
wonderings

macrumors 6502a
Original poster
Nov 19, 2021
Company is going to be moving to all Windows here. There are 3 of us who still use Mac and prefer the OS. They are wanting to use Microsoft domains, not sure what that all is but their concern is needing to manually manage the 3 Macs we have here when it would be simple and easy for them with all Windows. I don't know much about this end of things networking-wise, first I had ever heard of it. I did forward them an article on an Apple page showing how MacOS works with Windows domain. Anyone here have any knowledge and experience with this? Would MacOS computers really need more manual hands-on work to implement the security features they are looking to get with Windows domain?

Thanks!
 
> Would MacOS computers really need more manual hands-on work to implement the security features they are looking to get with Windows domain?

A definite yes to that question. A domain controls MUCH more than just logins. Security, licensing, auditing, reporting, and update control, plus shared resources, are the main ones most used and that would be all manual on a Mac other than the login itself. You're looking at a Windows PC not needing any manual work, and a Mac would need a lot. Unless the IT staff would retain a Mac guy to handle your 3 PCs I don't really see a good counter to their argument unless the Macs do something that can't be done on a Windows PC.

You might be able to convince them that you can fulfill that requirement by running a Windows VM on your Macs and they would have full domain control over that, but even then there's more work involved for them than a typical PC if you have some kind of problem...
 
> A definite yes to that question. A domain controls MUCH more than just logins. Security, licensing, auditing, reporting, and update control, plus shared resources, are the main ones most used and that would be all manual on a Mac other than the login itself. You're looking at a Windows PC not needing any manual work, and a Mac would need a lot. Unless the IT staff would retain a Mac guy to handle your 3 PCs I don't really see a good counter to their argument unless the Macs do something that can't be done on a Windows PC.
>
> You might be able to convince them that you can fulfill that requirement by running a Windows VM on your Macs and they would have full domain control over that, but even then there's more work involved for them than a typical PC if you have some kind of problem...

I can work in either environment, I prefer the Mac and think it is more then they can both do the same thing, which they can but they go about doing it in different ways. The Windows VM thing is not really an option and would just add complications as you mention. With the M1 chips and Apple eventually going all their own CPUs, running Windows on a Mac will no longer be a thing unless some virtualization happens to allow Windows 10/11 (no ARM versions) to install as a VM.

I think the main uses are not so much for logins but for network access to shared drives which is what we want to keep secure obviously. Not knowing really what this is all about it is difficult to make any argument to try and hold onto the Macs for the 3 of us left and not sure how much real maintenance is needed. I know from a general support standpoint Macs are great because they need very little support and IT help, obviously this is different and if they are ever changing aspects of security having them all unified and able to do at once makes a lot of sense. I just find it hard to believe that there are no options to have both running in the same environment while being secure. Maybe it is just a completely other approach is needed for this and not something I am going to push, I just wanted to get a better understanding.

Thanks!
 
> I can work in either environment, I prefer the Mac and think it is more then they can both do the same thing, which they can but they go about doing it in different ways. The Windows VM thing is not really an option and would just add complications as you mention. With the M1 chips and Apple eventually going all their own CPUs, running Windows on a Mac will no longer be a thing unless some virtualization happens to allow Windows 10/11 (no ARM versions) to install as a VM.
>
> I think the main uses are not so much for logins but for network access to shared drives which is what we want to keep secure obviously. Not knowing really what this is all about it is difficult to make any argument to try and hold onto the Macs for the 3 of us left and not sure how much real maintenance is needed. I know from a general support standpoint Macs are great because they need very little support and IT help, obviously this is different and if they are ever changing aspects of security having them all unified and able to do at once makes a lot of sense. I just find it hard to believe that there are no options to have both running in the same environment while being secure. Maybe it is just a completely other approach is needed for this and not something I am going to push, I just wanted to get a better understanding.
>
> Thanks!

I can understand where you're coming from about wanting to use a Mac, but the security challenges today are probably why they want to go with a domain, it just makes things easier to administer and automated reporting of problems. I only run Macs at home for pretty much the same reason even without a domain at work, and I'm the head IT guy.

I'm hoping for an x86 Windows emulation that is fast enough to use on an M1 Mac, even for my work, but I just don't really see that happening -- it's just not in Apple's mindset to push for that and us people that are left out in the cold don't matter. To quote many a post in this forum -- we should buy a Windows PC to do what we need to do. (even if we want to use a Mac!) I expect I've bought my last Mac and I'm not happy about that. (An M1 MBA)
 
> I can understand where you're coming from about wanting to use a Mac, but the security challenges today are probably why they want to go with a domain, it just makes things easier to administer and automated reporting of problems. I only run Macs at home for pretty much the same reason even without a domain at work, and I'm the head IT guy.
>
> I'm hoping for an x86 Windows emulation that is fast enough to use on an M1 Mac, even for my work, but I just don't really see that happening -- it's just not in Apple's mindset to push for that and us people that are left out in the cold don't matter. To quote many a post in this forum -- we should buy a Windows PC to do what we need to do. (even if we want to use a Mac!) I expect I've bought my last Mac and I'm not happy about that. (An M1 MBA)

Are there big changes that need to be made individually on a Mac in that sort of environment? Not tech illiterate but had not heard of Windows domain and how this is used till now. If they made changes to the Windows environment, is it something straightforward if I were to be the "IT" guy for the 3 Macs we have? If it is basic stuff I would have no trouble making the manual changes myself. Guessing they won't go for it, but doing my best to try and offer an alternative if possible to keep the few of us who really prefer the workflow on a Mac.

I installed Windows 11 as a VM yesterday and while it is getting similar in many ways they still lack a lot of what makes me very efficient in Mac OS.
 
It really depends what they're getting at...

If they just want to lock down logins, great. Macs can bind to Windows domains without issue. Zero extra work for IT.

If they just want to secure file shares, great. Macs can authenticate to Windows file shares with or without being bound to the domain. Zero extra work for IT.

If they want to lock down end-user settings, manage updates, run data loss prevention? Hard to argue. Allowing an OS other than Windows adds extra work and/or undermines the added security entirely anyway.
 
> It really depends what they're getting at...
>
> If they just want to lock down logins, great. Macs can bind to Windows domains without issue. Zero extra work for IT.
>
> If they just want to secure file shares, great. Macs can authenticate to Windows file shares with or without being bound to the domain. Zero extra work for IT.
>
> If they want to lock down end-user settings, manage updates, run data loss prevention? Hard to argue. Allowing an OS other than Windows adds extra work and/or undermines the added security entirely anyway.

I don't know all the details but I think primarily it is for file sharing and access to the files on networked drives. I still don't have a full grasp of what it actually does as it is way out of my wheelhouse networking-wise. Would think they want to be able to change passwords and things on a regular basis to keep things tight and secure, they could give access and take away to computers they choose to with Windows domain, as far as I understand it.
 
> Are there big changes that need to be made individually on a Mac in that sort of environment?

That's kind of a hard question to answer, as it all depends on what other software that the company uses -- it could be a lot, it could be minor.

> If they made changes to the Windows environment, is it something straightforward if I were to be the "IT" guy for the 3 Macs we have?

It all depends on the real IT guys and how comfortable they are with you. And it's more than changes, it's antivirus, licensing, shared folders, and a lot of other things too.

> I installed Windows 11 as a VM yesterday and while it is getting similar in many ways they still lack a lot of what makes me very efficient in Mac OS.

On an M1 Mac? There's still a licensing problem there too, which I know the IT guys will (or should) have a problem with. Until it's resolved by Microsoft, it's not a workable solution in an enterprise.
 
> That's kind of a hard question to answer, as it all depends on what other software that the company uses -- it could be a lot, it could be minor.
>
> It all depends on the real IT guys and how comfortable they are with you. And it's more than changes, it's antivirus, licensing, shared folders, and a lot of other things too.
>
> On an M1 Mac? There's still a licensing problem there too, which I know the IT guys will (or should) have a problem with. Until it's resolved by Microsoft, it's not a workable solution in an enterprise.

Good relationship with IT, we are a medium size company but feels a lot like a small shop which is good in many ways. I fix most of the problems here in my location (they are in another), anyways good relationship.

All Intel Macs
 
> I don't know all the details but I think primarily it is for file sharing and access to the files on networked drives. I still don't have a full grasp of what it actually does as it is way out of my wheelhouse networking-wise. Would think they want to be able to change passwords and things on a regular basis to keep things tight and secure, they could give access and take away to computers they choose to with Windows domain, as far as I understand it.

Based on that description — if they truly just want to be able to control password changes and access to file shares — the Macs can function just fine in that environment. I'd say bind the Macs to the Windows domain. You'll use your Windows domain credentials to log in. If your password expires, macOS will prompt you to change it and will respect any password policies set on the server. You'll be able to then connect to those file shares easily.

They won't have the same level of control over macOS that they have over Windows. But they will be able to control logins, password policies, and file share access. They'll see the Macs listed in Active Directory Users & Computers on the Windows Server + can disable specific Macs or users the same way they would for a PC.
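
Added example, not part of the thread: a shell check that whoever looks after the bound Macs could run to confirm the bind and flag weak settings, reading the text printed by `dsconfigad -show`. The sample output, the host and group names, and the warn thresholds are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a Mac's Active Directory bind from `dsconfigad -show` text.
# On a bound Mac: dsconfigad -show | audit_ad_bind
# The pass/warn thresholds are illustrative assumptions, not a vendor baseline.

# Constructed sample in the "key = value" layout that `dsconfigad -show` prints.
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = design-mac01$

Advanced Options - Administrative
  Allowed admin groups           = CORP\mac-admins
  Packet signing                 = allow
  Packet encryption              = require
  Password change interval       = 0'

audit_ad_bind() {
  awk -F' *= *' '
    NF >= 2 { k = $1; sub(/^[ \t]+/, "", k); val = $2; sub(/[ \t]+$/, "", val); v[k] = val }
    END {
      dom = v["Active Directory Domain"]
      # An unbound Mac is assumed to print no domain line at all.
      if (dom == "") { print "FAIL not bound to a domain"; exit 2 }
      print "OK   bound to " dom " as " v["Computer Account"]
      # "allow" lets the client fall back to unsigned or unencrypted LDAP traffic.
      if (v["Packet signing"] != "require") {
        print "WARN packet signing is " v["Packet signing"] ", expected require"; bad = 1 }
      enc = v["Packet encryption"]
      if (enc != "require" && enc != "ssl") {
        print "WARN packet encryption is " enc ", expected require or ssl"; bad = 1 }
      # Treated here as: 0 days means the computer account password never rotates.
      if (v["Password change interval"] + 0 == 0) {
        print "WARN computer account password rotation is off"; bad = 1 }
      adm = v["Allowed admin groups"]
      if (adm != "" && adm != "not set")
        print "INFO AD groups with local admin rights: " adm
      exit bad + 0
    }'
}

# Demo on the constructed sample; a non-zero status means follow-up is needed.
printf "%s\n" "$SAMPLE_SHOW" | audit_ad_bind || echo "follow-up needed"
```

The function exits 0 when nothing is flagged, 1 when a setting is weaker than the assumed threshold, and 2 when the Mac is not bound.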
 
> Based on that description — if they truly just want to be able to control password changes and access to file shares — the Macs can function just fine in that environment. I'd say bind the Macs to the Windows domain. You'll use your Windows domain credentials to log in. If your password expires, macOS will prompt you to change it and will respect any password policies set on the server. You'll be able to then connect to those file shares easily.
>
> They won't have the same level of control over macOS that they have over Windows. But they will be able to control logins, password policies, and file share access. They'll see the Macs listed in Active Directory Users & Computers on the Windows Server + can disable specific Macs or users the same way they would for a PC.

Thanks for the info. Treading lightly here with them as I do not want to come across as a madman telling them how they should do their jobs, but trying to also keep the few of us who use and prefer Macs on the machines we are most efficient on. Going to try and get more info on what they are doing and wanting to accomplish with the change.
 
> Company is going to be moving to all Windows here. There are 3 of us who still use Mac and prefer the OS. They are wanting to use Microsoft domains, not sure what that all is but their concern is needing to manually manage the 3 Macs we have here when it would be simple and easy for them with all Windows. I don't know much about this end of things networking-wise, first I had ever heard of it. I did forward them an article on an Apple page showing how MacOS works with Windows domain. Anyone here have any knowledge and experience with this? Would MacOS computers really need more manual hands-on work to implement the security features they are looking to get with Windows domain?
>
> Thanks!

Don't fret! Modern Mac since 10.6.8 Bill Gates allowed Macs into Server 2008s2! Then it was baked right into Server 2010 for Mac and modern Linux flavors to go into a Windows server Domain! So Macs made after 10.6.8 will join modern Windows Domains!
 
> With the M1 chips and Apple eventually going all their own CPUs, running Windows on a Mac will no longer be a thing unless some virtualization happens to allow Windows 10/11 (no ARM versions) to install as a VM.

Not sure what you are talking about, but having Windows ARM or x86 running in an M1 VM makes no difference...aside that Windows ARM is running native and would be much! faster. All the features like domain management are totally the same.
 