@IRJ said in Large network of Windows machines without AD - GO!:

@Obsolesce said in Large network of Windows machines without AD - GO!:

At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.

I was under the impression no on-prem stuff like that.

@scottalanmiller said in Large network of Windows machines without AD - GO!:

@Obsolesce said in Large network of Windows machines without AD - GO!:

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment.

That's the beauty of outsourcing. Doesn't matter how much of a PITA it is, you can put it into monetary numbers. And the cost of using AAD is higher than the cost of "having someone else do it all." And nothing beats that. Lower cost, zero effort. It's a guaranteed win.

I suppose it's all possible, but is that MSP already set up and prepared for when they want all 200 users to use their local desktop/laptop logins to access their existing email (likely Google or Microsoft) services, printing services/follow-me printing, github/lab, network access / 802.1x, SSO/2FA everywhere, any and all other systems? Samba/Ansible/Salt supports a lot, I know, but it's a complete re-do. Rip out/ gut, and in with the new.... without anything existing breaking or having bugs, stopping work, etc.

At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

@Dashrender said in Large network of Windows machines without AD - GO!:

@marcinozga said in Large network of Windows machines without AD - GO!:

Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 is you go with Samba.

and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.

It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

It's all ready to go built in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go, that'd you'll end up needing anyways, no building from the ground up. A basic 200-user setup for all the things would be minimal.

It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.

For 200 users, you would just need one person to set it up.

You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't got the on-prem or SAMBA route.

@Dashrender said in Large network of Windows machines without AD - GO!:

So Scott is always talking about ditching AD - so I'm asking - how would you ditch AD from a 200+ workstation/laptop environment where the users must remain using Windows on their local devices due to application requirements (let's not bring VDI/RDS into this at this time - that could be another thread).

How do you manage and get knowledge that systems are updated?
What user accounts are on the machine - and how do they get there?
Do you have a single admin level account pre-setup on every machine?
What about situations where users roam from computer to computer?
What about mapping network resources like printers and fileshares?

AAD and Intune

@popester said in Can all phones read QR codes natively?:

AWESOME Sauce!! No more excuses about not creating a help desk ticket!! Printed and implemented.

That was my home Wifi

I was looking over my wifi settings here....

No need for that site!

@bnrstnr said in Can all phones read QR codes natively?:

A few years back I wanted to setup my home WIFI credentials as a QR code for guests, but I think that was before iOS had the built in support, I might revisit this now that I know you just need to point the default camera app at it.

https://qifi.org/

That... is extremely useful.

Looks cool and all, but I don't see it as a production type of system.

With only one dude who works on it in small spurs at a time, I seriously doubt it's going to stay usable for long.

@scottalanmiller said in how to prevent non domain users from getting ip configuration:

But what @IT-ADMIN explained is that there is, to kind of give it an overview, an overarching "no policy, policy" that basically says that by policy, people can do pretty much whatever they want. That's the one key policy here.

Given that, no, it would seem that there are very few policies beyond that. But I think making the assumption that IT is attempting to run off of policy while everyone else is attempting to work around policy is unfounded and unlikely. Possible, to be sure, but not what we'd expect given the rest of what we know. Far more likely that IT is adding challenges that it either feels are useful or just feels that it is what everyone does and isn't thinking about it at all... how many SMBs implement AD without evaluating it for their needs... easily most. Likely that is all that happened here.

I don't see the issue then. If they're allowed to do what they want without breaking any policies, and they are still doing their job and working efficiently, then what's there to fix?

Sounds like this place has no company policies or no enforced company policies.