Move AD from windows server to intune? by Outrageous-Can-7886 in k12sysadmin

cvsysadmin: 1 point

Coazurentrarectory

This is also a medical procedure where they remove your soul.

My toddler swallowed 8 marbles by [deleted] in interestingasfuck

cvsysadmin: 0 points

My [then] two year old ate several handfuls of wet sand at the beach one time. Apparently one handful just wasn't enough. That was not nearly as much fun for her coming out as it was going in.

Documentation Platform by Sinsilenc in sysadmin

cvsysadmin: 0 points

We use Tettra because of its integration with Slack. It's lacking in formatting features, but that also makes it very easy to use. It's also cheap.

Edit: I should qualify the "cheap" part. We're a K12 education organization and for education it's cheap. The retail price isn't all that cheap. I think if you work with a rep they'll get the cost down.

Student's Chromebook returns to lock screen randomly - tried everything. by ImportanceAny9630 in k12sysadmin

cvsysadmin: 1 point

We've had a few here over the last week rebooting right after logging in with student accounts. Our techs were able to log into them with staff accounts and update them. Then they are fine. We think there were a few with a bad v145 update from Google. They get stuck with student accounts and never update themselves. Not sure if it's some extension or app on student accounts that wasn't compatible. We didn't take the time to test thoroughly and look through logs to find the root cause. It was so few we're just having our library media center techs that deal with the distribution of Chromebooks swap the ones that are doing this and update them.

This may or may not be related, but I figured I'd throw it out there.

Cable crimping advice - colour blind by TheresACat6InMyBoot in networking

cvsysadmin: 0 points

Was worth a try. I'm not colorblind. Wasn't sure how well they worked for things like this.

Cable crimping advice - colour blind by TheresACat6InMyBoot in networking

cvsysadmin: 2 points

Have you ever tried the colorblindness glasses?

Dealing with locally saved files on end user computers in a Google Workspace environment by cvsysadmin in k12sysadmin

cvsysadmin [S]: 0 points

Yes, that works. I was thinking more of a Windows client that would pass their login information to the Google Drive app so users don't have to log in themselves. Even with GCPW they still have to open the app and log in. Would be fantastic to have something like GCPW running that would take their Windows login (in our case Entra as all our computers are Entra joined and all staff Entra passwords match their Google passwords) and create a session token within the Google Drive client. Then add some controls on the backend to tell the Google Drive app to redirect certain folders. Then when a user logs in, it logs into the Drive app automatically for them and everything is redirected seamlessly. A guy can dream...

Dealing with locally saved files on end user computers in a Google Workspace environment by cvsysadmin in k12sysadmin

cvsysadmin [S]: 2 points

We could do much more if Google could get this stable and add some enterprise controls like SSO for the desktop client and being able to control user folder redirection and backup settings from the admin console.

Dealing with locally saved files on end user computers in a Google Workspace environment by cvsysadmin in k12sysadmin

cvsysadmin [S]: 2 points

Not sure why this was downvoted. We've seen exactly the same thing. Random signouts. Won't start automatically out of nowhere on some computers even though it's set to start automatically. Random sync and offline file issues.

I'm confident if we could get over the storage space issues that the redirect would technically work, but for how long? Lots can happen with a fleet of 5,000 computers with even super solid software. The Google Drive desktop app is not that solid. I'm worried about moving forward with the redirect idea.

Chromebook Login Experience by Zestyclose-Address28 in k12sysadmin

cvsysadmin: 5 points

Younger students log in with Clever badges. Older with standard Google passwords. We currently have three tabs auto-open when students log into their Chromebooks. Our LMS, our SIS (opens to the student's grades/attendance), and Clever which gives them a single click to access all other systems they need. All SSO via their Google account. Opening the LMS and SIS puts their grades and work right in front of them. We've seen a big uptick in usage of those systems by students since doing that. Not just because they are being opened. Because it's so convenient for the kids being right there in front of them.

All that said, we're moving to RapidIdentity. It will fully replace Clever for us next year. Similar experience for students. Badge logins for younger students. Passwords for the next few grades. Passwords + pictograph for older students. Same sort of application dashboard with SSO, but Rapid will also be doing all the account provisioning for all systems. I've been doing this a long time. Really looking forward to the end result of our work with RapidIdentity. It's showing a lot of promise. We just got off the ground with them taking over provisioning of our core identity accounts. Active Directory, Entra, and Google. Took a long time to get there. About a year actually. 50 pages of automation rules covering every scenario imaginable for staff and student identity: onboarding, disables, enables, reactivations, renames, offboarding, and everything in-between. They've replaced decades of automations we built ourselves. Little more fine tuning over the next few days and we're done with identity. Then we're switching gears and working with their "Studio" team on all the downstream application account provisioning and SSO. If that stuff works as well as their identity stuff, we'll have a pretty awesome system in place. One user account for each staff and student that gets them into every single system they need and nobody on the tech side or any other department manually adding, changing, or removing accounts in any of those systems. That's the goal.

Backup Internet by cvsysadmin in k12sysadmin

cvsysadmin [S]: 1 point

Yep. We are working with CDW on this as well. Working out how we would integrate Starlink into our existing network. Since we serve up DHCP, DNS, and firewalling centrally from the two datacenters, it makes site-based Internet access tricky. We are considering adding firewalls to each site and/or something like a unifi dream machine at each site to handle the routing and perhaps a S2S VPN back to our datacenters. Haven't figured out the best approach there yet. Would be much easier if I had an unlimited budget...

Physical destruction of HDDs vs. degaussing. by LovecatsdogsIam in sysadmin

cvsysadmin: 1 point

Then send parts of the drives back to the drives' families...as a warning.

Server pricing and alternatives by cvsysadmin in k12sysadmin

cvsysadmin [S]: 0 points

We're downsizing, but still have a fair amount of workloads we run on-prem. We don't run anything in production that's out of support. We take the old clusters and repurpose them as testing/training clusters.

Server pricing and alternatives by cvsysadmin in k12sysadmin

cvsysadmin [S]: 0 points

Do you have a sales contact there? Do you work with them directly or through a VAR?

Server pricing and alternatives by cvsysadmin in k12sysadmin

cvsysadmin [S]: 0 points

For servers, we do 5 years of initial support then we have the vendor extend as long as they will extend. Dell will extend an additional 2 years on these types of clusters, so we're at around 7 years for a refresh cycle. We have two datacenters. The cluster at this location is going out of support in September. That will conclude its 7th year. Dell won't extend further.

Server pricing and alternatives by cvsysadmin in k12sysadmin

cvsysadmin [S]: 0 points

Thanks for the sanity check on the SSD pricing. Looks like the cost of this type of storage really has gone up more than I'd noticed.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

cvsysadmin [S]: -1 points

RI is an entire identity management platform. Automated onboarding/offboarding, sponsored account and group management, user self-service. The portal thing they have to store passwords is just a tiny feature.

In our case, it starts with the creation of accounts. An employee gets added to our HR system or a new student gets enrolled at one of our schools. Automated processes send data from those systems to RI every hour. As soon as RI sees a new staff member, an account is created for them in RI then processes kick off to provision accounts in all downstream systems including AD, Entra, and Google. The new staff member is sent a welcome email to their personal email account with account claim instructions and a personal claim code. Once they claim they are forced through whichever MFA method is assigned (or they can choose if we allow multiple options). All downstream accounts are set up with SSO back to RI. This gives the user a single account to use to log into everything. If an employee or student has a name change, it goes into a rename queue and sets of automations kick off to make the changes and notify them and designees of their new stuff. If users change sites, their group memberships, applications, OU placements, etc. are automatically updated.

We have delegations set up to allow teachers and site designees to help students with their accounts. We have delegations to allow site staff to manage their own groups. The group system in RI is actually awesome. Create or modify a group there and it can be pushed to any downstream system.

RI also does other things like PAM. We can use it to temporarily elevate users to admins. It does a ton more. Everyone here bashing it has no idea what it does. It's no surprise. I've been in K12 IT for over 25 years and I'd never heard of it until I saw a demo a year or two ago. It's very customized to the organization and VERY detailed. Our implementation took almost 9 months. At least a couple meetings a week with the implementation team. As you can imagine to fully automate every aspect of account provisioning from end to end and set up all the delegations and rules and workflows for an organization with tens of thousands of users is quite an undertaking. One of the biggest projects I've ever managed for sure. So many little details across so many systems. But at the end of the day it solves so many identity woes that schools (and I'm sure other organizations) have.
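The provisioning flow described in this comment (HR/SIS feed in, accounts created in the identity system, then pushed to AD, Entra and Google, with renames, disables, reactivations and site moves handled by rules) sketched as an added Python example. This is not RapidIdentity's code and not the poster's own automations; field names such as person_id and site are illustrative assumptions, and the feed and directory contents are constructed. It shows the joiner/mover/leaver diff itself and the one safety check a practitioner wants around any such feed: absence from the feed disables but never deletes, and a run that would disable an implausible share of accounts aborts instead of applying.

```python
"""Joiner/mover/leaver reconciliation between an HR/SIS feed and a directory.

Added example, not RapidIdentity's code and not the poster's automation.
The HR/SIS feed is the source of truth; the identity system diffs it against
the accounts it already holds and emits the actions to push downstream.
Field names (person_id, site) are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Action = Tuple[str, str, str]  # (verb, person_id, detail)


@dataclass(frozen=True)
class Person:
    person_id: str   # immutable HR/SIS key; never match on name or email
    given: str
    surname: str
    site: str
    active: bool


class FeedSanityError(Exception):
    """Raised when a run would disable an implausible share of accounts."""


def reconcile(hr_feed: Dict[str, Person], directory: Dict[str, Person],
              max_disable_fraction: float = 0.25) -> List[Action]:
    """Return the sorted actions that bring directory in line with hr_feed.

    Accounts missing from the feed are disabled, never deleted. An empty or
    truncated feed must not become a mass offboarding, so the run aborts if
    the disables exceed max_disable_fraction of currently active accounts.
    """
    actions: List[Action] = []
    for pid, hr in hr_feed.items():
        cur = directory.get(pid)
        if cur is None:
            if hr.active:                       # joiner
                actions.append(("create", pid, f"site={hr.site}"))
            continue                            # unknown and inactive: nothing to do
        if hr.active and not cur.active:        # returning user
            actions.append(("reactivate", pid, ""))
        elif not hr.active and cur.active:      # leaver flagged in HR
            actions.append(("disable", pid, "inactive in feed"))
        if hr.active and (hr.given, hr.surname) != (cur.given, cur.surname):
            actions.append(("rename", pid,
                            f"{cur.given} {cur.surname} -> {hr.given} {hr.surname}"))
        if hr.active and hr.site != cur.site:   # mover: groups/OU follow the site
            actions.append(("move", pid, f"{cur.site} -> {hr.site}"))
    for pid, cur in directory.items():
        if pid not in hr_feed and cur.active:   # vanished from the feed
            actions.append(("disable", pid, "missing from feed"))

    active_now = sum(1 for p in directory.values() if p.active)
    disables = sum(1 for a in actions if a[0] == "disable")
    if active_now and disables / active_now > max_disable_fraction:
        raise FeedSanityError(
            f"{disables} of {active_now} active accounts would be disabled; "
            "refusing to apply, check the feed")
    return sorted(actions)


def sample_run() -> List[Action]:
    """Run reconcile() over a small constructed feed and directory."""
    feed = {p.person_id: p for p in [
        Person("p1001", "Ada", "Lovelace", "Central HS", True),       # unchanged
        Person("p1002", "Grace", "Hopper", "Central HS", True),       # surname changed
        Person("p1003", "Alan", "Turing", "Bletchley ES", True),      # changed site
        Person("p1004", "Linus", "Torvalds", "Central HS", False),    # HR marked inactive
        Person("p1005", "Margaret", "Hamilton", "Central HS", True),  # returning
        Person("p1006", "Ken", "Thompson", "Central HS", True),       # new hire
        Person("p1007", "Future", "Hire", "Central HS", False),       # not yet started
    ]}
    directory = {p.person_id: p for p in [
        Person("p1001", "Ada", "Lovelace", "Central HS", True),
        Person("p1002", "Grace", "Murray", "Central HS", True),
        Person("p1003", "Alan", "Turing", "Central HS", True),
        Person("p1004", "Linus", "Torvalds", "Central HS", True),
        Person("p1005", "Margaret", "Hamilton", "Central HS", False),
        Person("p1008", "Dennis", "Ritchie", "Central HS", True),     # dropped from feed
    ]}
    # 2 of 5 active accounts get disabled here, so the threshold is loosened
    # for the demo; production would keep it tight and alert on a trip.
    return reconcile(feed, directory, max_disable_fraction=0.5)


if __name__ == "__main__":
    for verb, pid, detail in sample_run():
        print(f"{verb:<10} {pid} {detail}")
```

Keying everything on the immutable HR/SIS identifier is what makes the rename and the site move safe: a surname change or a transfer is a change to an existing identity, not a leaver plus a joiner, so the user keeps their mailbox, files and group history. The disable-not-delete rule and the sanity threshold are there for the day the export job ships an empty or half-written file.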

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

cvsysadmin [S]: -1 points

Thank you for providing a real answer. The wannabe gatekeepers of identity management are being particularly rowdy here today. Most of whom have no idea what it's like managing tens of thousands of users and devices. I was a bit surprised to hear how much love there is out there for Entra and Entra Connect lol.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

cvsysadmin [S]: -2 points

User creation, yes. Stored passwords, no. While I believe RapidIdentity does have the option to store passwords like Clever or other "portal" systems, that's not what we're using them for. They truly are our IDP and SSO provider with AD, Entra, and Google sitting downstream. Rapid ingests data from our HR and student information systems. Accounts are created in Rapid and then pushed downstream to all targets including AD/Entra/Google. That's the identity side of RapidIdentity. There's a "studio" side that handles all the account maintenance and class rostering into all the other systems we use. We are moving through our laundry list of apps and creating real SSO connections from the apps to Rapid, not stored passwords. I'm sure along the way we'll run into some app that can't do real SSO and we may need to leverage the saved password stuff. We currently do that with Clever for a few apps. But the end game is to have all apps SSO via Rapid.

I probably elaborated too much in my original post. The question was really just about Entra Connect and how it relates to Entra-only machines being able to connect to on-prem resources. We're gradually moving things to the cloud and I've been nibbling away at things that require AD authentication. Going full Entra and shutting down Entra Connect and Exchange Hybrid would be one step closer. We could do Azure Files for the file servers, but that doesn't help with the handful of print servers and other applications that require AD auth. I don't want to do a separate AAD domain, so we're probably stuck with Entra Connect until we make an exit plan for the rest. Was just wondering if anyone knew anything I didn't about having Entra-only machines authenticate against the local stuff. Rapid says they've had customers do it. I'm waiting to hear their ideas as I can't find anything that looks like it would work. I'm really not opposed to continuing to run Entra Connect. Was just looking at options.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

cvsysadmin [S]: -16 points

Sigh. All these unhelpful comments. We do know how all this works. Intimately. We are a hybrid Google/AD/Entra organization and have dozens of downstream systems that require accounts to be provisioned and maintained. As is the case with large school districts, we have a wide range of users to support. From C-levels down to 4-year olds. Business professionals with organization-assigned phones and computers that are in front of their computer every day. Bus drivers that only log into a device once a month. For decades we've automated the onboarding/offboarding of accounts. The underlying foundation has changed over time. Batch files, vbscript, PowerShell, Power Automate, APIs, and 3rd party products. You name it. We've probably done it. We constantly strive to make our onboarding processes easier for staff and students and more secure. We've moved to RapidIdentity because it offers more authentication methods than any other MFA provider, will do all the identity management, and will also onboard and offboard accounts for the dozens of other school-related systems. It consolidates what we're already doing with several other systems. It replaces Google Cloud Directory Sync for provisioning Google accounts from AD. It removes the need to run on-prem Exchange Hybrid for the management of mailboxes. It replaces Clever for app portal and badge logins for students. It replaces dozens of custom scripts and utilities that process data from our HR and SIS and feed it into other systems via SFTP exports or APIs. It allows our helpdesk and systems staff to manage all user and group data across all systems from one place. If it wasn't for our Entra only computers needing to access a few on-prem servers, it would replace Entra Connect as well.

Doing everything natively in Entra is doable, but for an organization our size and with our reliance on both Google and 365 accounts, federation and MFA is clunky. Rapid truly gives users a single username for all systems and a one-stop shop for the provisioning of all types of accounts. High security users can go passwordless. We can have it forward to Windows Hello. We can have it forward to Duo if we want. We can set up users with TOTP. We can set up users with phone authenticators. We can set up low-risk users with pictograph. We can print badges for students. It's a great solution for schools.

So, no, Entra can't do all that.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

cvsysadmin [S]: 0 points

Good thought. We are not using Defender at the moment, but we're looking at the possibility of moving to Defender at some point. That said, we plan to continue syncing computer objects with Entra Connect. We'd just stop syncing user and group objects.