# _general
s
oh god, so then he basically creates an OU structure with AD groups instead? And all GPOs get scoped to those groups? That sounds awful. You've tried the 'this goes against best practice and is terribly inefficient' talk?
maybe deploy WEM so you don't have to use GPM?
m
yeah, we said “literally nobody does this”
they want a write up on what issues it might cause now
I have never had to even think about it
s
soon as that guy leaves it will be #techDebt
m
I mean how will loopback work?
you now need to filter on user groups as well
s
yeah
m
oooof
s
troubleshooting and overhead nightmare
m
right, you essentially have to run rsop all the time to even figure out what’s applying
s
yeah
might help to alternatively ask him to provide any documentation that he thinks would benefit from this setup.
m
lol, they aren’t doing that
I asked why they want to do it this way and they said that AD is for identity management only, not applying settings to apps
s
he must have heard it from somewhere... or did he hear about this in the latest episode of Stranger Things?
yeah, hard to argue logic with someone that doesn't use logic to get where they are 🙂
m
he’s been doing AD since AD was a thing!
surely that must mean he’s doing it right
s
you're making me want to quit IT
m
oh dude, I want to quit this project
this isn’t even the most insane thing that’s happened
l
I would push back from a security perspective. A machine in AD in an OU gets its settings because it's in AD and in an OU with policies. If you do it group based, then if a machine doesn't get added to the group, it is missing policies and could be a risk.
m
yeah, that’s exactly what we said, they said they will just create an internal policy that says everyone has to put these machines in this group
l
perfect. policies never fail
m
What happens when MCS creates the machines via AutoScale?
l
you'll have to have some script that runs to check for new machines every xx minutes and then adds them to a group, or create a script that does it when the machine gets generated
m
now we need to add additional automation in to make sure they are a member of a group?
l
but yuck
m
yeah
l
I'm glad to know I'm not the only one that deals with arbitrary decisions that have no foundation in logic 🙂
s
similar to that, I work for a bank which has a policy to never nest an AD group inside another AD group.
m
That one makes more sense
I don’t nest more than 1 level deep if I can help it
untangling nested group issues can be a nightmare
s
well, when everything is so partitioned off and responsibilities are splintered it makes it much harder. I look into the group I want to add my users to and I see 1000s of user objects, some are service accounts, some are people, it's really more of a mess, IMO
m
yeah, not allowing nesting at all is a bit silly, but at the same time you don’t want like 5 levels of nesting
s
and it's actually to apply GPOs.
oh, sure. i get that
m
it’s these places with no flexibility at all that drive me nuts, and it’s always people in charge of AD with the most insane ideas about how it’s “supposed” to work
s
or like you said, they've been doing it since AD 2000, so it must be the right way.
d
But you all said that he is an AD guy since the beginning: the retirement is getting closer and closer… 😜
l
It gets even more fun when your computers are in one domain, users in another, there's no trust, unless it's a selective trust, but wait, don't forget about the OTHER 12 domains, some with one way, some with 2 way, and some with selective trust. Yeah, those are fun.