, even MS only considered them "one" option. A big one, but just one. The idea that there is any scale where they simply make sense all or even nearly all of the time is just fantasy land. They are crufty, complicated tools that depend on a really niche setup that was popular in the 1990s and is almost always existing today only to shoehorn in these antiquated technologies.
-
@dbeato said in Moving from Physical AD/Data Server to Office365:
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
But they will be all working remote, not need to be tied to AD anymore.
No reason before either, it turns out. Like most AD deployments, the reasons given for it were mistakes. From what we see in online discussions and as an MSP, the majority of AD deployments are done by mistake. Either because people believe that they are a requirement (it's common on to believe that NTFS and SMB are turned on by AD) or that it provides security or is effective for small scale user management. Some combination of the myths around it seem to drive most small deployments of it with people not understanding what they are actually deploying.
Of larger deployments, most existed so long ago that modern assessments have not been done.
-
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
-
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
That's reasonable, I do agree is a case by case basis which often than not is not super needed.
-
@JaredBusch said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
FFS.. Why the fuck would there be 10 local users on each machine?
I'll agree that in most - not just 50%, probably more than 95%, machines are frequently 1 to 1.
But I have a situation you clearly know about - it's 7 machines and 10 people over all of them. With a centralized auth setup, either, they all use one account, or I have 10 accounts on all 7 machines.
-
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Are you sure? Have you tried this?
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.
As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
Nope, maintaining just one, like any normal person.
really - what about the bolded part - multiple people logging into multiple machines? I totally agree if it's a one person to one computer situation, but I quoted you in the multi user to single machine situation.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@dbeato said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller But you gotta provide the option of an RMM Or agent correct? Because yes you can do scripting but you still need something to deliver it and not doing it manually. While GP can be used without AD, I would say that using GPOs manually is way more PITA than GPO on an AD. That is a discussion for another topic.
Yes, but there are a plethora of options. The question isn't "what's the right approach", the question is "do I need to do this one approach."
And at this skill, generally the best option is "do nothing". The idea that we need this kind of management at all on this scale is weird. There are cases, yes, but it is not the norm.
Why do you consider it weird? So you're totally on board the users having local admin rights and running as those admins while presumably not working from the office so they can dork up their machines?
We're talking about joe user here, not your company full of IT pros who can self manage their PCs.
Right now, with my users going home and working on their home computers, I'm having to solve little issues that I generally don't worry about because they dont' have a ton of crapware installed on their work computers like they do at home. Now, if it's a BYOD - that's a completely different story, and I'll agree that less administration on their device is desirable, but then you'd also likely put the onus of supporting those devices directly on the user.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
Why do you consider it weird?
Because it doesn't generally meet a business need. Doing extra work, taking on extra risk, without a business need is downright "weird."
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
So you're totally on board the users having local admin rights and running as those admins while presumably not working from the office so they can dork up their machines?
Whoa. How the hell did you go from the topic at hand to this? What in the world does this have to do with what we were discussing? Nothing whatsoever.
This kind of nonsense is exactly what I mean when I say it's weird and people deploy AD without understanding it. That this is your idea of what "non-AD" looks like means you can't know what AD is or this could never have been mentioned. If you think you are avoiding this because of AD, that's AD used by accident.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
We're talking about joe user here, not your company full of IT pros who can self manage their PCs.
WE are talking about this. No one knows what you are talking about.
AD has nothing to lead us here, that you are mentioning this tells us you are talking about something unrelated.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
Right now, with my users going home and working on their home computers, I'm having to solve little issues that I generally don't worry about because they dont' have a ton of crapware installed on their work computers like they do at home. Now, if it's a BYOD - that's a completely different story, and I'll agree that less administration on their device is desirable, but then you'd also likely put the onus of supporting those devices directly on the user.
Sure, but AD has nothing to do with that. AD doesn't easily work when you send people home, so this is a perfect example of "to get what you want" you'd do best to "not do what you are doing."
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Are you sure? Have you tried this?
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.
As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.
Yeah, that he is right. If you join to AAD Join first you cannot join AD after that. So if they need both I do the hybrid join on some customers (big ones)
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual
-
@dbeato said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@PhlipElder said in Moving from Physical AD/Data Server to Office365:
Catch #1: User will not be able to remote into that PC using RDP. Third party yes, but not RDP.
Are you sure? Have you tried this?
Catch #2: The PC is tattooed to Azure AD. One cannot join a local AD anymore (IIRC).
Are you sure? I have had machines that are in AD first and then AAD joined and never had an issue. Now I've never AAD joined first, then added to AD, no clue what would happen there, though I see no reason why it wouldn't work.
As Scott mentioned - there are many options for managing machines today Salt or Intune are examples.
Yeah, that he is right. If you join to AAD Join first you cannot join AD after that. So if they need both I do the hybrid join on some customers (big ones)
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual
Interesting.. Thanks.
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@JaredBusch said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
FFS.. Why the fuck would there be 10 local users on each machine?
I'll agree that in most - not just 50%, probably more than 95%, machines are frequently 1 to 1.
But I have a situation you clearly know about - it's 7 machines and 10 people over all of them. With a centralized auth setup, either, they all use one account, or I have 10 accounts on all 7 machines.
While you may have a fringe case, that has nothing to do with the posted question at hand.
FFS don't conflate shit.
-
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
Whoa. How the hell did you go from the topic at hand to this? What in the world does this have to do with what we were discussing? Nothing whatsoever.
The correct response was FFS don't conflate shit (again)
-
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@Dashrender said in Moving from Physical AD/Data Server to Office365:
@scottalanmiller said in Moving from Physical AD/Data Server to Office365:
@BRRABill said in Moving from Physical AD/Data Server to Office365:
a) logging into our machines
AD is only useful if you are maintaining central creds to log into multiple machines. And at just 10 users, that's considered not to make sense, even by MS standards. So even when that functionality is needed, AD isn't considered a good option for that.
Really? then what is? manually maintaining 10 logons on each machine?
Nope, maintaining just one, like any normal person.
really - what about the bolded part - multiple people logging into multiple machines? I totally agree if it's a one person to one computer situation, but I quoted you in the multi user to single machine situation.
Right, and that's how nearly all places are. Especially when you are dealing with people taking machines home. Are there exceptions? Of course. But we've already highlighted that AD is useful when you have that special case.
I literally said it was useful in that one case, and you responded as if I'd said the opposite. And we were saying that its not useful in the general case where 90%+ of companies are.
Normal companies, the vast majority, don't have any real use for people logging into lots of machines at random. It's not normal. At all. It's a valid use case, but far from normal. So for normal shops, implementing solutions based on the niche case is crazy. For those in the niche case, there are lots of ways to handle it, AD is a good one, but just one of lots of ways to tackle it.