Domain or Stand-Alone? So Complex.
January 5, 2010 7:32 AM
How do real IT shops handle laptops in a Windows domain?
I work for a smallish entity. We run a mostly XP domain with users' documents redirected to a central server. We haven't really figured out what's the best way to handle laptops. Sometimes we set them up as stand alone, non-domain machines. Sometimes we join them to the domain.
Each way has pros and cons for us. If it's a standalone laptop then we tend to let the user be an administrator and he or she can manage their documents manually using flash drives or whatever by copying the files they want to work on from their desktop to the laptop and going out the door. This is less micro-managing for us but less convenient for the user.
If we join the laptops to the domain then the users are faced with synchronization messages many of them don't understand (keep the network version or the local version the what?) and confusion over things like deleting an icon from their laptop and now it's gone from their desktop PC as well.
So how do larger organizations with Windows domains and lots of laptops coming and going from the office handle it?
In my experience, the use of a domain assumes fixed network access--which laptops do not have. Ergo joining a mobile device to a domain is generally kludgy at best.
Instead of physically copying documents to flash drives, have you guys considered (or do you already use) some kind of personal online storage? At least you could have laptop users email themselves attachments, assuming they aren't immensely sensitive.
posted by Phyltre at 7:50 AM on January 5, 2010
Lately I've been just setting up VPN + Remote Desktop for our more casual users. No file syncs to worry about.
If they aren't using remote desktop, I find synchronization is too difficult and buggy for most users and just tell them to take a copy of the files they want to work on and copy them back in.
I prefer to have them on the domain. I tell them to boot or reboot on the domain when they are in the office so they can inherit any changes in group policy, software updates, packages I push out, etc. I never make them administrators. Either I make them users with extra rights or power users with certain rights and permissions taken away (like modify/write to c:\windows, c:\program files). The latter is easier and faster but less secure, but it sure beats letting them run as admin, which should never be allowed.
posted by damn dirty ape at 7:57 AM on January 5, 2010
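A quick way to verify the two points in the answer above (is the laptop actually domain-joined, and has anyone ended up with local admin rights anyway) on a modern Windows box. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember, an elevated session, and a constructed allow-list that you would replace with your own break-glass accounts.

```powershell
# Added audit script (not from the thread). Assumes PowerShell 5.1+ and an elevated session.
# The allow-list is a constructed example; replace with the accounts you really intend to be admins.
$allowedAdmins = @('Administrator', 'CORP\Domain Admins')   # assumed, adjust for your domain

function Get-LaptopJoinState {
    # PartOfDomain tells you whether the machine is domain-joined or a standalone workgroup box.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed)
    # Names come back as MACHINE\user or DOMAIN\group; strip the local machine prefix so
    # 'Administrator' in the allow-list matches 'LAPTOP01\Administrator'.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $short = $_.Name -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), ''
            ($Allowed -notcontains $_.Name) -and ($Allowed -notcontains $short)
        } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$state = Get-LaptopJoinState
$state | Format-List

$extra = Get-UnexpectedLocalAdmins -Allowed $allowedAdmins
if ($extra) {
    # A domain user sitting in local Administrators is exactly the "run as admin" case to avoid.
    Write-Warning 'Accounts with local admin rights outside the allow-list:'
    $extra | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group matches the allow-list.'
}
```

Run it from a domain-joined laptop while on the office network so PrincipalSource can resolve domain principals; on a standalone machine every member will show as Local.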
usually, I end up setting up VPN services on the network and joining the laptop to the domain. the users then use the "Log in over dialup connection" option in Windows XP, so the VPN connection gets set up first and then logs them in. depending on what kind of internet connection you have, this might not be such a good idea. (the clients I have are all on at least T1s so it's not eye-gougingly bad. if you're on a cable modem or ADSL, this approach would be horrible.) I've just recently had to deal with Win7 so I don't really have a setup for that yet (I recommended everyone skip Vista, so haven't dealt with that at all).
posted by mrg at 8:19 AM on January 5, 2010
There's no real good solution to this. The rule of thumb I use:
- Stand alone if the laptop will never see the local network of the domain controller again.
Of course this introduces the problem of anything requiring domain authentication being kind of a pain in the ass to deal with. People have to remember to use "domain\Username" even when connected via VPN. Windows never seems to remember this as well as it should and you end up getting prompted quite a bit.
But your question faces a larger problem, that is syncing files for offline use. If you have users with laptops they will be using files offline, it is just a fact. And it is damn hard to sync up with a network drive when your process is this (for a non-domain computer):
1. Boot up OS
2. Establish Internet connection
3. Connect to VPN
4. Authenticate and connect to network share
Bah, there's 10 minutes right there gone. Not even counting how long it takes to find the file you want and make sure either your local and remote copies are synced up so you can work on it on a plane. Hopefully HTML5 will get here fast and we can have native support in browsers to do this kind of thing (really MS could be putting this functionality more seamlessly into Office ...)
In any case this was way too much work for me, and guess what? I never ended up syncing my files. I found two solutions, none of which are completely satisfactory:
1. Using Outlook thick client as a datastore, creating a "Data" folder and place documents as attachments to messages and storing them there. When Internet connectivity was established Outlook did a really good job of syncing things up. If you're small enough to where you can get away with this and your Exchange box doesn't end up getting to be a hassle to manage I'd recommend this.
2. TortoiseSVN, when set up properly, is actually really nice. It does require some structure as to how files are stored in order to not have it be a complete mess. I set it up per user for misc. files and a more structured directory for shared files. Atwood has a good guide on setting this up on a Windows server. I followed the conventions set out in the SVN book. I've had pretty good adoption rates and people who are road warriors really like it. There's a big red exclamation folder on data that's not been committed to the server and since you can right click "commit" and "update" right from explorer it is really easy to use.
posted by geoff. at 8:30 AM on January 5, 2010
Never had a problem when I was IT Manager at a tech startup of putting laptops on a domain. In fact we had about 60% laptops to 40% desktops mix with over 300 nodes. This allowed our developers to continue working at home on their laptops and once they were back at work they could log on to the domain to get access to all the engineering tools. I do agree with geoff above though. If it's not going to see the domain again then don't worry about joining the domain. Otherwise I don't see how you can properly admin your network without having the laptops as domain members. It will be a pain dealing with the users at first until you get them trained on what they need to do as far as syncing files, etc. But if you're in a small organization without a ton of turnover this will get easier pretty quickly.
posted by white_devil at 10:35 AM on January 5, 2010
Response by poster: Thanks for the input everyone! Very helpful responses!
posted by BeerFilter at 5:27 PM on January 5, 2010
The bigger issue for us was that when a laptop is joined to a domain, the moment it can't communicate with the Domain Controllers, the laptop's performance goes down the drain. Windows keeps trying to connect back, and ties up resources while it cannot do so, causing noticeable issues for users on the road. This may have changed with more recent updates to XP (We haven't moved to Vista or Win7 yet), but the initial issues with On-Domain laptops leaving the area were enough to make us sidestep the issue to this day.
posted by GJSchaller at 7:48 AM on January 5, 2010