For you Enterprise Windows guys...

Discussion in 'Technical Corner' started by DaleB, Jun 4, 2021.

  1. DaleB

    DaleB Final Approach

    Joined:
    Aug 24, 2011
    Messages:
    5,893
    Location:
    Omaha, NE

    Display name:
    DaleB
    First off, I am not (a Windows guy, that is). I'm not anti-Windows; Windows has its place. I just haven't had to deal with it other than as a desktop user for many years, since NT4 was replaced by Server 2003 or so. My MCP certification probably expired before some current licensed pilots were born.

    That said, let us assume that we have a small company, under 50 or so employees, that will eventually be a not so small company with a couple thousand employees on at least two continents. They're so small now that everyone is using G suite apps for email, calendar, meetings, etc. Some are using Chromebooks. All are working remotely. And let us further assume that their newly hired Benevolent Dictator of All Things Infrastructure has been chest-deep in Linux for years and has no recent experience with AD, Microsoft products, Azure, and the like. Your first job is to get everyone migrated off of Google apps and onto Office. You're going to need AD, device management, and so on. What route would you take? Azure AD? On-prem AD in 2-3 physical locations, with a VPN? Something else?

    For my next trick, watch me set up an entire phone infrastructure for a multinational corporation out of thin air.
     
  2. tspear

    tspear En-Route

    Joined:
    Dec 10, 2010
    Messages:
    3,097

    Display name:
    Timothy
    I would first ask why. What business need is driving the change?

    Second, for small companies Office 365 with everything outsourced is the cheapest, easiest solution. They even cover the phone system.
    If you are big enough, or plan to be big enough, or have enough security concerns, build your own infrastructure.
    Depending on the current state, I would build AD servers in some cloud location where I can install a VPN concentrator and use it as the central WAN point for users and to connect offices.
    For file servers, go with prebuilt solutions such as MS OneDrive through MS Teams, which makes it really easy to manage, or if you want to stand up your own, use a solution such as NetCloud.

    Tim
     
  3. denverpilot

    denverpilot Tied Down PoA Supporter

    Joined:
    Nov 8, 2009
    Messages:
    55,440
    Location:
    Denver, CO

    Display name:
    DenverPilot
    First question is what's driving the move off of GSuite? The current joke in the biz is Microsoft 365 is really Microsoft 357 and worsening with outages. Google outages are exceedingly rare.

    Outlook connector to GSuite is a thing and it works. Our division that is hopelessly Office addicted uses it. Everyone else continues to enjoy GSuite. There's only a small list of limitations with one-off calendar stuff. The Outlook users rarely notice they're really using Google servers.

    That said, if a small shop is hopelessly addicted to Office then yeah... Just go whole hog Microsoft 365 with the license level that gets you Azure AD and Intune and be done with it.

    Good luck EVER properly managing or integrating Macs to it. Don't believe the sales brochure on that one.

    Frankly, just ban Macs outright if you go that route, or plan an entire body to deal with the integrations, or buy JAMF and manage them separately. Do NOT try to use Azure SAML to authenticate Mac logins if you need SSO. Been there, done that; it sucks. So does Google, actually. But not quite as hard.

    Really need to know more about requirements, especially regulatory or security audits, for machine access and drive encryption and such... to recommend any more specifics but Azure AD and Intune can handle an all Win 10 shop fairly well. And at that license level you'll get Teams. And OneDrive. And a bunch of stuff. Maybe even stuff your data flow analysis won't want people using. But you can disable most of it except Teams and OneDrive which will constantly badger users to log in. And start saving data maybe where it doesn't belong in cloud storage. Depending on your security requirements.

    And since you mentioned phones... There is a bring your own carrier circuit thing that can plug into Teams. Haven't tried that one. I suspect significant brain damage getting that right. But could be done...

    I like to keep the phones working when the PCs are down but that's me... And a call center.

    Main concern with MSFT is down time. But we work with lots of places who are just living with whole days down with authentication failures for all MSFT services because they don't need a dedicated IT staff or are too small to have them. It works. Just expect 5-10 days off a year. Lol.

    Pricing went up on all of them, roughly $8/mo/user. Covid caused a cash cow for both Google and Microsoft.

    Oh. We do Gsuite and pay the very lowest MSFT per user licenses that get us Office 365 desktop licenses just for the Office addicted. Nobody else. Ask for it we buy it. Variable license plan. We lose numerous "Enterprise" features like Intune because we are handling that stuff a different way. But an all Windows shop starting out... I'd pay the Enterprise level and use everything they offer.

    But if you need an auditable Mac solution, forget it. And most companies end up with developers on Macs. That's the dept that needs them quite often and will screw up a plan to stay 100% MSFT. Often rightly so for what they do...

    If you've got more details you can share, I can offer more free advice without doing the proper analysis. Lol. Those are expensive. Ha.
     
  4. denverpilot

    denverpilot Tied Down PoA Supporter

    Joined:
    Nov 8, 2009
    Messages:
    55,440
    Location:
    Denver, CO

    Display name:
    DenverPilot
    This requires a pre-login VPN. I wouldn't bother if it's a new setup, just Azure AD and call it done. It works anywhere without the need for the VPN at all. But if you have to prove it all to auditors then Intune comes into play.
     
  5. kyleb

    kyleb Final Approach

    Joined:
    Jun 13, 2008
    Messages:
    6,791
    Location:
    Marietta, GA

    Display name:
    Drake the Outlaw
    We moved from Microsoft to GSuite about 10 years ago. People bitched and moaned, but ultimately came around to liking GSuite and its connectivity. Our reason for changing was supposedly that GSuite was better on the cloud and would be less expensive. I bet the transition costs were far more than our annual savings on Microsoft licenses. So, now, we're switching back to Microsoft. Again, transition cost (lost work, retraining, redoing stuff) wasn't figured into the analysis. We're supposedly moving back because so much 3rd party software is written for Microsoft and very little is written that plays well with Google.

    Personally, I think our IT folks are idiots.
     
  6. luvflyin

    luvflyin Touchdown! Greaser!

    Joined:
    May 8, 2015
    Messages:
    13,399
    Location:
    Vancouver, WA

    Display name:
    Luvflyin
    Ain’t got a clue. All that is like a foreign language to me. But wondering. How does the Ransom thing figure into all this?
     
  7. DaleB

    DaleB Final Approach

    Joined:
    Aug 24, 2011
    Messages:
    5,893
    Location:
    Omaha, NE

    Display name:
    DaleB
    I wasn't super clear in the first post. I should have learned long ago not to multitask when I post, but I'm just a slow learner. This really isn't so much about office applications. This is about the authentication, fine grained access control, device management for Windows devices, that sort of thing. It's all going to be needed, and soon. This currently small company might be highly regulated and subject to numerous and stringent audit and security requirements, and that's really all I can say about it.

    I won't be the one personally running all of this over the long term, but it's on me to figure out the architecture for the first phase and either build it, or supervise the people who do build it. So I'm really playing catch-up on the AD stuff. Like I said -- I've been dedicated to systems running Linux for a long, long time, in a very siloed huge corporate setting. My only Windows experience in the past decade has been as a desktop user.

    It looks like either our own AD servers, or Azure AD and Intune might do the job. There are factors involved that might swing it definitely one way or the other. Studying that will make for some fun nights while we're on vacation next week.
     
  8. denverpilot

    denverpilot Tied Down PoA Supporter

    Joined:
    Nov 8, 2009
    Messages:
    55,440
    Location:
    Denver, CO

    Display name:
    DenverPilot
    I bet they need the features of Intune and want to lower security costs. Lots of places have decided dedicated security desktop software isn't worth it... The ransomware will get through anyway.

    Load the cheap Microsoft stuff, check the security audit checkbox and move on: that's where a lot of non-sensitive businesses are at now. Huge sums for ineffective security software that the rest of us have to run is an expense they don't need.

    Switching also gets them better control if it's an all Windows fleet. Super granular compared to GSuite. Hundreds of security settings and if the machine has internet of any sort it'll get the message and do it.

    With work from home exploding Azure AD and Intune were perfectly timed.
     
  9. Ghery

    Ghery Touchdown! Greaser!

    Joined:
    Feb 25, 2005
    Messages:
    10,798
    Location:
    Olympia, Washington

    Display name:
    Ghery Pettit
    I read this stuff and I am so glad that a) I wasn't in IT, just a user; and b) I retired 6 years ago, so I don't have to care in any case. I have no idea what Intel is using today, but back before I retired they were using MS Office and our phones ran through our laptops. If you had a high speed internet connection it didn't matter where in the world you were, your phone worked. Very convenient when I was on the other side of the planet from home.
     
  10. tspear

    tspear En-Route

    Joined:
    Dec 10, 2010
    Messages:
    3,097

    Display name:
    Timothy
    @DaleB

    Based on the info provided, I am less inclined toward either Azure AD or your own. I would need more info on the regulatory rules and which audits are a concern.

    I would be more inclined to utilize a dedicated 3rd party universal directory or identity system. There are three major types from an industry perspective.
    1. MFA add on. Really designed to enhance and extend the existing authentication system. Largely depends on existing structure for authorization.
    2. Universal directory which is tuned as the single source of truth for the organization.
    3. Authentication system designed around a federated model to integrate multiple silos of authentication sources.

    Have fun reading. Be aware the tech around identity management has changed a lot in the past three to five years. The standards are much older and well established, but how it is done has had a dramatic change in the last few years.


    Tim
     
  11. DaleB

    DaleB Final Approach

    Joined:
    Aug 24, 2011
    Messages:
    5,893
    Location:
    Omaha, NE

    Display name:
    DaleB
    Thanks, guys. Appreciate the input. Obviously the answer is, “Bonanza”.