Business Tech Playbook

#27 – What is Active Directory?

5 months ago
Transcript
Robbz

This is the Business Tech Playbook, your...

BJ

...source for IT help for your business.

Robbz

Welcome to the Business Tech Playbook. I'm your host, Rob Zolsen.

BJ

And I'm William Pote, Etop technology.

Robbz

See, I can be professional too. BJ, in your face. All right, just because you have a nice doesn't mean I can't be nice too. Just kidding. Welcome to the.

BJ

You're assuming I have jeans on.

Robbz

Guys, if you haven't heard this podcast before, this is the podcast where we try to take IT concepts and put them in normal layman's terms, get rid of the alphabet soup, and teach generally a C-level person, a business executive, how to demystify IT terminology and generally the IT that your business runs on. So today we'd like to go over a little bit of what we call Active Directory, what it is, and why you need it.

BJ

This, listen carefully, because this is the topic that you didn't know you needed to pay attention to. It sounds very special. Active Directory. Is that better than a passive directory?

Robbz

I actually did a search and someone in a forum says, can I get a passive aggressive directory, please?

BJ

It's Microsoft. Of course, that just comes by default. It starts with a passive aggressive, and.

Robbz

So the wordplay begins. Well, first and foremost, let's, let's explain what Active Directory is. BJ, I'll have you take the floor.

BJ

Sure. So there's this concept that Microsoft released probably mid-nineties, and effectively it's a server that holds, like, the users of every single that are allowed to interact with and work inside your organization. It started out as a relatively simple thing and has gotten more complex, and it's been replaced by some other tools, at least partially. We still, in probably about half of our environments, have Active Directory. Domain controller servers is what they're called, but effectively it's a container that holds, like, your user identities. So if you've ever gotten a username, that's where we're going to go. My name is William Pote. So, like, for a lot of our clients, their username would be Wpote. And so Active Directory is where administrators like us can manage people's usernames, people's passwords, emails, what kind of policies they're allowed to have. Like, do they get access to these folders? So it's really the source of truth on anything when it comes to identity management.

Robbz

So to go backwards a little bit, if you buy a computer from a normal retail store and you bring it home, you're working in it, it's just that computer solo, and that's what we call it being in a workgroup. That computer isn't tied to anything. When you set it up, you give yourself its own local username, whatever you call it. Maybe you just call it HP, or you don't even care about a username because you don't want to look at it. So you type something in and it asks for a password, and then all you use is that password. And you may only have one login on that computer ever that is only on that machine. Now, let's pretend that we did that in a business where we had 50 computers. Someone messages in saying, I want to change my password. Well, if they don't know how, or don't have the permissions to do so, that person has to physically either remote into that computer or go to that computer somehow to change the password on that machine and manage that local instance on that one computer. It becomes a management nightmare if you have each computer acting as its own island.

BJ

So if you use this, you hire this guy William, and he gets a computer set up for him, and then he changes the password on you and doesn't tell you what the password is, which he shouldn't, let's be honest. But realistically, if I leave now, you're having to figure out a way to hard reset that password that I set that you didn't know about because there's no central way to manage it.

Robbz

He's locked you out of your information.

BJ

It's kind of like when people sign up for personal accounts. And this is just kind of a continued case and an area that we see regularly. So a lot of clients have Apple phones and devices, and so people sign up for an iCloud account under either their personal email or the company email. It's a little easier to break in if you have the company email. But if they sign up with their williammail.com, which isn't an actual email address, well, it probably is, but it's not mine. So feel free to send as much email there as you wish.

Robbz

Poor William.

BJ

Sorry. Poor William. But what we see a lot is then that phone is bricked, which is a non-technical term for unable to be used any longer, simply because it's. It's attached to an email that you no longer have access to. Apple recently.

Robbz

Oh, sorry, go ahead. I was gonna say Apple thinks that that account you set it up in is the owner of that, when actually the company is the one who bought it, owns it, and supposed to manage it.

BJ

And that is a big part of why central met centralized management and having the right tools is super important for companies. It feels like a waste of money sometimes, it maybe feels like a bit of a management and potential administrative nightmare, but the reality is, some of the things that we can do to maximize our clients' lives are really tied to having some kind of identity management tool. So for our premise-based clients, which means people that have servers inside the building, clients that have domain controllers, that becomes our source of truth for all identity. So that flows into Microsoft, that flows into, do we deploy, like, most people have network drives or shared drives? Like, people have the S drive or the L drive. It's just a folder on a server somewhere that has been shared to all of these computers. But if we don't have a policy, like group policy, on that Active Directory server, we're not able to deploy those things automatically. And so now we have to either log into every single machine or it's going to. My favorite is it, it breaks. And if there's a policy attached, it fixes it automatically. But if there's no policy, then it's just broken until somebody has a chance to fix it. So this works for printers, this works for files and folders, this works for, like, what are people allowed to do to their machines? Can people install their own software? It really just, there's a lot of control that you lose by not having that Active Directory or identity management.

Robbz

So it's centralized management for logins. So if you have a computer that someone needs to log into, you're not just going to say, hey, here's the password for computer twelve, you're going to say, here's your password for the Wpote login. And suddenly your profile is built with the stuff that you're supposed to have, initially at least access to the computer without being able to see the other people's content.

BJ

Exactly.

Robbz

Then the magic of Active Directory, you said, with group policy. Group policy can do a lot of different things. You mentioned the mapped drives, that's certainly one of them. But a lot of other convenient settings that you can do is, if you're in a company and someone, you know, typed in their own profile, you can add things like printer setup and have shared printers in a network. I can't tell you how much time that I've spent on certain businesses that haven't shared out or had an Active Directory built, set up, and maintained correctly, where I had to install the printer for each profile, for each person that logged in. Like, they'll have a shared computer, they'll have eight different logins, that means I have to install that printer eight different times in a lot of scenarios. Active Directory can make it so that when they log in, it already knows that this person gets these printers delegated out, and automatically shares those printers out to them without having to worry or maintain that. So there's a lot of background steps it takes care of. And of course, you said security. We talked about in another podcast how important it is to onboard and offboard clients when, let's say, we have to fire William Pote because he's been naughty. What, you know, is he going out.

BJ

To dinner without asking people, okay, all.

Robbz

We got to do is contact our IT guy, and he has the tools to press a button and lock down that computer. Now that computer, they no longer have access. They can't steal the company information. They can't maliciously delete company files that are being protected. It's full control. There's so many. Those are just the basic things that we're covering with Active Directory and why you should be doing it. But they're definitely what we call the lowest hanging fruit that Active Directory offers.

BJ

And then people might ask, what's next? I'm so glad you asked. So for our customers that are very cloud oriented, so those that have a lot of software as a service, SaaS applications, they don't need. They don't have these fat applications that we've talked about, like QuickBooks or Sage or some kind of ERP software.

Robbz

Now, he's not talking about calories when we talk about a fat application, like, a large installed program. Like, QuickBooks is not an easy thing just to install on the spot.

BJ

You know, we're looking at you, Trumpf. Um, there's, this is the piece of software we've been fighting internally for.

Robbz

Like, not the politician.

BJ

No, it's, it's, it's literally T-R-U-M-P-F. Trumpf. When the support goes, yeah, every single install has its own unique problems. I'm just like, then fix the installer. Like, but that's kind of beside the point.

Robbz

I get it out, brother. Get it out. Therapy.

BJ

I don't know if we have a long enough podcast to deal with the amount of anxiety and stress I've got over that, that application, but kind of what's next. So, for our. More for our cloud oriented clients, we've been moving them into something called Microsoft Entra. It's a really funny name. It used to be Azure Active Directory, but they're really trying to get people away from the thought of calling it Active Directory because it's so much. It's so different in some ways than the traditional Active Directory. And so since it's their new cloud only approach, you can, with a caveat, sync it to your local servers, which we do for all of our clients, which keeps passwords in sync, keeps single sign on working. It makes the experience just a lot smoother.

Robbz

But for, if I may pause you here, actually we missed a step. So we talked about what Active Directory does and what we do without Active Directory, not how Active Directory is set up. So Active Directory is essentially the phone book, the controller that we have to set up on an actual server, generally physically on site. This requires a Windows server somewhere connected to the network. It used to be where we had to keep it on site. Now we can actually spin up a server in a different location and network it properly off site. These require licensing, and we can give average costs. If you want to know more, you can reach out to us at podcasttoptechnology.com if you're not on any type of Active Directory and you want to know what this is, what this would cost to upgrade to, because again, it's kind of a moving target. And we're going to talk about the Entra versions that make this easier. But again, this is set up on a server and it would be something that would have to be maintained. If the Active Directory gets shut off, you have a timeframe that you've got to get it back on so people can recommunicate to Active Directory to be able to log in, or they'll get locked out. It's clunky, not that great. So that's how we used to do things. And now this Entra. Go ahead. Now that we've given him a little perspective of where we were.

BJ

Oh, for sure. Lost all train of thought there. I apologize.

Robbz

You are, you were just so excited. That's all, it's gotta give us. I gotta give him the story before.

BJ

And then I'm remembering that I really should let you, you know, you let you be the interviewer and ask me questions rather than just droning on for an hour because everybody loves talking about identity management for, for, you know, an hour.

Robbz

I don't want to kill the hype though.

BJ

Yeah, right. So ultimately, like, Entra, Microsoft's literal joke and statement around the marketing is it rhymes with magenta. And I'm like, you made up a word for it to rhyme with. Like, there is no such thing as Magentra. There's magenta. But like, there's a lot of sarcastic IT folks that make a lot of fun of Microsoft and their naming conventions. Like, there's, I feel like there's an entire department that only gets paid if they rename things to a more confusing thing and then make up words that it can rhyme with.

Robbz

It's okay, we're getting Entra tattoos later.

BJ

Yeah, I'm totally, I'm getting Entra.

Robbz

Um, don't tell your wife. Yeah, she doesn't listen to this podcast. We're good.

BJ

Yeah, right. She doesn't listen to this podcast. It's okay. So, so Entra ultimately is the new cloud oriented version of what Microsoft is doing here. There are some other. And let me back up just a step. So one thing I've said a couple of times is identity management, right? So that's what Active Directory is. That's what Entra is. There's others like JumpCloud, Okta. There's probably six or eight, I'll say, reasonable ones out there. Like, Google actually has something similar inside their Google's, you know, MDM, Google suite type of stuff. Rob is looking very proud here, but.

Robbz

We'll talk about that at the end. Don't worry.

BJ

Let's be perfectly honest, we're never going to do that. Because at the end of the day, what makes these identity managers useful is they can be used for a lot of different things. They allow you to start tying lots of different tools together. And I think this is even more important for companies with a lot of these SaaS, or software as a service, web applications. Most of these applications have the ability to do SSO. What is SSO? It's single sign on. And what that means is basically, in the back end, you can connect some, you know, tie some connectors together. It's not always simple, it's not always straightforward, but you can tie connectors together. So that way, whenever somebody from your company, we'll call him William again, goes to log into your Monday.com app, that person is using their William top technology.com. That allows them to have the same passwords, the same usernames, and it's all tied behind, like, multi-factor. So you can enforce all these different things for all of these different cloud apps because you're managing their identity well. So Entra is really the next iteration of this, and Microsoft's version of this identity and access management tooling. I know it's not super exciting, and you might ask, why does this matter to me?

Robbz

Oh, let me answer that one. Just high level, please. You try to explain single sign on. So let's pretend that you're in a business and you're used to having a password for everything. So you have, let's say, eight applications that you use daily. You would have a password for QuickBooks, you would have a password for your computer, you would have a password to get into your email, you would have a password to get into your time clock app, you would have a password to get. And you just keep going through each application. And that gives you literally what we call the book of passwords, where you begin to have password soup. And you probably just have either the same password you've typed in with all the different platforms, with maybe just a couple different number iterations at the end, or some other form of bad password management. So we don't like that. As IT people, we want to make it convenient for you while still making it secure. So what if we had all of it tie in with this cool Entra tool, where every time you log in it says, hey, Entra, is that a cool login? Is that the actual password that we're sharing? And your time clock app, supposedly QuickBooks in the future, your computer, all of these applications would go as a single sign on and just look at Entra as the one source of truth for your login. Keeping this not only more secure for us, but easier on the end user, because they only have maybe two passwords, but most of the time it's just that one they're using from Entra.

BJ

And when you terminate them, when you send the termination form to us and we disable them and sign out all sessions, the best part is there's not even a pass. The single sign on doesn't even pass passwords. It's literally passing a token that says this person is authenticated. So you log into your computer in the morning, you log into your 365, or it's probably already authenticated to that computer. So it's storing that authentication token on your trusted platform module. So it's called a TPM chip. And that, that trust knows that that computer is tied to you and your identity. And so it holds that little piece of authentication knowing, okay, now, whenever that person tries to go to Monday.com, in our case, maybe ConnectWise for all of our different tools, they don't even.

Robbz

Have to sign in. It just signs in.

BJ

It just logs them in all the time.

Robbz

Because you already signed into your computer, and that was enough to authenticate all the rest of the apps. Productivity.

BJ

Waving my hands wildly here so it looks like I'm doing something, but you can't hear that. No, you're absolutely right. Like just I'm gesturing wildly. You're right, exactly.

Robbz

So we have this cool Entra tool that allows single sign on, but again, it takes the abilities of Active Directory and puts it in the cloud, where we don't have to pay for that server any longer, we don't have to maintain that server, we don't have to make sure that it's online or do scheduled maintenance or reboots. It's just simply part of our Office 365 subscription, or excuse me, now it's Microsoft 365 subscription, and thank you, branding. And now we can have the device management, your app identity management, all in one centralized location, where it all should have been in the first place.

BJ

Right? Well, and that's, and that's it, like, the goal is to make things simpler, right? And so, so a lot of how you make things simpler for users is by complexity on the backend. So there's a lot of things that get tied together. A lot of these things go a lot easier if we know about it ahead of time. My personal favorite is we have a client that has the enterprise version of Asana, but they went ahead and signed up for it, gave everyone accounts, and then told us about it like four months later. And at that point it's kind of too late. But if we'd been involved in the very beginning, we probably could have spent 2 hours working with them and set it up so that anytime somebody gets added to the Asana group, they get added to Asana, and now they get, you know, you can probably set up permissions inside of there so you have Asana managers and Asana users. There's a lot of things that you can tie into this identity and access management that makes you a lot more secure. But typically we have to know these things ahead of time.

Robbz

So back in, let's rewind the clock here. I think I was 24, 2013, I worked for an ISP, and they have all different types of platforms, because Internet service providers, they like to buy other Internet service providers. That is generally the business model: you just keep buying all these mom and pop shops that started in 1950 as telephone companies, and you keep growing the company because you buy more and more territory. So they have all of these different companies trying to integrate into each other, and there was a team at this particular ISP and they wanted to begin playing the single sign on game. So we found that when we went and reached out to all these platforms, you use Asana as a perfect example. They had all of these different platforms that each type of team used, that they all paid different licensing for, and when we started integrating them with single sign on, we found out that, hey, some of them integrated with different teams immediately, and they could drop licensing platforms because they already paid for the tool over here. That was one. And the amount of time that they used signing in and trying to move data between each other was enough to actually pay for any of the development time costs or anything else, even right up front, for the first few weeks of putting any of these applications into single sign on. So you say it was 2 hours to connect to Asana. It really isn't even that bad if you catch it up front. After the fact, it can be very messy. So if you have a tool that you want to implement, what was a home run is to talk to your IT person first before implementing the tool and seeing if they can make it easier.

BJ

For your team to log in and recognize. When they say no, sometimes that is the right answer, or help them walk through understanding the business case of it. So one of the biggest challenges IT folks have is we're reasonably good at technology, hopefully. I mean, like, that's why you're in technology, right?

Robbz

It sure, sure should be.

BJ

Yeah, we're oftentimes not super great with people. And then even more often than that, most of the time we don't really understand the business use case for it. Like, what's it actually doing to help the company? We get told, hey, here's a shiny thing, go do the shiny thing. And it's like, and we just wander off and go do it. Versus, like, thinking through the why a little bit more. And so, like, the why behind this identity access management is it allows a centralized source of truth for who somebody is. Honestly, it's even going to be even cooler. So there's something, this is a total tangent and I apologize, but it's all loosely related. So something Microsoft is working on is this, it's called a managed ID. And so basically what happens is, let's say we have a client, let's say we hired somebody and we have this set up. What happens is we text them a link from Microsoft. Microsoft says go ahead and install your authenticator app. It downloads it and it says scan your ID. They take a picture of their ID. It then gets verified with the local state verification authority for their driver's license or ID or whatever. And then it sets up all of their accounts without ever having to send them a password. Like, literally they can go straight into whatever computer they have with number matching.

Robbz

I can just see it now. I got robbed on the highway. My state-issued ID is gone. I can't get into my accounts. There's ways around it. But, you know, you better have your ID, right?

BJ

Again, I'm not saying it's without some potential challenges, and I think that's the biggest reason it hasn't taken off fully yet, is they're still trying to figure out all of the challenges. But, like, think about that from a place where you're onboarding a ton of people. You now can just have Microsoft text a, download this app, scan your ID, and then it finishes setting up the account for them right there. Then you ship them a computer. They log in with, they type in William top technology.com, and their phone goes, boop. Enter the number. So their computer displays 65. They type it on their phone, and it lets them in for the first time. And they literally never even had a password. Like, we're slowly but surely moving our cloud only clients to fully passwordless. Like, at some point, like, I don't think I've logged into my computer with a password since I set it up the first time.

Robbz

Wow. And so you got the, you know, PIN number, you have Face ID, you got fingerprint. I mean, you got an RFID tap card. There's so many different ways. There's the YubiKeys, where you can plug in a USB stick to your computer. There's so many different ways to do it. And having all that, having keys behind it. So one source of truth, you can press a button and then lock them out of all of the eight accounts, or 37 accounts you have, is golden to have the keys of the kingdom for each one of your users.

BJ

The owner of one of my clients called and was like, the general manager just quit. I need you to lock her out of her accounts now. And so since they're a fully cloud account, I went in, went invalidate sessions, forward email, block. This was done in, like, under three minutes. And that person went from having full access to everything to zero access to anything. Like, this is why we do that. You manage that identity and you make sure that it all works together, and it really saves you just oodles of time and a lot of headaches down the road, for sure.

Robbz

Now, while we're listening, I know we're going to have follow-up questions on this, but the other conveniences of just having Active Directory or Entra, from a C-level standpoint, what would it do for an end user besides, say, we've spoken to them about configuring a printer, mapping a network drive? What's a couple other easy ones that we could describe to them besides just access management?

BJ

So one of the core things we use Intune for is policy deployment. So mapping things down to your machine, similar to the mapped drives, which we typically don't do with Entra because there's no server to map, but they might be mapping down a SharePoint.

Robbz

You said a new word, what's Intune?

BJ

Good point. Thank you.

Robbz

Now you done did it.

BJ

I did it. The easier name for it is Microsoft Endpoint Management. Basically, we've known it as Intune. It's still labeled Intune in a lot of places. It doesn't really mean anything other than it's kind of like the, the policy application side of the identity management. So on an Active Directory server, you have the Active Directory, which holds all of your users and folders and, like, security groups. And then you have group policy, which, that group policy tool on the server deployed out mapped drives, software settings, bookmarks, like, all of that stuff. On Microsoft.

Robbz

365, there's a great one. Software, bookmarks can all be handled through this. And then again, the names. So we have GPO, you'll hear, a part of the alphabet soup. So the group policy, what it can actually deploy to the computer, and Active Directory, the management of the actual users and credentials. So now that, now that we're moving over, Entra is the replacement for Active Directory, Intune, essentially, high level, the replacement for group policy.

BJ

Correct. Typically the way we use. So one of the challenges we face with Intune is it operates very heavily in what we call jokingly, and actually ask any IT person, the Microsoft minute.

Robbz

That's, that is, that should be a tag term by now. It really should.

BJ

It's, it's on our university site, Robbie. Like, if you ever need to explain why it's taking so long, just send them a link to our Microsoft minute guide.

Robbz

May I please?

BJ

Jamie already used it with somebody.

Robbz

I'll have one of my users, they'll message into us, because again, we're IT support for other companies. They'll say, hey, I want you to give so and so access, calendar access, to be able to edit so and so's calendar. So I'll log in, I'll say, hey Microsoft, please give that, make this happen. And I'll use tools to make this happen and then hit deploy. Right. That setting saved. It's supposed to be live, but I still have to tell the customer, please allow up to 60 minutes for this to take full effect. Now, the Microsoft minute is this mysterious timeframe between when I said please make it happen and when the customer sees that it happened. It could be five minutes, it could be 55 minutes, we don't know. But generally, if it lasts longer than 60 minutes, something broke and it didn't happen.

BJ

Well, I mean, I've had settings, so you have to remember, like, all of these settings are replicating through all of Microsoft's data centers everywhere in the world. So when you consider that, it takes anywhere from, like, instantly to a day. So for example, one of the things we've used Intune, the group, like, the policy management side of 365, it can take, like, up to a day to deploy out, like, OneDrive links or SharePoint sites to people's computers, and that's basically the equivalent of a mapped drive, which locally is completely instant. So we've started using Intune as the connector. So, like, the people log in with their Entra credentials, that forces Autopilot, which is another Microsoft term, but basically it takes that machine through what they call the out of box experience. So if you've ever set up a new computer, you go next, next, next, account, join it to the Wi-Fi, that kind of thing.

Robbz

It's that lovely little wizard at the front, when you first open a computer for.

BJ

The first time, Autopilot basically intercepts it and then joins it to the company's Entra account, and then it lets Intune come in and finish the policies. What we do, and you can do a lot more with Intune than we individually do, but we found a better and faster way to make it work. So we use a tool called ImiBot. IT folks like having weird named tools, we know, we're sorry, it's because we spell everything wrong, leet hacks or kind of thing, but basically we use Intune to deploy ImiBot, and that typically happens in ten minutes or less. And then we let ImiBot do the rest of the deployment for, like, all of their software applications, because the logging inside of ImiBot and the speed of deployment is at such a pace that it's, you know, a computer could be completely set up in 20-30 minutes.

Robbz

There's no longer that Microsoft minutes, plural, that we have to deal with and wait a day for most stuff to show up.

BJ

It's basically instant application of policy. And so we even have to work around Microsoft's tools and find out, like, what's the best combination of making this work, so, but still use it for the areas that make the most sense.

Robbz

To answer the question again of what Active Directory slash Entra or other tools like Intune can do for you. More of the not automated setup, but at least company used assets and policies. So if there's an application that you want, it can certainly check and auto deploy that. There's certain settings, bookmarks that you have to have. Like, for instance, everybody needs access to this particular site, Monday.com, you can make sure that it's on everybody's browsers and deploy certain login credentials to each browser. There's a lot of controls that we can have and preset up, and it just gives that granular control that if something's going to be somewhat of a repeatable process to everybody's profile, you can deploy it from there.

BJ

Exactly. And so this is really just all of these different tools. They sound complicated, people, and oftentimes in the backside, they can be somewhat complicated. But they ultimately, the goal of all of these tools is to bring IT a lot of, ideally, simplification, because then we can start making things the exact same for everyone. We can. Like, there's so much we can do around just tying everything together. Like, that's. That's what makes it magical, is by having. Being involved in the entire process, having enough time and energy to tie things together, and it helps prevent the need to fight fires, having these tools set up this way. You know what makes it magical, Robbie?

Robbz

I'm listening.

BJ

You're listening? Okay.

Robbz

All right. I'm excited now. So you don't use the word magical? I don't.

BJ

I know. It's.

Robbz

I'm right here, baby.

BJ

It's magical fairy dust. So what makes it kind of magical is that now we stop having to worry about endpoints. Like, the computer doesn't matter anymore. If somebody's having a problem with their computer, you hand them a new one, they log in, and all their stuff is there. If they're having a problem with it, we just factory reset it at 5:00 when they're done, and they come back the next morning and it's all done, or they log in and about 20 minutes later it's all finished. Obviously, this is a little bit dependent on how many applications they have, that kind of thing. But it starts making the laptop, the computer, whatever that people are working from, relatively irrelevant. Like, you need to make sure it stays up to date, you need to make sure you have enough power. But it makes the change process so much less painful, because everything is, you know, high 90%, the exact same as when they left it. One of the best use cases we had was somebody's laptop literally got run over. They didn't tell us this for, like, two days, but we saw this old asset come back online and start working. We're like, that's weird. And they were like, oh, yeah, this laptop got run over. We need to replace it. Can you send us a quote? I'm like, what are you working on? I pulled an old computer out of the back and logged into it, and everything's there. And we're just like, this is amazing. Like, we didn't even know that this was working, and it was working. Talk about making life easier for them. Like, she was able to pick up and keep working without having to even reach out to IT. And can you do that without IT? Probably not. But, like, it was. It felt user. It felt magical to the user that it just all worked. It felt pretty magical to us. And this is what we do.

Robbz

We had one of our customers that we onboarded, and I'll never forget they described it once the light bulb went off and they had that opportunity where they could just try another computer, and suddenly they logged in a little after the stuff deployed. It just looked like the other machine. They literally told me, like, so let me get this straight. Are you telling me I can be ambidextrous between computers? And I'm like, it took me a minute to figure that out. I'm like, ambidextrous? Mean, I can use my left or my right hand? I'm like, I guess that's a, that's a decent description for it, but, yeah, you can log into any company computer and your stuff will be there. And they just. Their mind exploded. They were just that. This is the best day ever.

BJ

Yeah. And that's one of the challenges we've had with Active Directory, is there's not really a good way to do that, because if it. If you did, you were doing something called redirected profiles, which was an abysmal failure in most cases. It worked okay if you had a fast enough server and you had fast enough local machines, and it was all on a local network, but it fell apart the second you started putting people on laptops and people took them home. With this, with, with the Entra, Intune, like OneDrive, like sync setup that we have going. Like, it doesn't matter. Like, take the laptop with you, switch laptops, log you into a Windows 365 virtual computer. Like, it doesn't matter. You log into the same credentials anywhere, and it's going to look almost exactly the same after about 30 minutes.

Robbz

Now we got to talk about what this is, why you should be using it, and then gave you a little touch of what we do without it, essentially, like your computer you use at home. Now, we didn't talk about a couple things that you shouldn't be using it for, and you shouldn't be using Active Directory for shared accounts. I continually see people put up just, they put just, you know, generic users, like they put front desk and then they have three people share the same login. That kind of defeats the purpose of the controls that you're paying for. If you want to lock it out, you're suddenly locking out a group of users under a group of computers all using the same login. If you need to audit something to see who did something, not to say like who did something wrong, but just to find out where something went, and you're trying to look up like an audit log, and you see that front desk did it. Oh, that could be Kathy, Karen, John, or Jim. I don't, again, you're not using your tools. And I've had a continual error issue where one person changes a password, it changes it for everybody and they can no longer use it. The most important step is multi-factor authentication. If someone has that, you know, app on their phone or the key or the methods that we talked about, and someone needs to log in and it prompts the one phone that has it, they have to suddenly message and ask, hey, can you tell me what code popped up on the phone so I could log in? These accounts are intended for one user and one user purpose and never to share those multi-factor authentication accounts. So when you try to do this as a shared account, the whole process fails and you're bypassing the entire reason why you're using this identity.

BJ

Well, and so there are shared things that you should have, like a shared mailbox, like accounting. It's one thing to have a front desk at the company, but it's a completely different story to have people actually using that to log into the computer. I do highly recommend against shared accounts simply because it now, if you get a virus or something happens, you can't track where it came from. It's just front desk. Well, great. Was it William? Was it Robbie? Was it Brandon? Was it, you know, Bob, Jane Taylor? It doesn't matter. It just came from that generic front desk. And it could have been, you know, you wrote the. It could have been something if you wrote a password on it. It could be your ups guy or girl. It's just, you know, things like that.

Robbz

So if you have a business case where you say, hey, I don't, it doesn't make sense to have this person fully logged in. All I need them to access is one app and to do one thing ever, that's all this person does. Then number one, they still, in my opinion, should have a login. So really have the business case about still having a login, but still talk to your IT professional about the business case of a kiosk mode. If that's how it's going to work, there's no reason you need to give a full identity to a computer when instead you can change that computer into all it does is give that one thing out appropriately and nothing else.

BJ

Well, and actually that's a great point. Like we use kiosk mode for like frontline users. So like, let's say they need to be a cashier or something at a. One of our clients is a motorcycle dealer. So let's say one of their front desk people, they need to be able to run like three applications, their dealer management system, their credit card application and the browser so they can get access to their email. Like they're not using office, they're not using any of these tools. Like, honestly, it's a really good use case for a kiosk mode where we literally just say these three applications launch every single time. And then every time that computer logs out or restarts, it basically clears all the cookies and cache, as it were. If a, you know, Bob goes and uses that computer logs in, does their checks, their email and stuff, like a lot of the identity management is happening.

Robbz

On the, the email login page.

BJ

At the email login page. Exactly. And so the computer doesn't matter, but then they also can't do anything to the computer. So, you know, they're not going to go place all of their on it because they can't.

Robbz

Yeah, it's not that we as IT people want to stop you from doing what you're doing, it's that we have tools to do it in the correct manner, to do it in the secure manner that it was intended to be done. So if you want to tell us a business case and more like, hey, we have this easier solution that'll work a lot better. Talk to them about kiosk mode if they didn't have the light bulb go off already in that conversation.

BJ

Exactly. But with all that being said, any other things you can think of that we should cover there? Robbie?

Robbz

Trying to think of any other bad practices? Oh, if you haven't done Active Directory or Entra or any type of directory for your employees, pretend that you're going to grow. If you're listening to this and you're a small business, a lot of times we see this commonly where they just say everybody puts everybody in the system as a first name. You're going to grow if you're doing this right. It's just a matter of when. So put first initial, last name and really plan to have a database that's gonna have three Johns at your company. As an IT guy, please don't do this to us, that you have John one, two and three, and we have to figure out which one was which.

BJ

Oh, leave the four Johns and three Peters and four Mikes at the towel company alone, man.

Robbz

Oh, yeah, yeah, it works.

BJ

As long as there's Jo Hn. Jo and I don't care.

Robbz

Every company, you know.

BJ

Right.

Robbz

I've seen a company with twelve total people and they still had like three people with the same name. So I'm like, you know, plan around it. Okay. My mother is named Rhonda. I don't consider that that super common of a first name, but she still matched, has the first and matching last name. So they had to put a middle initial and all kinds of craziness. But, you know, still plan around that, that you're, even though it's, you know, maybe five people in an office, plan that you're going to grow and make sure to build your usernames appropriately at the first step. So I think those are like the three low-hanging fruit off the top of my head I can think of for those dabbling in Active Directory or Entra.

BJ

Exactly. Well, been a good conversation. Next time you come to town. We were talking about Peru before we got on. If anyone comes to Redlands and wants to go get Peruvian food, let me know. I'd be happy to go and grab some lunch.

Robbz

Now, what is like a Peruvian staple? Specifically? Before we go, I'm kind of. I need to know, man.

BJ

Corn is one of them. Trying to remember. It's been a while since I've been there. Makes me want to go get some. Now, this place is called Red Panca here in Redlands.

Robbz

Shout out.

BJ

Shout out. Right, exactly.

Robbz

He's been hangry this entire podcast.

BJ

Yeah, I actually ate before I got here. Oh, so they have a lot of, it is very kind of Latin American flavor anyway. Like saltado, chicharron, quinoa. I mean, quinoa is more.

Robbz

I recognize one word out of all of that.

BJ

Exactly.

Robbz

I'm excited.

BJ

Right? It's so good. Uh, we'll bring you a gallon of milk and some mayonnaise, Robbie, so that way you don't die.

Robbz

The mayonnaise is just for the skin, so don't suntan.

BJ

Oh, right. Wow. They had these red panka fries. I'm trying to remember what they were. All I know is that they were good. There we go. I'm gonna find their website. Sorry, I'm running really slow right now.

Robbz

No worries.

BJ

Needless to say, it's good if you come to town, hit me up and we'll go get Peruvian food.

Robbz

Peruvian food indeed. Well, if you have more questions again, podcasttoptechnology.com, if you got more questions for us, we'd happily chit chat with you and we'll see you in the next podcast, guys.

BJ

Sounds good. Look forward to it. Talk to you soon.

Episode Notes

For more episodes go to http://businesstechplaybook.com

Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233

This podcast is provided by the team at Etop Technology: https://etoptechnology.com/

Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial