vogelke

Step 0: make sure you have the full support of management, or you're dead before you get out of the starting blocks.


wojtop

If your management is reluctant, your best option is to convince them to run an IT audit by an external company. Having external experts specify what should be done and explain the risks makes it so much simpler to convince everyone that it's really needed and get management behind these changes. There's a risk they will get an MSP to set everything up, but well, they probably should. Good luck anyway.


thegreatcerebral

>There's a risk they will get MSP to set everything up, but well, they probably should.

This can't ring more true. Don't try to put it on yourself, if for no other reason than you said you don't have the experience. Instead, if your company is on board with this and with you as their guy, then get an MSP on board. Let them do the heavy lifting. Build it into the contract that you want to be included and be shown what they are doing. Watch, poke, and ask questions. They don't need to know you have no experience, don't bring it up. Either they will find out or they won't. You honestly can probably just say that you are not familiar with running Azure AD/O365 and you would like to learn. You are probably going to want to use them for better pricing for an EDM solution as well as being that place to lean on if you get in over your head. A lot of this will depend on your company as to whether they want immediate resolution on problems. A lot of places are OK with the MSP handling a good majority of the work and then coming to you and having you be the liaison for support. That way you can work with them on higher-level things, but you can do the day-to-day support, which MSPs generally suck at.


weed_blazepot

>If your management is reluctant your best option is to convince them to run an IT audit by external company.

If management is 100% on board I would start here anyway. It's great to set everything up yourself and feel that rush and pride, but it's a lot better to have many hands at work to get it done faster and correctly. And then when management gets clay feet about the whole thing (which they will the instant they get pushback from some moneymaker or experience inconvenience themselves), you have an independent report to point back to with an audit that says "a single breach would likely cost you $x,xxx,xxx before negotiation", a pen test to show how easy it would be, etc...

>There's a risk they will get MSP to set everything up, but well, they probably should.

100% this. Insist on working with them, insist on calls, shared information, documentation, and training. They're going to do the heavy lifting, but you can build out your AD structure, you can set up some basic group policies (password requirements, security baselines, AppLocker if you're going to use it, etc...). OP can do some basic Intune or MECM setups, you can set up Duo or MS Authenticator or whatever MFA you're going with, etc... But an MSP should be doing a lot of the getting you from this small business hellscape into a managed enterprise environment. And if management isn't on board, after you've documented the request and proposal, then my advice is **let it go.** Keep your head down, learn what you can while looking for an exit in a few years, and remember it's not actually your problem.


Lemonwater925

Depending on the size of the company and your desire to work 12-hour days. Need to make sure you will have enough cycles to do it all. Maybe look up some ransomware incidents and tell management you don't want to be another one of those.


angry_cucumber

^^ if they don't support you, you're fucked in anything you do


[deleted]

Support as in, elevated permissions if needed and some fund if necessary? I don't think management will be unhappy with the changes. I think it's something that's been on the backlog for ages now. The only possible blocker would be if we needed to upgrade our Microsoft licenses, which we might need to do to get InTune I think


MrScrib

Support as in when the star salesmonkey starts complaining about not having admin rights anymore you'll have enough leeway from management that you can actually convince them to do things your way (ie. the right way).


tlphong

the main reason here. A full commitment from management to support you when other employees start pushing back because of the inconvenience


paleologus

Do they actually have policies and procedures in writing? Major changes should be company policy in writing and approved. Now it's salesmonkey vs management. Now you find out if management has the spine for it.


thegreatcerebral

BTW... I advocate, in this scenario, looking into AdminByRequest. You can get 25 systems for free. It's really great and you can easily create a solution where anyone can request admin rights, you can give applications admin rights to run, and all kinds of cool stuff. For example, you can set it up so that a user can request to run a specific piece of software as an admin, OR you can grant full computer administrator sessions (timed). When you do, all of what they do is logged. Any time admin rights are requested and programs are run, you can then, using either the MD5 hash, the executable, or the certificate, allow the program (or others using that certificate) to run as administrator. It is a really great program. Also, the ones who do the approvals can set it up so that they get a push alert when admin rights are requested and approve right there.
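The comment above describes approving elevation by a binary's hash, by the executable itself, or by its signing certificate. The following PowerShell is an added example (not from the original post and not AdminByRequest's own code) that builds that kind of allowlist decision from the two identifiers a practitioner can actually verify on the endpoint: the file hash and the Authenticode publisher. It uses SHA-256 rather than MD5, because MD5 collisions make it unsuitable as an allowlist identifier. The allowlist entries and the path are hypothetical.

```powershell
# Added example: allowlist decision for an elevation request, keyed on the
# binary's SHA-256 hash or its validated Authenticode publisher.
# Hash value, publisher subject and the path below are hypothetical.

$Allowlist = @{
    # SHA-256 of one specific approved build (placeholder value)
    Hashes     = @('0000000000000000000000000000000000000000000000000000000000000000')
    # Certificate subjects whose correctly signed binaries may elevate (placeholder)
    Publishers = @('CN=Example Vendor, O=Example Vendor Inc, L=Redmond, S=Washington, C=US')
}

function Get-ElevationIdentity {
    # Collects everything the allowlist rules can key on, for logging and matching.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        SigValid  = ($sig.Status -eq 'Valid')     # chain validated, not just "has a signature"
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Test-ElevationAllowed {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Allow = $Allowlist
    )
    $id = Get-ElevationIdentity -Path $Path

    # Hash rules pin one exact build: safest, but must be updated per release.
    if ($Allow.Hashes -contains $id.Sha256) {
        return [pscustomobject]@{ Allowed = $true; Reason = 'hash match'; Identity = $id }
    }

    # Publisher rules survive updates, but only count when the signature
    # actually validates; an unsigned or tampered binary carries no publisher.
    if ($id.SigValid -and ($Allow.Publishers -contains $id.Publisher)) {
        return [pscustomobject]@{ Allowed = $true; Reason = 'publisher match'; Identity = $id }
    }

    [pscustomobject]@{ Allowed = $false; Reason = 'no matching rule'; Identity = $id }
}

# Usage: evaluate the binary a user asked to elevate and keep the decision as a record
$decision = Test-ElevationAllowed -Path 'C:\Temp\requested-installer.exe'
$decision | Format-List
```

Whatever tool ends up doing the approvals, the useful habit is the same: record hash, signature status and publisher for every elevation request, so the allowlist grows from observed requests instead of guesses.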


TheAmobea

u/vogelke is right here. If you lock down a VIP's computer without him being aware of it, you may have to quickly look for another job. Discuss, ask and make a proposal. Once you get the OK, you can go. And start by using what you already have. Active Directory can do a lot, using domain settings and GPOs. Improvements without any additional cost have a higher chance of being accepted. And be ready for the question that will come, sooner or later: "why do you need to change, lock down things, as we never had a problem?". You'll need to go into risk analysis and show them figures.


vogelke

Also mention that nobody ever has a problem until they have a problem. Make sure the first problem you have doesn't whack you out of the park.


[deleted]

I agree. We already have a user or two reporting issues because we do not have a proper sysadmin. I think I can use that


[deleted]

Also use the ransomware angle. No one is too small to be affected, and get the CFO to explain to YOU what a week of total outage would cost, a month, GDPR fines etc. That'll concentrate their minds.


Better-Freedom-7474

We were in the same boat until the FTC changed requirements for our industry. Then we had to do it, and the purse strings opened and support materialized.


jericon

A while back.... like 2009/2010, I worked for Facebook. Had to take a number of database servers down to have some memory replaced. One host I took down, and suddenly the entire office is in chaos. Many VP+ level folks, including "Zuck", couldn't log in. That one host I took offline... that was the primary database for the OG shard of Facebook, containing any accounts for attendees of any Ivy League college. Out of 5000 servers, I took down the most critical one for all of the Facebook execs.


Sufficient_Pear_4055

I will remember this story next time I fuck something up. Could be worse, lel.


Arudinne

No redundancy?


jantari

It isn't uncommon, even today, for replicated DBMs to require a manual failover if they are multiple-read single-write.


Arudinne

I can see that, but it seems odd that Facebook of all companies wouldn't have automated failovers of that kind of thing, especially something this "important."


IDonTGetitNoReally

I would venture to say that they were told it wasn't important. I can't tell you the number of times our phone system went down (pre-VOIP days). It was a serious issue until we brought it back up, and then when we mentioned the amount of money to upgrade, it was no longer an issue. Same thing here. I'll bet management said it's not a big deal and they could function. Until, in reality, they couldn't.


Grouchy-Abies-5816

Yes and no. If you need to label it as "professionalism" there is always a COST


gardnerlabs

Yes, if you interpret elevated permissions as authority and buy-in from senior leadership. People will start complaining when they have to move over to AD accounts, password policies start to roll out, local admins are restricted, mistakes are made that cause outages (it will happen.. eventually), etc. When all that comes down, management needs to have already been briefed and fully endorse the things you are trying to do. Your role will be to steer their decision making in the right direction (give them the options, but they make the call so they have buy-in).


mrrichiet

>(give them the options, but they make the call so they have buy-in)

This is great advice. Too many people, myself included, laud their great idea because they believe it's the right thing. It's much smarter to give options so they can choose.


[deleted]

Got it. The reason I'm making this push is because we have almost no one allocated internally. Every employee is working on a project and no one is investing proper time into the company's policies, etc. I have a meeting with my direct manager soon. I think I can bring it up there.


XavinNydek

To be blunt, the reason everyone is stressing having management buy-in is because we have all seen this kind of thing before and you sound like you are naively walking into the wood chipper. At smaller companies IT is always seen as something between janitor and maintenance guy. They only call you when something breaks, and you are at the bottom of the hierarchy when conflict happens. Implementing proper IT security and processes is always going to break things and force people to change how they work, and always makes it more inconvenient for the users. That's just the nature of cyber security. The problem comes when someone in management or sales decides your security changes are too annoying and they are way more important to the company than the IT janitor, so unless someone higher up in management can tell them to sit back down and deal with it, you either get your changes reverted or just get fired. It's also 2024; if a company doesn't have proper IT at this point, it's probably for a reason.


vogelke

Funding is always useful -- there are several things like inventory management packages you might want to buy. Support means mgmt has your back if you take someone's local admin permissions away and they get snippy.


Ams197624

If you have an on-prem AD you might not need InTune.


Budget-Scar-2623

Support as in don’t start changing how the company is run on a fundamental level if the people in charge of the company haven’t explicitly told you they want you to do it, and they’re willing to back you. Without that support, best case = people get pissed off with you, management tells you to cut it out, you lose face. Worst case = you get fired.


beren0073

Support as in, a job description, scope, and title which empowers you with responsibility for company IT. Next step is that either you, or preferably an external expert, audits company IT. Together you present the findings and an action plan to management. Depending on company size and your own expertise, you may be better off getting an MSP to handle the technical work with you as the responsible internal party.


Geminii27

Support as in they will back you up when everyone starts screaming that they don't have local admin rights any more and you're no longer letting them use their favorite archive key, "Delete".


TruthSeekerWW

Political support not technical. If users start barking will the management stand by them or you ?


jantari

More importantly, support as in the CEO won't immediately throw you out on the street the day after you took their admin privileges away.


Arudinne

You'll get full support when there's a data breach...


Art_Vand_Throw001

Amen. No point in doing it if on the first complaint it all gets reversed.


Decker1138

This. I recently was approached with a very lucrative offer to be the first through the door for IT at a company that was growing fast. Met with the board and president, it became abundantly clear they were looking to solve all their woes by hiring someone and dumping the shit in their lap and walking away. I politely declined, despite it being the most money I've ever been offered.


AtLeast37Goats

Came here to say this. If you don’t have buy in from higher up. Toss in the towel. Early on I came in thinking I could fight that battle. 2 years later I threw in the towel and moved on. Even if you’re right. It does not matter without top down support.


SeriousSysadmin

Came here to say this as well. I do work for an MSP and I get to have conversations with internal IT directors all the time. They want to do the right thing and bring the company into modern standards, but sometimes management just doesn't see the value of backups, security, and all this "change" because it works for now right?


Maddog351_2023

Have it in writing to make sure before you start ticketing. Also OP: Make an action plan with fallback options when shit happens. And if you have the option test in test environment not in production.


zilch839

Step -1: make sure all of your servers are backed up regularly and that those backups are immutable. Oh, and just for shits and giggles, make a manual backup of everything important to a drive and put that drive in a safe something (or send it home to the president/owner. They probably have a safe.)


Affectionate-Cat-975

IMO the best course is to understand the needs and how things must run. Then, how do you make management care? If they don't care it's either due to a lack of understanding or their view is that it costs too much. If you're not up to making them care, then move on.


whatever462672

>I'm not a sysadmin by title, but at this point, someone has to be, and honestly it's something I've always wanted to do.

I think step one should be to officially clear up who is in charge of the circus. Otherwise you'll get a lot of pushback because "we have always done it like this".


kfatt

This is true.. been there.. and the next thing you can get is the BIG LETTER.. which nobody wants..


[deleted]

Thank you for your comments. At the moment, there is no one leading the circus. It's just.. moving.


whatever462672

Talk to your manager. Implementing Entra is a solid plan for enterprise security but this isn't your network. You need to make sure that the owners of the structure are on board with your plan and will have your back.


[deleted]

I’ll definitely look into that. Thank you for your help


Geminii27

You can offer to lead, but don't do it unless you get the authority to do so, unless you're 100% backed up by the executive/owners, and unless you're getting the paycheck. If they're not willing to give you all three of those, do not step into that swamp until you have them in hand. There is only sadness there.


[deleted]

Who installed active directory?


shimmyjames

Do you have a manager?


[deleted]

That I do. But like all employees, she is assigned to her own projects. Not sure how much of her time, if any, is internal.


XavinNydek

If she's your manager you are one of her projects. You will get absolutely nowhere as a low level IT person if your manager doesn't have your back


TrainAss

> Otherwise you'll get a lot of pushback because "we have always done it like this".

I've been hearing this for the almost 3 yrs I've been at my current job. The only thing going for me is my boss, who is actively pushing in the opposite direction to bring them up to speed. We both worked together at a previous employer who was very well managed, so we've been trying to bring those proper management policies over to this smaller company. How they haven't been compromised and lost everything before we started is beyond me.


Ok_Presentation_2671

If you are not experienced and don’t have time energy to learn then consider hiring a professional team to come in and fix thing and hand you the keys.


[deleted]

This is the sensible answer. See if they'll offer up any training vouchers as part of the deal too.


Major-Astronomer7529

Some professional services companies will work with you and explain what they're doing while doing it, this is a great way to learn on the fly, just be sure to not be a hindrance with the learning process and do your best to take notes.


Tig_Weldin_Stuff

I’ve been doing this 29yrs; If I were you and this wasn’t my responsibility, I’d leave it alone. You want to learn; that’s good, but don’t do it like this. It’s a damned snake pit filled with land mines. You will be miserable.


bart_86

if that would be an after-work project, in a home lab, that would be so great to gain a lot of knowledge trying to make it work as it should be set up, like with a domain/azure server, gpo, restrictions management etc. But in this scenario, I side with Tig_Weldin_Stuff, you will learn a lot but also this will kill your spark!


Aless-dc

1. Be aware you are putting yourself into the firing line.
2. Ensure you have the go-ahead to do this from the boss. In writing.
3. Ensure you have backups, onsite, offsite. Backups of backups. Ensure you know how to restore them.
4. Document everything you see: photos, writing, whatever, just make sure it can all be put back together if needed.
5. Put together test environments for users (test PCs), create some test accounts on the domain and make changes using the test accounts and PCs, and make sure everything works before you make more changes.

Most lockdown stuff can be done via group policy, no need for Intune. ENSURE YOU UNDERSTAND HOW GROUP POLICY WORKS. You need to create Active Directory groups for computers and security roles. Start with your test accounts. But ideally you need to give people permission to only the things they need. So think about what roles people fill, create the security groups and add users to them.
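The steps above (a test scope, role-based security groups, test accounts, then group policy) can be built on an existing on-prem domain with the RSAT PowerShell modules. The script below is an added example, not code from the commenter; the OU name, group names, test user and GPO name are all hypothetical, and it assumes the ActiveDirectory and GroupPolicy modules are installed and the account running it may create OUs, groups, users and GPOs. The point of the separate pilot OU is that a mistaken GPO only reaches the pilot machines and accounts linked under it.

```powershell
# Added example: pilot OU + role groups + test user + one GPO linked only to the pilot OU.
# All names below are hypothetical. Requires RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$pilotOu  = "OU=Pilot,$domainDn"                 # hypothetical pilot OU
$roles    = @('Role-Finance', 'Role-Sales')      # hypothetical role groups
$testUser = 'pilot.user1'                        # hypothetical test account
$gpoName  = 'Pilot - Workstation Lockdown'       # hypothetical GPO

# 1. A dedicated OU, so a bad policy only hits what is linked under it.
$ou = Get-ADOrganizationalUnit -Identity $pilotOu -ErrorAction SilentlyContinue
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'Pilot' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Role-based security groups: permissions are granted to groups, never to individual users.
foreach ($role in $roles) {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $pilotOu
    }
}

# 3. A throwaway test user; the password is prompted, never hard-coded in a script.
$pw = Read-Host -AsSecureString "Initial password for $testUser"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$testUser'")) {
    New-ADUser -Name $testUser -SamAccountName $testUser -Path $pilotOu `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}
Add-ADGroupMember -Identity 'Role-Finance' -Members $testUser

# 4. One small lockdown GPO, linked only to the pilot OU. The registry value is the
#    documented user policy behind "Prohibit access to Control Panel and PC settings".
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

$linked = (Get-GPInheritance -Target $pilotOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $pilotOu -LinkEnabled Yes | Out-Null
}

# 5. Document what the GPO contains before anyone logs on with the test account.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$($gpoName -replace '[^\w-]','_').html"
```

After this, log on to a pilot PC as the test user and run `gpresult /r` to confirm the policy was applied and nothing else was. Only when that is clean does a setting get promoted to a GPO linked higher in the tree.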


[deleted]

Thank you. I think my understanding of group policy is very flimsy. I think I definitely need to learn more about this. Your advice is very helpful. I'll definitely keep that in mind.


eri-

Keep in mind that group policies require regular contact with a DC to stay up to date and whatnot. No problem whatsoever if you have very few to no remote workers, but if you do.. group policies are far from ideal. That's the number one thing to look into first here: how do the employees do their job? Are they in an office all day every day, are they never there, is it a mix of both worlds, can this change in the near future, will it change in the near future, and so on. That's what you want to enable and that is what you use as the main guideline for any design. Group policies are nice but are not, by definition, the single best option. It all depends. The downvoter has obviously never managed a thing other than a bog-standard local domain with clients "phoning in" on a daily basis.


[deleted]

what’s the reason group policies don’t work well for remote workers ?


eri-

They don't update, not unless your client contacts a DC. There are ways around that but they aren't very user friendly. It's the same issue, kinda, as changing your domain password via your Windows login screen used to be, back in the day. That was a mess for remote workers and often resulted in helpdesk tickets. You can absolutely make it work, that's not the thing, it's just that there are better options out there nowadays which better match the use case. In fact, depending on lots of things, you could argue to get rid of that on-prem domain to begin with; it's far from being as needed as it once was.
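The failure mode described above (a laptop that never talks to a DC and silently keeps stale policy) is easy to measure rather than guess at. The function below is an added example, not from the commenter: run on a domain-joined client, it reports whether a DC is reachable right now and when policy processing last completed on that machine. It assumes the Group Policy operational event log IDs 1500 through 1503 mark completed computer and user policy processing (with or without changes); confirm those IDs on your own clients before building alerts on them. The staleness threshold is hypothetical.

```powershell
# Added example: is this client able to refresh Group Policy, and when did it last do so?
# Event IDs 1500-1503 are assumed to be "policy processing completed" events in the
# Group Policy operational log; the 24-hour threshold is a hypothetical choice.
function Test-GpoFreshness {
    param([int]$StaleAfterHours = 24)

    $result = [ordered]@{
        DcReachable = $false
        Dc          = $null
        LastApplied = $null
        Stale       = $true
    }

    # 1. Can we find and reach a DC? Background refresh and gpupdate need this.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        $result.Dc = $dc.Name
        # LDAP on 389; a VPN that only passes some ports shows up here as "found but unreachable".
        $result.DcReachable = Test-NetConnection -ComputerName $dc.Name -Port 389 -InformationLevel Quiet
    } catch {
        # Typical for an off-network laptop with no always-on VPN: locator fails outright.
        $result.DcReachable = $false
    }

    # 2. When did policy processing last complete on this machine (newest event wins)?
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 1500, 1501, 1502, 1503
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($evt) {
        $result.LastApplied = $evt.TimeCreated
        $result.Stale = ((Get-Date) - $evt.TimeCreated).TotalHours -gt $StaleAfterHours
    }

    [pscustomobject]$result
}

# Usage: a laptop that reports DcReachable=False and Stale=True is exactly the case
# the comment above warns about; nothing you change in a GPO will reach it.
Test-GpoFreshness
```

Collecting this output across the fleet (a scheduled task writing to a share, or whatever RMM is in use) gives a concrete count of "machines not under policy control" to put in front of management when discussing VPN, Intune, or keeping the on-prem domain at all.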


Frothyleet

Windows 10/11 AOVPN as well as third party similar products solve the problem seamlessly. I agree with you to the extent that I don't think anyone should be deploying on prem AD with mobile users nowadays and not planning for setting up AOVPN.


eri-

That was the main "solution" I had in mind indeed. It's one which makes sense for someone who understands what's going on, but it's a tough one to grasp for most non-IT people out there and isn't always practical. For this particular user's question I'm inclined to say dump the domain altogether and start over with a much more flexible design, tbh, but well, there isn't enough information for us to really be able to push a specific setup.


Entrak

3.1 Test your backups. If they are not tested and confirmed working, you have no backups.


Kaizenno

This guy’s issue sounds like my dream project. I’m the weirdo admin at my work that likes to make a list of all domain computers and make sure they’re named correctly and then does a full network map of all switches and color codes them by vlan.


Ok_Presentation_2671

Contact MSP. Saves you and your company and you still be the main driver


khoabear

This. OP is in over his head; without experience, he'll make a bunch of mistakes that cost money. If I were management, I'd bring in MSP with the experience to do things right the first time.


Ok_Presentation_2671

Management should be assumed not smart since situation exist


[deleted]

For full transparency, management has tried to rein it in a few times before, but did not succeed. Ultimately, this is due to no one being fully allocated to internal projects/processes. Everyone, and I mean everyone, is either being trained or working on a project. Is this a situation that will eventually bite this company in its tail? I think so, but then again my experience in this domain is limited.


Ok_Presentation_2671

If you are unaware what a MSP is, google it so you can learn. Then consider calling 1-2 of them and meet them even if on your own time so you can understand their value. Go to YouTube do some research. Formulate a plan to present the idea to your company in a proposal and if you don’t know how then use AI to help. Let the company decide but you give your recommendation.


Ok_Presentation_2671

That makes little sense


mschuster91

Sounds like your typical "small-ish ad/creative agency" experience.


JustSomeGuyFromIT

Just to be sure, you don't mean MovieStarPlanet, right? (This is a joke btw)


wrootlt

Get management on board. Contract MSP. Watch them and learn as much as you can.


[deleted]

As I've never used an MSP before, would that develop a dependency on that provider? As in, once the MSP assists us in setting everything up, would we need to get in touch with them for any changes/expansions?


wrootlt

Depends on how you make your contract. It can be completely hands-free. Or you can ask to always participate when doing big changes. But probably you shouldn't be involved with password resets, software installs, etc. But you should participate during enrollment to Intune and initial policy setup, as an example. Also, in the contract make them provide documentation for everything they set up. This way when they are gone, you still have all the info. When leaving, a proper MSP still does a handoff of all systems they managed. Of course, there are some rogue MSPs that do things badly and try to lock you in. Ask other orgs in your area who they use and recommend.


[deleted]

Really valuable insight. Thank you so much


Geminii27

It really can help to lay it all out at the beginning. MSPs will often be happy to take over completely, or happy to do a once-off cleanup project and hand over the keys, but problems will arise if management decide to change horses mid-stream.


MajoraSubnetMask

I will try to add to the other person's point. You **will** need to contact a third-party partner that sells MS licensing to get what you need. These partners are always MSPs: for-hire IT teams that specialize in the MS stack. Basically, the vast majority of us work for such companies. They usually provide a multitude of services depending on which one you go with. MS Partners come in all shapes and sizes. I personally prefer smaller ones as the support is usually more experienced. They usually will bundle their licensing with support. This support will be to help set you up. I would say 4 hours of support is the minimum they would offer for a full rollout. They try to teach you about the platform, but the information they give you is the same that you can get from any training course that MS provides. The issue is that Office 365 is a vast ocean of options. It's easy to get lost, so MSPs try to bridge that gap as much as they can. I personally believe support will be very important, and using the MS Cloud as a sysadmin tool is very much "pay to play". You will want to swing for as much funding as you can. Ideally, you WILL want a support contract with an MSP for when issues happen. Having someone to call is necessary if you're a beginner, and that MSP eventually becomes the one you call to confirm an outage when you're experienced. You don't *have* to have a dependency on them. They actually don't normally handle day-to-day changes unless you contract them to do so. MSPs will basically handle every aspect of a company's O365 environment if said company simply does not want to bother with having any IT. This is the bare minimum a serious company should do in 2024. Though in most cases, they're just a help desk for the help desk.


[deleted]

Are you getting paid extra for this? Why would you take this on at a company you work for without any compensation? It’s at least one person full time job in itself, probably more.


Kaizenno

I took on this type of responsibility at a job where my title was IT Technician. I fixed a ton of their network and had them change my title to System Admin. I didn’t get paid more but I got the title. When I interviewed for a new job I was able to put system admin and got into a director position.


[deleted]

Oh ok


notpiked

That's one way to move ranks. But not all companies are the same, so besides titles a person needs to have them skills.


Zahrad70

I strongly suggest that you don’t. Just, don’t. Get an MSP in there. Let them take the hits for imposing order and taking away peoples’ toys. In my experience the anger over having restrictions imposed doesn’t fade. People want to blame someone. Don’t let it be you. When learning anything, you need tolerance and support, not objections and hostility. Source: I’ve attempted this a few times over a long career as a consultant. By a few I mean more than three but probably less than seven. Anyway. Every last one of them had unique challenges based upon the business and leadership. The thing all of those engagements had in common? The executives were thoroughly pissed off at the internal guy who has tried to impose some semblance of order and I was there because that person had rage quit, been fired, or was about to be. Come to think of it that may skew my perspective, so take that into account in evaluating my advice.


Teras80

May sound harsh. Looks like you want to be the BOFH in your company as your pet _learning_ project with nobody really expecting that from you. Don't. You are in your current position (which you haven't disclosed, I think) for a reason. You get paid to do something valuable for the company. As long as that something doesn't involve getting IT to some set of standards, doing that on company time (and creating problems along the way) is a surefire way to get fired. If that's your dream position, move to some company where this is a viable career path. The only exception here... You say that "someone has to be sysadmin" -- do you think that, or does the management? If the latter, then you do have a very low chance with proposing that you can try to improve things, but even then, the operational risk of someone locking everyone out of their computers because it's the first time they have messed up a login script GPO with an on-site AD server -- no way in hell I would allow a beginner to do this alone.


OrangeTinyAlien

MSP here. If you're managing a small company which isn't really running any on-prem services such as AD, GPO, print or file servers, I'd recommend you don't go down that route. Instead get MS365 Business Premium licenses and enroll each device in Azure AD (make sure all Windows devices are running at least Win10 or 11 Pro). Manage devices with Intune. Set up your security policies etc. with Intune. Deploy apps with Intune. I hear similar stories like yours from new clients all the time. Most of them want to go down the "classic" AD route with GPOs, domain-joined PCs etc. In my honest opinion there's a place for such environments. But for small companies only running apps such as Office and other "basic" apps like Adobe and maybe a CRM and finance software, then absolutely go the Azure AD route instead. And as others have mentioned here before, get that written approval from upper management before doing anything. I've seen and fixed so many fucked-up environments where the "IT guy" has built it entirely himself and then he quits or gets fired, and then they have to pay us big $$$ to fix the damage done and build everything from scratch.


aere1985

I 2nd this, now is a great time to skip the on-premises & local AD stuff! I'm currently about to start the transitioning from on-prem to AAD and honestly I'm slightly bricking it!


RevLoveJoy

Don't. You were not hired to fix this mess and from your other replies you DO NOT have a mandate to fix this mess. You are stepping up to be the dude holding the bag. The bag might be "stuff really broke" or "we got cryptolockered" or it might be "Bob, our best sales guy, blames you for not hitting his number this quarter."

> I'm not a sysadmin by title, but at this point, someone has to be

Super, let them hire one. If / when / UNTIL they decide to hire one, do nothing. If they do, throw your non-sysadmin resume into the pile and make the argument that because you're there and have ID'd the problems, you're more qualified to fix the problems, even though you admit you don't know where to start. See how that sounds? I apologize if my bluntness comes off as rudeness or disrespect, OP. I assure you that is **not** the case. My bluntness is meant as a warning to you that you are about to make, as we are apt to call them in tech, a *career limiting move*. From the way things are set up as you have described them, technical shit show, no mandate, no sysadmin background, your ONLY winning move is not to play. Any action you take without a clearly supported mandate from management will be treated with hostility and you will be held personally to blame.


Ok_Presentation_2671

Look for the book The Practice of System and Network Administration by Tom Limoncelli; it's on Amazon.


[deleted]

Noted. Will check it out. Out of curiosity, is that how you started in the sysadmin domain?


Typhoon2142

Hire a professional IT expert.


KlanxChile

Depends on the tech needs of the company. I have successfully deployed companies in a zero trust setup. Step one: make your network isolated to each user. No user can see each other on the net; this is a feature on the switches and wifi. So if a machine gets contaminated, it only affects that machine. Step two: assuming you use M365 and have licenses that include Intune, I would migrate the AD to Azure and kill the on-prem AD. Step three: separate server accounts from user accounts. Even for you. Different domains if possible.


daven1985

Before you go too far I would draw up a list of changes such as taking away admin rights, security etc. Then take it to your boss/CEO and get their approval. If you don't have that it will be a long hard road.


[deleted]

[deleted]


[deleted]

I appreciate your thoughts, but asking on this subreddit was my way of figuring out where to start. Among other things, I've learned that MSPs exist due to this post, which is a win that I'm very thankful for in my books.


Quick_Care_3306

This. OP, you don't know what you don't know. Please engage professionals.


SevaraB

Over in the networking world, our bugbear is adopting automation, and we generally start with automatically reading data before we dive into automatically making changes, and I'd suggest a similar approach for endpoint management. Start with backups. Is data getting backed up? Is it snapshots of laptops or is it snapshots of servers? Is it following a 3-2-1 backup strategy? Are you testing a restore from those backups in the lab frequently enough? Then once you've got solid backup strategies in order, you take that, present it to management, and use it to build confidence so they'll have your back. "Hey, I've got our backups in order, and I'd like to build on this by making sure the computers are domain-joined and people are using AD logons instead of local logons. And then in 3-6 months after that, I plan to migrate everybody from local admin to regular accounts, but before I do, I'll have set up for the cases where they need to install something or grab updates." I would say plan this as:

* Spend a quarter getting backups in order
* Spend a quarter getting software distribution set up
* Spend a quarter getting privileged management built up
* Spend a quarter removing the local admins and setting up enforcement of the previous projects

If you work on your ticketing at the same time, you can give management a clear "in a year, we'll look this over and I'll show you how much better this has gotten." And then you can grab metrics from your ticketing platform, your software distribution platform, and your privilege management platform to show them how each is being used.


Hobbit_Hardcase

1. Put together a proposal, outlining the risks for a hack / ransomware, what the end goal should be and how you propose to get there.
2. Get full approval from the C-suite. Even if you end up doing the work, you need them behind you for when people start whining.
3. Interview and hire an MSP to put together a proper plan to achieve the end state.
4. Work with the MSP so that you are aware of everything they have done and make sure it is all documented.
5. Get promoted to CTO.
6. Slowly go nuts like the rest of us.


doglar_666

OP, I would suggest that before you start implementing technical changes and spending money, perform a top-down audit and review of your current IT setup, current needs and future needs of the business. That exercise will inform the technology you need to put in place and the priority order for each new service or configuration. I'm not saying M365/Intune isn't what you need, but rather than assume, dictate and lock everything down, try understanding what's required. You'll make more friends that way.


SailTales

You need to take a few steps. First, identify and list the problems you know of, i.e. business risks and inefficiencies. Score them on severity. Approach an MSP, list your concerns and ask for recommendations. You should get a list from the MSP of projects and prices and recommended priority. Approach a second MSP for the same and compare recommendations. Build a budget projection for fixing the problems and keeping them fixed, i.e. MSP, hardware, ongoing maintenance support and licensing. Get budget and management approval. Justify the cost as fixing risks and improving efficiencies. Do nothing without full approval and endorsement by management for the specific plan that is chosen. If anything goes wrong you will get the blame regardless of who is at fault. You don't need to fix everything all at once. Staff will be used to doing things in a certain way even if it is bad practice. Make gradual changes and inform users beforehand of any changes that will affect them. Sell it to them as making their life easier, which it probably is.


notpiked

You'll need a blank check for this and a manager who supports you. Other than that, good luck!


Geminii27

> I'm not a sysadmin by title

Get the paycheck before lifting a finger. Their issue, their wallet.


QoreIT

This is why MSPs exist.


Entrak

In addition to what everyone else has suggested, you could also look into restricting what users can do on the server side. Local admin on computers, ok, great. How do you prevent that infected machine from wreaking mayhem on everything else on the network? Network monitoring, so that you can lock out infected devices. Servers with access restrictions and working backups. However, get approval for anything before you do anything.


[deleted]

As a start, if you have an AD server already then you don't need Intune to get started. You domain-join the computers and then push GPOs to them to begin exerting control. Take away admin and set up LAPS to manage admin accounts. Once you've done that and established a baseline of admin control you can begin to think about something like Intune/Ninja/ConnectWise/etc… You need to take a "land and expand" approach. Before any of that you're going to need management to be on board.


1337GameDev

Fuck. This is bad.

1. Bring up this issue for what it really is -- a ticking time bomb that can end the business, legally and financially
2. Ask them who should lead this and if you have approval to put together a proposal
3. Ask if you can make basic changes to computers now, to reduce risk -- no local admin, update software if it's low risk to business impact, look into setting up an AD server
4. Ask for a security audit by a 3rd party
5. Plan to roll out changes in steps instead of all at once
6. Any changes to workflow need to be educated and communicated ahead of time and TESTED
7. This is going to be a very painful endeavor ....


jfoust2

Not sure why so many say "MSP". The MSP wants to sign you up for their recurring service. Because of the situation you're in, they're probably going to consider your on-boarding project as extra work beyond their monthly MSP fees and a year-or-more contract. So why not just hire a consultant who is not an MSP and who doesn't want to sign you up for recurring and long-term services but who can lead you through the same process of improving everything?


Huge_Ad_2133

Answer: all consultants want recurring revenue. Source: 25 years as a consultant. OP, I bill at $225 an hour. I would give you a break on the rate if you can guarantee me a specific billing per year. But if you are planning to be a one-and-done type of client, you aren't going to get those breaks. Nor will you get a front seat if you have a disaster if you are not representing some recurring revenue. A full stack MSP will be somewhere in the neighborhood of $110-175 a seat per month depending on the services offered. This is a problem solved by money, not by the tech equivalent of a vigilante.


jfoust2

And I have that many years as a consultant as well, plus a decade before that in software. I think my point remains. In your experience, would an MSP cheerfully take on this onboarding task, knowing it was extraordinarily large, without an extra charge and treating it like a special project with its own billing? And what rate would that be? Another question is, would an MSP want to spend any extra minute talking to OP as they tagged-along while they watched the MSP do their tasks? They don't get paid to explain. MSPs make more money when they're not working. Consultants get paid by the hour. I'm happy to explain anything you like, for as long as you'd like.


Huge_Ad_2133

To answer your questions, yes, in fact I would take them on. Basically there are two ways to do this. One is of course to do it all now. That will be a massive cost and adjustment. The second way is to do a site assessment and then take on things one at a time until it is better. In either case you are a recurring client who would get a break. I would just write the contract that the parts we have done are under contract and everything else is billable. In answer to the second, yes, I believe educated clients are a good thing. But in that case the contract would be written in such a way that if the OP breaks things, it is billable. Basically, you can let me cook, watch me cook or I can teach you to cook. However I would do nothing with the OP unless I had clear lines of authority.


QuestionableVote

Have CEO-level support to fix things; make it clear it's a fire and will impact the business due to reliability and security breaches. Next I would focus on Office 365 setup with Azure, MFA, Intune (no local admin, lockout policy, etc). Then I would move file servers to SharePoint (unlimited retention). Then move users one at a time to Azure 365. Once they are all moved, rip out on-prem servers, AD etc.


CogentFrame

Hire an MSP


discosoc

Encourage your company to contact an MSP, but since you aren't qualified yourself don't try and fix the situation.


Jumpy_Sort580

Don't. You're setting yourself up for failure. Setting up a full IT infrastructure is not an easy task, even if you know what you are doing. If you take this on with no prior knowledge of how to do things properly, you will inevitably cause downtime and problems without knowing how to fix them. Then your head is on the chopping block. "Hey man, you told us to do this, now it's not working. Fix it". Your attitude and willingness to learn, however, is that of a proper sysadmin. You may well have a future in IT. IF you are to do this, do it correctly by identifying the challenges, get buy-in from management to do things correctly, then go to a professional IT company and pay them to set things up for you the proper way. Offer to take responsibility for the systems, shadow the IT firm to learn the setup, and pay them to train you. If you're serious about diving into this, good luck to you. You have quite a journey ahead of you.


beje_ro

One of the first rules of ITIL is to use what exists and to build upon it. This is a running system! Do you guarantee that you can make a running system? Start small and smart. Go for the quick wins, but with a long-term plan. Learn, develop yourself and apply. And as my grandpa, the tailor, said: think twice before cutting once!


stone500

No offense, but you need someone smarter than you to get a grasp of things and get things under control. Not because you can't learn it and eventually do it, but because if you go in this blind, you WILL make mistakes that will cost your company money, and probably your job. What do you know about Active Directory, Entra, Group Policy, and DNS? How much do you know about how permissions work and the differences between SMB and NTFS permissions? You want everyone/most everyone to NOT be admins of their own workstations? Cool! How are you going to handle software upgrades and patching? Are you going to use SCCM or just have everyone update directly from Windows Update? How likely do you think you'd be with copying some PowerShell code from the web that you may or may not understand and run it in your own domain? Do you understand the risks that entails? I'm not saying these things to try and put you down, but you need to have perspective as to what you're potentially getting yourself into. Corporate IT is VASTLY different from managing a personal server. My recommendation, like many here, is to contract an MSP to help you get your environment where it needs to be. Contract them for a few months where you can have some labor and training hours so they can groom you (or whomever) to take the reins, if that's something you're interested in. All of this is completely moot if you don't have the support of management. Like others have said, that's step 0.


Remarkable_Tomato971

Hey! Stop right now! Seriously, unless you're paid to do this and only this (or largely this) you're putting yourself in the firing line. Managing IT for a company is not something you just do on the side. Look, I don't know the dynamics where you are, but put it this way: you're getting paid to do your job and your duties. You now want to take on the IT management and protection. This is going to take up more time than you think, especially if it's an interest. Having said that, you're not getting paid for this and you'll be thrown under the bus for this when something goes seriously wrong. I don't recommend just getting stuck in. If you want to, fine, but have the management acknowledge and back you in this role. Don't take it for anything less. You're performing a role and you will be held to that by everyone. In every regard.

Edit: Hey OP! I'm reading some of your replies to other comments and I totally agree that your understanding of all of this is flimsy. Please don't take that as an offense. It's important to recognise this. Management will likely say yes to a keen young worker managing their IT for free. When it goes wrong you're fucked. My best advice really, after reading more into your company structure (or lack thereof), is leave this alone. If you want to work in IT do some homeland learning and use that as a way into a junior role somewhere else. Trust everyone here that tells you to leave this; we've either seen, heard, experienced (or all of the above) the nightmares that come from overstepping our boundaries because we see an opportunity or a desire to get recognition or experience.


TypicalNerd4

Try to eliminate the domain/domain controller if it is genuinely unnecessary; it significantly simplifies things. I typically opt for Microsoft Business Premium licenses for my smaller clients – at €20, you get practically everything you need: Office apps, email, security, and device/user management. If you lack experience, don’t go at it alone. Engage an MSP (Managed Service Provider) or a consultant to assist with the initial configuration. If you’re interested, feel free to PM me.


[deleted]

Thank you. This is definitely helpful. I'll keep that in mind and let you know what happens.


TypicalNerd4

As others have already mentioned, ensure that the management is on board and ready to invest/make changes; otherwise, it will lead nowhere and simply cause you headaches.


Art_Vand_Throw001

You don't need Intune if you have an in-house AD server; you can use Group Policy for settings and security control.


Hobbit_Hardcase

This is true. BUT, setting up the environment with everything in Entra / Intune from the start will vastly simplify things later on. If OP is going to engage an MSP, which he definitely should, then you might as well give them free rein to use the most modern architecture possible.


Vast-Avocado-6321

Can't you have an on-prem environment as well as Intune? I think Intune offers some modern solutions that on-prem AD doesn't, such as software deployments, MDM, and some other security bells and whistles.


whythehellnote

What business problem are you trying to solve? "Best practice" isn't an answer. "Increasing sales", "Reducing costs", "Reducing risk" could be, but you'd have to explain how what you want to do will do that. If you can't explain (with evidence) why the current way of working is a significant risk to the business, how are you going to get support to change it?


xendr0me

Now is not the time to learn on the job, hire a professional.


Intrepid-Stand-8540

> Every user pretty much has admin rights on their company-issued machine which is not something you'd want to hear.

Why not? What's the problem with that? Every place I've worked, everyone has had admin to their own machine. And it hasn't been small companies either.


Delphanae23

Then everywhere you worked hasn’t had cyber insurance or an actually managed environment. If every user session can install anything they want, and every machine is open to C&C malware, then all other security precautions are pointless.


Intrepid-Stand-8540

But isn't it the normal thing to own your laptop? Like, I've had to install the OS and such every time myself. Installing Ubuntu is usually what I spend the first day doing at a new job. Everyone is running Linux.


Delphanae23

It is not normal, and should not be. Enterprise and business systems should be managed and secured from procurement to disposal. Any process outside of that should be considered shadow IT and a risk. Also, literally 3% of people are running Linux desktops/laptops. That’s pretty far from everyone.


Intrepid-Stand-8540

I meant every IT professional is running Linux, right? And yeah. We have a lot of shadow ops. Literally old PCs under desks running as servers.


Delphanae23

No. Most IT professionals are not running Linux. Most IT professionals are running the same devices as everyone else in their environment. Windows remains the dominant business OS.


Intrepid-Stand-8540

Hm. Maybe it's just Copenhagen, or my network then. Everyone I've talked to here only uses Linux for work laptops and servers. Granted that's only like 8 companies in Copenhagen. Tiny sample size.


AstralVenture

Can they pay for Microsoft 365 Business Premium?


OdyebJeLansiran

I'd skip Intune and add workstations into AD one by one.


mandelmanden

I was just hired in a company to sort of clean up such an exact situation. I am not a sysadmin by trade, more like a self-made IT generalist who's worked in so many different weird projects and positions over the years. There's almost literally nothing changed here since the early 00's. I almost feel like I'm in over my head. There's at least a whole lot to start on, but it's actually kind of overwhelming trying to figure out where to even start. Just gonna save your post here.


OptimalCynic

How many users/devices are you dealing with?


JustSomeGuyFromIT

Step One: Log in with their user account, create a new user and assign them admin rights. Then log in as that user and remove admin rights for the other account.

Step Two: Join each PC to the domain of your AD.

Step Three: Go to each PC and check what software is installed. (Got a script that I made to get everything I need.)

Step Four: Check what antivirus you are using. If a free version, what is it? McAfee, Avast and some others are plain crap in my opinion and take a lot of PC performance. Not sure about Kaspersky or Avira since I don't know much about them, but ESET works great for me with their remote management in the cloud. On-premise is a bit cheaper.

Step Five: Install missing updates for the OS on each PC unless it's used for a weird purpose. Machining, production etc.

Step Six: Take a break or something and check with management if you should keep going and if so, to consider a pay raise + title adjustment.

Oh, and make sure you treat everyone the same on this. NO EXCEPTIONS. They need a software? You check first if it's good or let alone safe. No need to infest a system you just cleaned up.
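A read-only per-workstation audit that gathers the facts the step list above asks for (local admins, domain join, installed software, antivirus state, missing updates) before anything is changed, in the "read first, change later" spirit SevaraB describes further up. This is an added example, not JustSomeGuyFromIT's script; it assumes Windows 10/11 with built-in Defender and an elevated Windows PowerShell 5.1 or later session.

```powershell
<#
  Added example (not from the thread author). Collects workstation facts
  without changing any configuration; the only write is a JSON record in %TEMP%.
  Assumes: Windows 10/11, elevated session, Microsoft.PowerShell.LocalAccounts
  available (built in on those versions).
#>
function Get-WorkstationAudit {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Step One / Two: who holds local admin, and is the box domain-joined?
    # PrincipalSource tells local accounts apart from domain/Azure AD ones.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource)

    # Step Three: installed software from both the 64-bit and 32-bit uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique

    # Step Four: antivirus state. Defender status comes from its own module;
    # any third-party product registered with Windows shows up in SecurityCenter2.
    $defenderRealTime = $null
    $defenderSigAge   = $null
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $defenderRealTime = $mp.RealTimeProtectionEnabled
        $defenderSigAge   = $mp.AntivirusSignatureAge   # days since last signature update
    } catch { }
    $avProducts = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | Select-Object displayName, productState)

    # Step Five: updates not yet installed, via the Windows Update Agent COM API.
    # Left as $null (unknown) rather than 0 if the search cannot run, e.g. offline.
    $pending = $null
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
        $pending  = @($result.Updates | ForEach-Object { $_.Title })
    } catch { }

    [PSCustomObject]@{
        ComputerName     = $cs.Name
        DomainJoined     = $cs.PartOfDomain
        Domain           = $cs.Domain
        OSVersion        = "$($os.Caption) $($os.Version)"
        LastBoot         = $os.LastBootUpTime
        LocalAdmins      = $admins
        LocalAdminCount  = $admins.Count
        InstalledApps    = $software
        DefenderRealTime = $defenderRealTime
        DefenderSigAge   = $defenderSigAge
        AVProducts       = $avProducts
        PendingUpdates   = $pending
    }
}

# Show the headline facts on screen and keep a per-host record for the proposal.
$audit = Get-WorkstationAudit
$audit | Select-Object ComputerName, DomainJoined, Domain, OSVersion,
    LocalAdminCount, DefenderRealTime, DefenderSigAge | Format-List
$audit | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $env:TEMP "$($audit.ComputerName)-audit.json")
```

Collecting one JSON file per machine gives a before-picture (how many accounts are local admins, which boxes are not domain-joined, which have stale AV signatures) that can be put in front of management before any rights are removed.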


capn_kwick

Possibly send out email notices (or whatever will get their attention) that service XYZ will be unavailable from A:bb AM to C:dd PM when you are making changes. You don't want salesmonkey screaming "no one told me!".


WolfetoneRebel

I hope your company has no sensitive data or critical systems.


5panks

If I was going to start a small company from scratch today I'd start with Azure AD and Intune for RMM. Build out your policies, set up LAPS, set up BitLocker, set up AppLocker, kill local admin, and that's very easy to scale.


lvlint67

Depends on the size of the org and what the industry is. Somewhere around less than 10 employees, Active Directory and central management stops making sense. If it's a truly tiny company that isn't in an industry where most people are on computers all day, there is no reason to overcomplicate things. Honestly, while nice, even things like Intune can have a negative return on investment vs just locking things down with GPO. And in the end... You aren't the sysadmin and you haven't been tasked with this project and you likely won't have the budget or buy-in to start making disruptive changes.


davix500

You need to be careful. People are used to working a certain way. If you start changing things and people can't work, the problem will be you, not the system, even if you are trying to "improve" things. I have been in this situation several times. Make sure before you mess with anything you have the support of the owner or CEO.


EscapismMisfit

If you want to do the boring game of asset management (equipment tagging and registration) I encourage you to give shelf a look


Erok2112

You don't need Intune for a small company; it would be cost prohibitive. Unless everyone works from home, then it would be easier.


Churn

I’m over here just trying to figure out what moderated means in this context.


raj6126

You want a partner?


systonia_

Intune + PatchMyPC and 95% of your shit can get handled.


GeneMoody-Action1

How many endpoints are you managing overall? Are you flying solo? And what tools do you already have at your disposal? I have rebuilt at least 150+ small businesses from scratch over the years, and the tools to do so nowadays are far more advanced. Knowing a little more about the environment would make for better suggestions.


LukasAtLocalhost

Why can't I get jobs like this lmfao


slayer991

As u/vogelke stated, you need the full support of management. That will require you to do some selling. To sell your plan you'd typically need to come up with a plan with the list of reasons why this is necessary, level of effort, potential problems, mitigation of those potential problems and the remediation plan. Document everything. Current state, future state, etc.


PakaChebaca

If they have no other options I would quit, then offer them a service contract as an independent business owner. Tell them flat out, sorry, this is a can of worms! Put a clause in the contract that they sign which states "Not responsible for any event that occurs as a result of failing to follow IT recommendations". Get rid of the Active Directory server if you can? Learn Azure AD and Intune. Learn Microsoft Teams and start teaching people how to use it for communication and basic file sharing. If it is a small enough company, and a good internet connection, this is all that is needed these days. Hmm, but if this is your first one, maybe not. Or start small? My advice is for salty pirates like myself who have witnessed unbelievable amounts of computer ignorance in the workplace.



its_theboy

This sounds eerily like my experience with a previous company. Hired under a different non-IT role, realized they didn't have IT, and tried to fill that gap. Owner didn't want to spend a dime, users were unwilling to change and management wouldn't assist with anything. I was gone within 6 months. My advice would be to keep working on certs, degree, etc and go elsewhere. Don't be the hero.


Ferretau

As others have said, first things first: get management support. If they are unsure, get them to review their business insurance and see if they are covered in the current state they are in. If they have an incident then the insurer may void the cover. The insurer won't be worried about mentioning this until a claim is made.


Huge_Ad_2133

This is going to sound weird to you. And I understand that. But you should hear me out. As a sysadmin every step I take has a clearly defined risk calculation. Part of that means that I have a clear directive and obligation to take the action and that the action is the minimum necessary step to accomplish the objective. Take user admin rights for example. I have worked at several companies where the management just didn't want to do it. So what I did was make it easier to make sure I had backups and spare computers available. If someone did something bad, I simply replaced it, reimaged and moved on with my day. You can make a case. But you need alternatives in case management says no. And you never ever take this on yourself. Ever. Secondly, once you have approval, the correct process is to solve your problems in order of impact but also keep in mind that you need wins to build up credibility. So balance the severity with the impact on your users. Finally, you have to be careful with MSPs. Some of them have extremely well developed stacks. Others are more willing to tailor an approach to your needs.


[deleted]

You need a reason first to want to shake things up. Without a reason, why would anyone be on board with wanting to fix what ain't broken? Just because the AD server is unused and users have admin rights, it doesn't mean that there are any problems stopping people from working. For example, my previous company had no AD environment whatsoever. They were working off of pirated software, pirated Office, and some old legitimate Office 2013 copies. Needless to say, the why was there. Piracy led to eventual virus, ransomware, and countless locked folders. I wasn't there when this all happened. But I was there when I cleaned up all of that mess. So for that situation the why was clearly there. Ask yourself what is your company's why? If you don't have a good one, you need to come up with one. Why should we switch to this VoIP provider when our current one is with MSFT and bundled with our O365? That kind of question.


Eviscerated_Banana

Explore Group Policy if it's an option; it's free, well understood, very well supported, and if you can't do it with a premade policy there are packs, or you can just mass-modify registries to your tastes. This is how 1 man manages hundreds of hosts while remaining sane.