    Shrinking many domains to few or one

    28 Posts 4 Posters 1.7k Views
    • coliverC
      coliver @Dashrender
      last edited by

      @dashrender said in Shrinking many domains to few or one:

      So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

      That's not what I'm suggesting. Not sure how you got that from what I'm saying.

      You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

      If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

      DashrenderD 1 Reply Last reply Reply Quote 0
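One way to run the permissions audit suggested in the post above and see which accounts already share the same access, as a starting point for departmental groups. This is an added example, not code from any participant in the thread; `D:\Shares` and the depth of 2 are placeholders, and it assumes PowerShell 5 or later run on the file server by an account that can read the ACLs. It looks only at explicit Allow entries on folders below the root, so Deny entries and the root folder's own ACL need a separate look.

```powershell
# Added example, not from the thread.
param(
    [string]$Root  = 'D:\Shares',  # placeholder: top of the share tree to audit
    [int]   $Depth = 2             # folder levels below $Root to inspect
)

# Built-in principals that say nothing about departmental access.
$skip = '^(BUILTIN|NT AUTHORITY|NT SERVICE)\\|^CREATOR OWNER$'

# 1. Collect explicit (non-inherited) Allow entries on folders, not files.
$aces = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth |
    ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -notmatch $skip
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights.ToString()
                }
            }
    }

# 2. Reduce each identity to a signature: the sorted set of folder|rights pairs it holds.
$profiles = $aces | Group-Object Identity | ForEach-Object {
    $pairs = $_.Group |
        ForEach-Object { '{0}|{1}' -f $_.Folder, $_.Rights } |
        Sort-Object -Unique
    [pscustomobject]@{
        Identity  = $_.Name
        Signature = $pairs -join "`n"
        Pairs     = $pairs
    }
}

# 3. Identities sharing a signature are candidates for one security group.
$profiles | Group-Object Signature | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        MemberCount = $_.Count
        Members     = $_.Group.Identity -join ', '
        Access      = $_.Group[0].Pairs -join '; '
    }
} | Format-List
```

Rows with a high `MemberCount` are the natural departmental groups; rows with a single member are the per-user exceptions to review individually. Identities that are already groups appear as their own rows.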
      • coliverC
        coliver @wirestyle22
        last edited by

        @wirestyle22 said in Shrinking many domains to few or one:

        @coliver said in Shrinking many domains to few or one:

        How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

        We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

        That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.

        wirestyle22W 1 Reply Last reply Reply Quote 1
        • wirestyle22W
          wirestyle22 @coliver
          last edited by

          @coliver said in Shrinking many domains to few or one:

          @wirestyle22 said in Shrinking many domains to few or one:

          @coliver said in Shrinking many domains to few or one:

          How important is it really to preserve security? IIRC @wirestyle22 has said that security is based on users now? So blow away all the security and start setting up folder permissions (don't do individual files) based on groups. If someone needs access to a share/folder then drop them in the group and be done. Easier to rebuild from scratch the correct way than to fight with the existing incorrect and unsustainable way.

          We need them to be able to access their files as they do now. After we migrate I will go through the process of setting up all of the groups and everything. We are fighting with the city right now to tell us when a person is terminated. No one wants to take responsibility to do it and we have 800 users in AD with only 400-ish that are actually active. This creates a lot of extra work for no reason for me here.

          That's really not that many users, I know it seems like it but in reality many of them will have access to the same types of files. So those 400-ish users could probably be broken down to a few dozen groups.

          It would be more than that, but definitely less than it seems.

          1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @coliver
            last edited by

            @coliver said in Shrinking many domains to few or one:

            @dashrender said in Shrinking many domains to few or one:

            So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

            That's not what I'm suggesting. Not sure how you got that from what I'm saying.

            You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

            If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

            I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

            If this is not what you're suggesting, then I'm still not getting it.

            If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move to something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.

            coliverC 1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch
              last edited by

              Buy a netwrix license and move on.

              coliverC wirestyle22W 2 Replies Last reply Reply Quote 0
              • coliverC
                coliver @Dashrender
                last edited by coliver

                @dashrender said in Shrinking many domains to few or one:

                @coliver said in Shrinking many domains to few or one:

                @dashrender said in Shrinking many domains to few or one:

                So you have a file server with 10K files on it, you can't just wipe out all permissions and then wait for people to complain so you can add them to said group - that's not really tenable. Plus users could be calling in frequently for weeks doing this.

                That's not what I'm suggesting. Not sure how you got that from what I'm saying.

                You have an opportunity to rebuild your infrastructure here to meet best practices. You could easily, and fairly quickly if you think and plan out the system, build your AD infrastructure and file share prior to users being allowed on them. When they log in they "magically" have access to things they didn't previously.

                If you run a file system audit or permissions audit I bet you will find that people in the same department generally have access to the same folders. Start with generic departmental groups and start making more restrictive permissions from there. Even if a user is the only one allowed to access a file make a group for that user (but make sure it explains where that file is in the structure).

                I'm not sure how you're starting over? Are you suggesting make a new server in the new domain, then migrating data into a whole new file structure you make? That's very disruptive to workflow.

                If this is not what you're suggesting, then I'm still not getting it.

                If this is what you are suggesting, then why not just go all the way and move away from fileshares altogether and move to something like NextCloud now. You'll have a much easier time with remote access where needed and be moving toward that LAN-Less design Scott loves so much.

                That's exactly what I'm referring to... not sure how it would be disruptive to workflows? It's a new share in a new location, literally nothing else changes. The files stay exactly the same. Even the structure, for the most part, could stay exactly the same. They need this file, well it's now located here. Set up DFS and you could even do \\ad.city.gov\folder. So much easier than remembering an individual server and path.

                As for the NextCloud design. That's a fantastic idea but you'd really have to redevelop workflows around that process. I'm not opposed to it but it seems like @wirestyle22 already has a slow moving organization and a change like that would be a straight up revolt.

                wirestyle22W 1 Reply Last reply Reply Quote 0
                • coliverC
                  coliver @JaredBusch
                  last edited by

                  @jaredbusch said in Shrinking many domains to few or one:

                  Buy a netwrix license and move on.

                  This is a great idea. Netwrix Auditor could do a lot toward figuring out who has what permissions where, and you could do some reporting based on overlap... etc...

                  1 Reply Last reply Reply Quote 0
                  • wirestyle22W
                    wirestyle22 @JaredBusch
                    last edited by wirestyle22

                    @jaredbusch said in Shrinking many domains to few or one:

                    Buy a netwrix license and move on.

                    This was one of the first things I said to @Dashrender today. It will happen regardless of what direction we go in.

                    1 Reply Last reply Reply Quote 0
                    • wirestyle22W
                      wirestyle22 @coliver
                      last edited by wirestyle22

                      @coliver Next cloud is such a sore subject for me. Why they won't do it:

                      They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                      It's actually infuriating

                      coliverC 1 Reply Last reply Reply Quote 0
                      • coliverC
                        coliver @wirestyle22
                        last edited by

                        @wirestyle22 said in Shrinking many domains to few or one:

                        @coliver Next cloud is such a sore subject for me. Why they won't do it:

                        They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                        It's actually infuriating

                        That's fine, you've presented it to them and they've declined. So move on.

                        wirestyle22W 1 Reply Last reply Reply Quote 1
                        • wirestyle22W
                          wirestyle22 @coliver
                          last edited by

                          @coliver said in Shrinking many domains to few or one:

                          @wirestyle22 said in Shrinking many domains to few or one:

                          @coliver Next cloud is such a sore subject for me. Why they won't do it:

                          They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                          It's actually infuriating

                          That's fine, you've presented it to them and they've declined. So move on.

                          Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

                          /rant

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • wirestyle22W
                            wirestyle22
                            last edited by

                            It's especially annoying because I see $1300-$2000 curved wide screen monitors on their desks. Never knew how right @scottalanmiller was about local government before I worked here.

                            1 Reply Last reply Reply Quote 1
                            • DashrenderD
                              Dashrender @wirestyle22
                              last edited by

                              @wirestyle22 said in Shrinking many domains to few or one:

                              @coliver said in Shrinking many domains to few or one:

                              @wirestyle22 said in Shrinking many domains to few or one:

                              @coliver Next cloud is such a sore subject for me. Why they won't do it:

                              They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                              It's actually infuriating

                              That's fine, you've presented it to them and they've declined. So move on.

                              Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

                              /rant

                              So the next time they are whining about drop box costs, tell them, we have a solution ready to bang out, it only costs $x and will take me 2 hours to get up and running - etc.

                              wirestyle22W 1 Reply Last reply Reply Quote 1
                              • wirestyle22W
                                wirestyle22 @Dashrender
                                last edited by wirestyle22

                                @dashrender said in Shrinking many domains to few or one:

                                @wirestyle22 said in Shrinking many domains to few or one:

                                @coliver said in Shrinking many domains to few or one:

                                @wirestyle22 said in Shrinking many domains to few or one:

                                @coliver Next cloud is such a sore subject for me. Why they won't do it:

                                They won't spend the maximum of $15 a year on a domain for us to use for it. So I said we can just create an a-record for nc.domain.com and port forward to our Next Cloud instance. I can even do the SSL certification for free. Management says no. Why? Because the guy who runs the website doesn't know how to do that. I'll do it. No, you can't. Why? Because you can't.

                                It's actually infuriating

                                That's fine, you've presented it to them and they've declined. So move on.

                                Yeah it's just annoying that they don't want to save themselves money. The city has so many dropboxes they are paying for right now and then ask us to come up with a solution that saves them a ton of money, but they refuse.

                                /rant

                                So the next time they are whining about drop box costs, tell them, we have a solution ready to bang out, it only costs $x and will take me 2 hours to get up and running - etc.

                                It's sitting on one of my hyper-v hosts, 100% ready. Only thing I need is the port forwarding and a-record. It would take 2 mins.

                                1 Reply Last reply Reply Quote 1