    Joining/Binding Macs to AD Domain - Should I Bother?

    • art_of_shred @wrx7m

      @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

      @Minion-Queen said in Joining/Binding Macs to AD Domain - Should I Bother?:

      Binding them is easier now than it used to be, but if your current system is working... why fix what's not broke?

      That is generally my line of thought. However, I was wondering if it is a best practice thing and if there was something I hadn't considered as a benefit.

      In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

      • wrx7m @art_of_shred

        @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

        In a sense, I think joining to a domain becomes a necessary evil. There are obvious access and control benefits, but at the cost of added complexity and security risk. If the Macs are set up in such a way as to be happy where they are, why introduce the security risk? Is there any real gain from being on AD that you are feeling pain from not currently having?

        I was not aware of a security risk by joining them to the domain. How does it increase risk?

        I am trying to ascertain if there is something that is missing from them not being bound to AD. Are there ADMX templates for GPO?

        • art_of_shred

          The basic security risk is inherent in creating an opportunity for a single breach to affect multiple endpoints. A lone computer can only be compromised itself. An entire network can be compromised through the breaching of a single account (if it's the right account).

          • IRJ @wrx7m

            @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

            I was not aware of a security risk by joining them to the domain. How does it increase risk?

            It doesn't. If someone hacks your network, I doubt they would try to login to Macs through Active Directory. The paydirt is on servers and network storage anyway. Hackers aren't going to go after your marketing team's Macs.

            • art_of_shred @IRJ

              @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

              It doesn't. If someone hacks your network, I doubt they would try to login to Macs through Active Directory. The paydirt is on servers and network storage anyway. Hackers aren't going to go after your marketing team's Macs.

              Because they are Macs and not real business computers, I yield to your point.

              • IRJ @art_of_shred

                @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

                Because they are Macs and not real business computers, I yield to your point.

                In theory you are right about mo devices mo problems. I just don't see the Macs as a particular threat.

                • Jason Banned @art_of_shred

                  @art_of_shred said in Joining/Binding Macs to AD Domain - Should I Bother?:

                  The basic security risk is inherent in creating an opportunity for a single breach to affect multiple endpoints. A lone computer can only be compromised itself. An entire network can be compromised through the breaching of a single account (if it's the right account).

                  Only true to some degree. Computers inherently trust each other; even when not on a domain, they will always try pass-through authentication first. Actually, requesting pass-through and getting NTLM or Kerberos tickets is one of the easiest ways into a network.

                  • Jason Banned

                    We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files), they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me but Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.

                    • IRJ @Jason

                      @Jason said in Joining/Binding Macs to AD Domain - Should I Bother?:

                      We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files), they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me but Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.

                      It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

                      • Dashrender @IRJ

                        @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

                        It's hard to argue actual business usage for a Mac unless you are really doing some heavy music or video editing.

                        Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know - all things being equal except price, is the Mac faster?

                        • IRJ @Dashrender

                          @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

                          Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know - all things being equal except price, is the Mac faster?

                          I am sure you can use a lot of browser-based tools, but I am sure you would probably run into unsupported hiccups. You say except price like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

                          Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

                          • Dashrender @IRJ

                            @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

                            I am sure you can use a lot of browser-based tools, but I am sure you would probably run into unsupported hiccups. You say except price like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

                            Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

                            I'm not sure if you are talking about the Mac software versus the Windows software - I was talking more about the hardware. Windows hardware that is on par (i.e. business class machine with similar specs) generally seems to be pretty close to the same cost as a Mac.

                            I have no clue regarding software side of the house.

                            • wrx7m

                              OK. Based on the replies, I will just keep it as is. One less project.

                              • donaldlandru

                                Install Windows over the OS. Join domain. For non-intensive or specific tasks, MacBooks make the best Windows machines.

                                At least this is what we do for users that insist they must have them.

                                • wrx7m

                                  The point for these users is the Mac OS

                                  • Jason Banned @Dashrender

                                    @Dashrender said in Joining/Binding Macs to AD Domain - Should I Bother?:

                                    Is that even still true? Macs and Windows machines run the same hardware. Most, if not all, of the editing software that used to be Mac-centric is also available on Windows. What I don't know - all things being equal except price, is the Mac faster?

                                    It hasn't been true for years. People just assume that still.

                                    • Jason Banned @IRJ

                                      @IRJ said in Joining/Binding Macs to AD Domain - Should I Bother?:

                                      I am sure you can use a lot of browser-based tools, but I am sure you would probably run into unsupported hiccups. You say except price like there is only a $50 or $100 difference in pricing per unit. Generally you are paying double if not triple for a Mac.

                                      Grandma can use a Lamborghini to get the groceries, but that doesn't make a Lamborghini the best choice for Grandma.

                                      Browser-based? No audio or video editing professional app runs in the browser. Avid Pro Tools is the standard for music; for video it's Avid Media Composer and Adobe Premiere Pro. Final Cut Pro used to be a choice, but after the switch from 7 to X it was a consumer app. When there was Final Cut Pro and the integration with Logic Pro, SoundStage, there was some argument for Macs; not anymore. Adobe used to run better on Mac, but now Mac OS X is such a bloated OS it runs better on Windows. Font rendering used to be better than Windows; now it's the same.

                                      • Jason Banned @Jason

                                        @Jason said in Joining/Binding Macs to AD Domain - Should I Bother?:

                                        We have a few Macs. They are not domain joined. They have local accounts, and are encrypted (preventing single user mode bypass/reset of passwords without damaging files), they just store their AD account in keychain. They have to change their password via RDP. Heck, most of their tasks are still done via RDP. The Macs they just use for internet and Outlook. Pretty dumb if you ask me but Marketing Director seems to like it. Guess he fits in at Starbucks with other marketing folks.

                                        To be clear, our marketing department is not a graphic design, web design, video or audio editing team. They work on campaigns, corporate account pitches etc. All the other stuff is outsourced.

                                        • donaldlandru @wrx7m

                                          @wrx7m said in Joining/Binding Macs to AD Domain - Should I Bother?:

                                          The point for these users is the Mac OS

                                          Is this a business case or do the users just want to have it?

                                          If there is no business case behind it why add the complexity of managing another OS?

                                          Now to @Minion-Queen's point, if it isn't broke don't fix it, I agree with that stance, but when it comes time for refresh I would be having the conversation.

                                          • scottalanmiller

                                            Binding is not hard. If adding a new machine and AD is in place already, it might make sense. No cost, not much effort.
