domain controller in the cloud for small office?
-
@mike-davis I've been using JumpCloud on Scott's recommendation from a few months ago. It's worked well for what I needed for my team but I don't have HIPAA requirements.
-
@mike-davis said in domain controller in the cloud for small office?:
@gjacobse said in domain controller in the cloud for small office?:
HIPAA security without it.
How do you create a password change policy that gets enforced without a domain controller?
Enforcement is always local, never from the controller. The Local Group Policy Editor is the standard tool for setting this on a Windows machine, or the Local Security Policy console.
With the LSP:
- To open Local Security Policy, on the Start screen, type secpol.msc, and then press ENTER.
- Under Security Settings of the console tree, do one of the following:
  - Click Account Policies to edit the Password Policy or Account Lockout Policy.
  - Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.
- When you find the policy setting in the details pane, double-click the security policy that you want to modify.
- Modify the security policy setting, and then click OK.
With the LGPE:
- Open the Local Group Policy Editor (gpedit.msc).
- In the console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.
- Do one of the following:
  - Click Account Policies to edit the Password Policy or Account Lockout Policy.
  - Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.
- In the details pane, double-click the security policy setting that you want to modify.
- Modify the security policy setting, and then click OK.
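The same Account Policies settings as a script, added here as an example and not posted by anyone in this thread: it writes the password and lockout values as a secedit template, applies them to the local machine, reads the result back with net accounts, and then pushes the same block to other workstations over PowerShell remoting (which is one way to do the "export and push it to the rest of the machines" asked about later in the thread). The computer names and the policy values are assumed placeholders.

```powershell
# Added example: apply a local password/lockout policy with secedit.
# Run from an elevated PowerShell prompt. The numbers are example choices.
$Template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@

$Apply = {
    param([string]$Inf)
    $path = Join-Path $env:TEMP 'pwpolicy.inf'
    # secedit reads the template from disk; [Unicode] means UTF-16LE
    Set-Content -Path $path -Value $Inf -Encoding Unicode
    # /db is mandatory; the SECURITYPOLICY area covers Account Policies
    secedit /configure /db "$env:windir\security\local.sdb" /cfg $path /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $path -Force
    # Read back the effective policy so the change can be confirmed
    net accounts
}

# Apply on this machine
& $Apply $Template

# Push the identical block to other workstations over WinRM.
# Assumes PS remoting is enabled there (Enable-PSRemoting) and you are an admin.
$Workstations = @('WS01', 'WS02')   # placeholder computer names
Invoke-Command -ComputerName $Workstations -ScriptBlock $Apply -ArgumentList $Template
```

secedit logs the result of each run to %windir%\security\logs\scesrv.log, which is where to look if a setting does not take.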
-
You get baseline AzureAD by using O365 (anything other than hosted Exchange only). This is what I use at one of my clients, works great!
As for managing the machines, you can use Salt for that versus the expense of a Windows VM and licensing, though you'll have to learn Linux unless there is a Salt Master that runs on Windows - and then you're right back to the licensing issue.
-
@dashrender said in domain controller in the cloud for small office?:
You get baseline AzureAD by using O365 (anything other than hosted Exchange only). This is what I use at one of my clients, works great!
Does that allow for GPO? I think you still have to do GPO locally when using that. Which is fine, just use PS and you are done.
-
@dashrender said in domain controller in the cloud for small office?:
As for managing the machines, you can use Salt for that versus the expense of a Windows VM and licensing, though you'll have to learn Linux unless there is a Salt Master that runs on Windows - and then you're right back to the licensing issue.
I don't think that there is, but you can just run without a master.
-
@reid-cooper said in domain controller in the cloud for small office?:
Does that allow for GPO? I think you still have to do GPO locally when using that. Which is fine, just use PS and you are done.
What do you mean by "just use PS"? Is there a way to export a local group policy and push it to the rest of the machines so I don't have to log on to every desktop and do it manually?
-
@dashrender said in domain controller in the cloud for small office?:
You get baseline AzureAD by using O365 (anything other than hosted Exchange only). This is what I use at one of my clients, works great!
I tried looking this up. Do I understand that you install the Azure AD Connect client on all the computers and it lets them sign in with their o365 credentials?
-
@dustinb3403 said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dustinb3403 said in domain controller in the cloud for small office?:
In line with this topic does SAMBA have some kind of tie in with GPO, where you can create / edit / delete GPO's from within SAMBA?
Tie in? Samba does GPO exactly like any other AD does.
So there is a Group Policy Editor that operates on CentOS or something? (no windows involved)
When you create a Samba 4 (SAMBA 4 is the key) domain, you can use the exact same tools to administer it that you would any Windows Domain controller. The caveat is it must be a Samba 4 Domain which is at a Windows 2008 functional level. You can open up RSAT on your Windows box and create new users, open up Group Policy and start pushing out GPOs. It is not hard at all, many many how-tos on how to do this. Here is one of the first links from Google.
https://www.howtoforge.com/tutorial/samba-4-domain-controller-installation-on-centos/
-
@mike-davis said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
You get baseline AzureAD by using O365 (anything other than hosted Exchange only). This is what I use at one of my clients, works great!
I tried looking this up. Do I understand that you install the Azure AD Connect client on all the computers and it lets them sign in with their o365 credentials?
No, Windows 10 will join an Azure AD just like it joins a local onsite AD. Then any users in your O365 system can log into the computers.
-
My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.
-
@reid-cooper said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
You get baseline AzureAD by using O365 (anything other than hosted Exchange only). This is what I use at one of my clients, works great!
Does that allow for GPO? I think you still have to do GPO locally when using that. Which is fine, just use PS and you are done.
While I haven't dove into it, Scott and others have mentioned that the base level of Azure AD that comes with O365 does support some GPO stuff for Windows 10 clients. I have no idea how comprehensive it is though.
That said, Passwords being the main thing that @Mike-Davis asked about, that's handled through O365 itself, no GPOs needed.
-
@penguinwrangler said in domain controller in the cloud for small office?:
My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.
So that means he quit, right? $20K won't even cover his salary, so I'm guessing that means he's looking for a new job.
-
@penguinwrangler said in domain controller in the cloud for small office?:
When you create a Samba 4
If you have the CentOS box in the cloud, are you running a site-to-site VPN directly to the CentOS box from the router onsite and setting the clients to use the CentOS box for DNS?
-
@mike-davis said in domain controller in the cloud for small office?:
@penguinwrangler said in domain controller in the cloud for small office?:
When you create a Samba 4
If you have the CentOS box in the cloud, are you running a site-to-site VPN directly to the CentOS box from the router onsite and setting the clients to use the CentOS box for DNS?
This would be one option. ZeroTier would be the other option.
-
@dashrender said in domain controller in the cloud for small office?:
That said, Passwords being the main thing that @Mike-Davis asked about, that's handled through O365 itself, no GPOs needed.
This is true. o365 admin center lets you create password change policies. If the Azure AD will let me create shares based on o365 usernames, I'll be all set.
-
@dashrender said in domain controller in the cloud for small office?:
@penguinwrangler said in domain controller in the cloud for small office?:
My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.
So that means he quit, right? $20K won't even cover his salary, so I'm guessing that means he's looking for a new job.
Not including his salary of course. All he has is $20,000 to cover any repairs or new purchases.
-
@penguinwrangler said in domain controller in the cloud for small office?:
My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.
In all seriousness, $20K may or may not be enough for this particular year - we really don't know. One thing we do know, that would be enough to replace only about 20 PCs (30 if you scrimp), so let's hope for his sake that he doesn't need to replace much equipment.
-
@mike-davis We are doing his on-site, but you would most likely want to use a VPN or, like @Dashrender said, ZeroTier would be an option.
-
@mike-davis said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
That said, Passwords being the main thing that @Mike-Davis asked about, that's handled through O365 itself, no GPOs needed.
This is true. o365 admin center lets you create password change policies. If the Azure AD will let me create shares based on o365 usernames, I'll be all set.
They aren't shares in the normal sense. You'll have SharePoint sites and ODfB sharing.
I don't believe that Windows Server 2016 can participate with Azure AD (though I could be wrong, heck probably am), so you can't (as far as I know) set up shares on a local server that would then map to a user.
Remember, LANless is the desire now, so no local servers unless absolutely required - use things like ODfB or Nextcloud.