Taking an environment from managed to unmanaged: Perspective?

Hello Folks,

I guess I’m here looking for some perspective. I am in discussions with a long-time client (church), that has had a fully managed AD environment for 15+ years. Recently they moved about a third of the staff to Chromebooks, and migrated to G-Suite for the majority of their users.

Numbers look like this:

  • 35 staff users, 20 Windows PCs/Laptops (for users, kiosks, signage), 16 Macs (users, and A/V production), 20 Chromebooks
  • Ruckus wifi integrated with AD
  • Windows print server to multiple Canon ir-ADV machines and other printers

As the environment has changed over the years, I have AD syncing with AzureAD and G-Suite, and AzureAD is used for SSO to authenticate the Chromebook users, and the Finance team uses O365 in addition to G-Suite. All runs great.

I have been asked to put a project together to remove AD. Not replace it with something else, but just remove it (and, presumably AzureAD). I have explained on numerous occasions the reasons I feel this is a poor decision (i.e. security, manageability, SSO), but perhaps I have not expressed these issues clearly enough, as they still don’t see why they shouldn’t run a “home-style” network where everyone looks after their own machines.

The thinking seems to be that since “everything is in Google” (which it’s not) there is no longer any requirement for management, since “Google will be liable if there’s a data breach or damage from viruses etc.” They want everyone to have more autonomy and control over their own machines. My head just about explodes every time I think about it, but I can’t seem to get them to understand why this is a bad idea. Just gives me an extended headache.

What it comes down to is that they would like to save money on paying an expert (me) to manage the environment proactively, and just come in to fight fires when they happen. I’ve been doing this 20 years, and I’ve never had a client purposely want to move from a functioning, secure environment to a “home-style/open” (their words) network.

I don’t want to argue with them to maintain my little technology fiefdom and protect my revenue… certainly I can do what they want, but ethically I don’t believe it’s the right thing to do. Am I just too set in my ways as an IT professional, or does this seem a bad idea to anyone else? How would you respond if your church/organization/client decided to head in this direction?

Personally, I would be thrilled to remove any infrastructure we don’t need. If we could ditch AD today with a net positive in man hours I would do it in a heartbeat, though as AzureAD becomes more feature rich and easier to work with I am definitely eyeballing that. But from my viewpoint/perspective, any time and cost saved from simplifying management in my role would be immediately taken up by working with different departments to help them use technology better. We don’t have a shortage of work or ministry ideas that people need technical help with. I don’t have time to teach people what a project management system is or how different social media platforms have a different voice when I am nursing a limping server to delay a $15000 expense.

This gives me the chills.
No centralized management? No patch management or enterprise A/V. Everyone will want to be local admins too.

You’re right. You’ll spend your days putting out fires and they won’t save a dime because of it.

First things first: in the midst of C-19 a lot of churches have seen their giving drop 25~33% so it’s worth talking to the decision maker at the church about helping them reduce costs without entirely dumping having a managed IT infrastructure. It’s worth putting together a cloud-first style package for your service provider that leverages Intune/AAD or something like that because you can reduce a lot of the on-prem costs for many clients with the caveat that A/V tends to need to keep on-prem infrastructure for dealing with massive video files/resources.

Otherwise, you’re facing the age old catch 22 of “nothing works so what do we pay IT for? / everything is working so what do we pay IT for?” For me, since I don’t do break-fix, when this sort of thing happens I point out some of the issues they’ll encounter and am as helpful as I can be with the offboarding and transfer process. Not uncommon for clients to come back after they experience how bad things get when things aren’t being managed.

Thanks for the reply. This originally came up over a year ago, and I thought we had put it to bed. However, we can’t actually execute on this until the c-19 crisis is over, because it’s going to take a large effort in restructuring the infrastructure, and hands-on machines, printers, etc. I don’t see this being able to help them at all in the short term.

There are plenty of tools and solutions to handle machine management, remote control, patch management, anti-virus, etc. without local servers and Active Directory.
Many of these tools are already included with existing Office 365/Azure AD or are available for very minor cost increases that still come in way under the cost of replacing aged servers.
@Isaac already pointed out a few of these in his reply. But there are plenty of others. It DOES require thinking differently about IT and how that management works (or should work). But it’s not impossible and definitely can have some benefits.
We have several clients already with no internal server infrastructure. We’re a bit spoiled using tools that we’ve already used for over 10 years to help manage them. But Intune, Windows Update for Business, and other 3rd party solutions can be great choices as well.
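The two posts above turn on the same question: what does each endpoint actually lose when it leaves AD/Azure AD management (local admin sprawl, no patch cadence, no enforced AV), and what state is it in if Intune or Windows Update for Business takes over instead? The script below is an added example, not anything posted in this thread, that a consultant could run on each Windows machine to put numbers on that. It assumes PowerShell 5.1 or later on Windows 10/11 with Microsoft Defender as the AV and the built-in LocalAccounts module; the 45-day "stale patch" threshold and the CSV file name are my choices.

```powershell
# Added example: per-endpoint management-posture report (not from the thread).
# Run in an elevated PowerShell 5.1+ session on a Windows 10/11 machine.
# Assumptions: Defender is the AV in use; Microsoft.PowerShell.LocalAccounts
# is available (ships with Windows 10+); dsregcmd.exe is present (Win10+).

function Get-EndpointPosture {
    [CmdletBinding()]
    param(
        # Days without any hotfix install after which patching is flagged stale.
        [int]$StaleAfterDays = 45
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # dsregcmd reports AD and Azure AD join state as "Name : Value" lines;
    # parse them into a hashtable. Lines with an empty value are skipped.
    $ds = @{}
    dsregcmd /status 2>$null | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(\S.*)$') { $ds[$Matches[1]] = $Matches[2] }
    }

    # Local Administrators membership. Local (non-domain, non-AzureAD) principals
    # other than the built-in Administrator are the "everyone is local admin" case.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $localAdmins = @($admins | Where-Object {
        $_.PrincipalSource -eq 'Local' -and $_.Name -notmatch '\\Administrator$'
    })

    # Patch recency: newest InstalledOn across Get-HotFix results (may be absent).
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn
    $patchStale = (-not $lastPatch) -or (((Get-Date) - $lastPatch).TotalDays -gt $StaleAfterDays)

    # Defender state; Get-MpComputerStatus fails if Defender is absent or disabled.
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        DomainJoined       = $cs.PartOfDomain
        AzureAdJoined      = ($ds['AzureAdJoined'] -eq 'YES')
        MdmEnrolled        = [bool]$ds['MdmUrl']        # set when Intune/MDM-enrolled
        LocalAdminCount    = $localAdmins.Count
        LocalAdmins        = ($localAdmins.Name -join ';')
        LastPatchInstall   = $lastPatch
        PatchStale         = $patchStale
        RealTimeAV         = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }
        AVSignatureAgeDays = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
    }
}

# Usage: run on each machine, then merge the CSVs for the client conversation.
Get-EndpointPosture | Export-Csv -Path "$env:COMPUTERNAME-posture.csv" -NoTypeInformation
```

Run it once before the change and again a month after, and the delta in LocalAdminCount, PatchStale and RealTimeAV is the concrete cost of "home-style" that the decision makers can read without any AD background. Macs and Chromebooks need their own equivalent (Chromebooks at least report enrollment state in the Google Admin console), so this covers only the Windows third of the estate.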

If you are an ISV, or have built a product that you would need to manage, use Managed solutions to ship your product.

Please do a reality check and evaluate the capabilities and maturity of your organisation. If you are convinced you have the people, processes, time, and budget to adequately maintain Managed solutions, then you are welcome to use Managed solutions.

Everyone else may use Unmanaged solutions in the production environment. It is a supported and perfectly valid way of deploying a solution to a production environment. I have never heard of an instance where an organisation was negatively impacted due to the use of Unmanaged solutions. I have heard of many instances of Managed solutions causing grief due to human errors and lack of maturity of the organisation. Unmanaged solutions are more forgiving than Managed solutions when importing solutions. You can absolutely use Managed solutions in your production environment if you prefer, but please be prepared to deal with the complexities that come with it.

Wait… you’ve never heard of an organization being negatively impacted because they didn’t want to manage the endpoints? I have many, many horror stories that resulted from unmanaged endpoints. For example, last year a Christian social enterprise went from an MSP that managed their environment much as Joel is doing to a loosey-goosey approach with no centralized management of the endpoints. Long story short: they lost all their sales data for fiscal year 2019 within 30 days of the switch. That’s not something that would have happened in their managed environment, as there were several mitigations and redundancies that would have prevented it.