SAMIT: Do You Really Need Active Directory

IT Discussion | Tags: samit, scott alan miller, youtube, active directory
135 Posts, 10 Posters, 18.3k Views
Post by scottalanmiller (replying to @Obsolesce):

      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

      What do you use to sync accounts and passwords between the computer and services such as storage, email, and whatever other services require login?

      Why do you feel a need to do this, though? There is an obvious assumption, that generally stems from AD, that we want or even need this, when in fact, it's often not even desirable let alone a requirement.

      If you do need it, AD doesn't do this for me anyway, so clearly AD replacement alone isn't enough. AD doesn't provide this today (nothing does just as a blanket) so why would something else suddenly need to? If you really need single sign in everywhere, you have to address that on a unique case by case basis and see what tools work at all, let alone work well, for your specific scenario. But AD is actually quite bad at this given its LAN-assumption architecture, it's one of the worst, rather than best, approaches.

      But it's going back to the basics.... we keep approaching the problem from assumptions that are derived from AD.

Post by scottalanmiller (replying to @DustinB3403):

        @DustinB3403 said in SAMIT: Do You Really Need Active Directory:

        The gotcha is no one in the world is using the local workstation settings for this

        Actually, lots are, because the local are controlled by.... Salt, Ansible, scripts, SMB (not AD)... lots of people are doing it, and not manually touching the local tools, because there are lots of ways to do it. The assumption that AD is doing something special here is not correct. Even when we say AD does it, it's not AD doing it. It's just a shared folder, and local machines just look themselves up in AD to see what they should do with the SMB share based on their group. AD is nothing more than a directory here, too.

        There is no gotcha. It's just misconception. The consistent misconception is that everything is "AD vs manual individual control", which is never correct. The second consistent misconception is that "manual individual control" is never the right answer, when often it is.

Post by scottalanmiller (replying to @Obsolesce):

          @Obsolesce said in SAMIT: Do You Really Need Active Directory:

          When you have MS AD DS, you will have Group Policy and such, so that's a part of having it.

          That's mostly true, unless you aren't on a LAN. Then you potentially don't.

          But also, you get this with all AD, not just MS AD. AD in no way is tied to MS, nor is any of the things people associate with it.

Post by IRJ (replying to @Dashrender):

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.

            AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.

            So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?

            I have 🙂

I had to implement this with no centrally managed tool. I used wazuh to create triggers for certain events to go to the SIEM.

Based just on local logs I can

1. Know AV is currently running (systemctl timer that runs a service status check every 4 mins and writes to a log file if there are any issues)
2. Know when scans were last run by ingesting completed scan logs and creating a low level entry in SIEM
3. Know when AV database was updated (also taken from log file)
4. Know when any infections are found. It will write to the log file and in my case send a high level alert.

[image: dashboard screenshot]

            Dashboard shows scans every 2 mins. I was running this when testing to see a list of events over time.

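The four log-driven checks in the post, written out as the classification logic a SIEM rule set would apply; this is an added example, not IRJ's setup or Wazuh's own decoders, and the line format, the av-daemon service name, the sample log and the severity numbers are constructed assumptions. It also adds one check the post does not mention: alerting when the status-check timer itself stops writing.

```python
"""Classify local AV log lines into SIEM-style alerts (added example).
Line format, source names and severity levels are constructed assumptions,
not any real AV product's or Wazuh's format."""
import re
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <source> <message with key=value pairs>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Severity levels, loosely in the style of SIEM rule levels (assumed values).
LEVEL_LOW, LEVEL_HIGH = 5, 12
HEARTBEAT_INTERVAL = timedelta(minutes=4)  # cadence of the status-check timer in the post

# Constructed sample log, as the status-check timer and the AV itself might write it.
SAMPLE_LOG = """\
2024-05-01T10:00:00 avcheck status=running service=av-daemon
2024-05-01T10:04:00 avcheck status=running service=av-daemon
2024-05-01T10:06:30 scan completed files=18342 infected=0
2024-05-01T10:08:00 database updated version=27263
2024-05-01T10:08:00 avcheck status=failed service=av-daemon detail="inactive (dead)"
2024-05-01T10:09:10 scan FOUND path=/home/alice/dl/invoice.exe signature=Eicar-Test-Signature
this line is garbage and must be skipped, not crash the pipeline
""".splitlines()

def parse_line(line):
    """Return {'ts', 'source', 'text', 'fields'} or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, source, text = m.groups()
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(text)}
    return {"ts": ts, "source": source, "text": text, "fields": fields}

def classify(event):
    """Map a parsed event to (rule_name, level), or None if it needs no alert."""
    src, text, f = event["source"], event["text"], event["fields"]
    if src == "avcheck" and f.get("status") != "running":
        return "av_service_down", LEVEL_HIGH        # check 1: service not running
    if src == "scan" and text.startswith("FOUND"):
        return "av_infection_found", LEVEL_HIGH     # check 4: infection, high alert
    if src == "scan" and text.startswith("completed"):
        return "av_scan_completed", LEVEL_LOW       # check 2: low-level scan record
    if src == "database" and text.startswith("updated"):
        return "av_database_updated", LEVEL_LOW     # check 3: signature DB update
    return None

def process(lines, now):
    """Turn log lines into alert dicts; also alert when no recent heartbeat exists,
    because a dead timer writes nothing and check 1 alone cannot see that."""
    alerts, last_heartbeat = [], None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["source"] == "avcheck":  # any status line proves the timer is alive
            last_heartbeat = ev["ts"] if last_heartbeat is None else max(last_heartbeat, ev["ts"])
        hit = classify(ev)
        if hit:
            alerts.append({"ts": ev["ts"], "rule": hit[0], "level": hit[1], "fields": ev["fields"]})
    if last_heartbeat is None or now - last_heartbeat > 2 * HEARTBEAT_INTERVAL:
        alerts.append({"ts": now, "rule": "av_check_stale", "level": LEVEL_HIGH,
                       "fields": {"last_heartbeat": str(last_heartbeat)}})
    return alerts

def run_sample(now_text="2024-05-01T10:10:00"):
    """Run the constructed sample log as of the given wall-clock time."""
    return process(SAMPLE_LOG, datetime.fromisoformat(now_text))

if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"].isoformat(), a["level"], a["rule"], a["fields"])
```

Running it with a later `now` (for example `run_sample("2024-05-01T10:30:00")`) adds the av_check_stale alert, which is the case a status-only check misses.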
Post by scottalanmiller:

              Here is the bottom line that is making this all so hard...

Everything. Literally everything, around the term AD is a false assumption. Everything involving what it does, who provides the tools, how much it costs, what depends on it, why you want it, what you need it to do, what breaks without it..... is generally misconception.

              AD is a good product, with good times to use it. The things that are often associated with AD are often good products, with good time to use them. But almost every AD implementation, whether used correctly or not, is used under a state of confusion with a belief that it does something it doesn't, that it's needed to do something it's not, that it's the only way to do something that it isn't, that something was needed that isn't, etc. AD is one of those products so incredibly simple, that everyone is convinced that it has to do more than they know it does. No matter how much we explain how simple it is, the assumption is always that there is more to the story and we are just oversimplifying. But that's not the case.

              AD isn't MS only. AD isn't the only directory server. AD doesn't do anything beyond directory services. AD doesn't do security. AD doesn't enable any feature, of any OS. AD isn't necessary for any service commonly associated with it. No service commonly associated with AD is the only way to do the thing it does, either. MS is not the only maker of any service that AD is associated with. Nothing that AD does is a requirement or assumed needed functionality. Nothing done by something associated with AD is a requirement or assumed needed functionality.

              The discussion is hard because we can't remove enough assumptions. AD is such a quagmire of misinformation, incorrect terms, marketing momentum that we just have to keep chipping away at a new layer of "AD isn't actually what you think that it is."

Post by scottalanmiller (replying to @IRJ):

                @IRJ said in SAMIT: Do You Really Need Active Directory:

I had to implement this with no centrally managed tool. I used wazuh to create triggers for certain events to go to the SIEM.

                Many RMM will do this, too.

                As will MeshCentral!

                Those are both central management tools, but non-Windows ones. MC is great for knowing that AV is installed and running at every machine.

Post by IRJ (replying to @scottalanmiller):

                  @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                  @IRJ said in SAMIT: Do You Really Need Active Directory:

I had to implement this with no centrally managed tool. I used wazuh to create triggers for certain events to go to the SIEM.

                  Many RMM will do this, too.

                  As will MeshCentral!

                  Those are both central management tools, but non-Windows ones. MC is great for knowing that AV is installed and running at every machine.

SIEM is nice to use because it's one location of truth to manage.

Post by IRJ:

                    Please it is much nicer for running queries

Post by scottalanmiller (replying to @IRJ):

                      @IRJ said in SAMIT: Do You Really Need Active Directory:

                      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                      @IRJ said in SAMIT: Do You Really Need Active Directory:

I had to implement this with no centrally managed tool. I used wazuh to create triggers for certain events to go to the SIEM.

                      Many RMM will do this, too.

                      As will MeshCentral!

                      Those are both central management tools, but non-Windows ones. MC is great for knowing that AV is installed and running at every machine.

SIEM is nice to use because it's one location of truth to manage.

                      Oh yes, we are moving to that. But for "alternatives", there are more ways to skin that cat.

Post by Obsolesce (replying to @scottalanmiller):

                        @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                        So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.

                        That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.

                        Right, but you know I wasn't talking about Local group policy.

Post by Dashrender (replying to @coliver):

                          @coliver said in SAMIT: Do You Really Need Active Directory:

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.

                          AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.

                          So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?

                          AD doesn't provide this... Am I missing something?

                          We were well beyond just AD at that point.

Post by Dashrender (replying to @scottalanmiller):

                            @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                            t manually touching the local tools, because there are lots of ways to do it. The assumption that AD is doing something special

I need to stop using AD and completely and wholly replace it with AD DS, because almost no one is ever talking solely about the authentication DB that MS uses - they are talking about the whole stack of services that come together.

Post by DustinB3403 (replying to @Dashrender):

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

I need to stop using AD and completely and wholly replace it with AD DS, because almost no one is ever talking solely about the authentication DB that MS uses - they are talking about the whole stack of services that come together.

                              Are you not already doing this?

Post by Dashrender (replying to @scottalanmiller):

                                @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                Here is the bottom line that is making this all so hard...

Everything. Literally everything, around the term AD is a false assumption. Everything involving what it does, who provides the tools, how much it costs, what depends on it, why you want it, what you need it to do, what breaks without it..... is generally misconception.

                                AD is a good product, with good times to use it. The things that are often associated with AD are often good products, with good time to use them. But almost every AD implementation, whether used correctly or not, is used under a state of confusion with a belief that it does something it doesn't, that it's needed to do something it's not, that it's the only way to do something that it isn't, that something was needed that isn't, etc. AD is one of those products so incredibly simple, that everyone is convinced that it has to do more than they know it does. No matter how much we explain how simple it is, the assumption is always that there is more to the story and we are just oversimplifying. But that's not the case.

                                AD isn't MS only. AD isn't the only directory server. AD doesn't do anything beyond directory services. AD doesn't do security. AD doesn't enable any feature, of any OS. AD isn't necessary for any service commonly associated with it. No service commonly associated with AD is the only way to do the thing it does, either. MS is not the only maker of any service that AD is associated with. Nothing that AD does is a requirement or assumed needed functionality. Nothing done by something associated with AD is a requirement or assumed needed functionality.

                                The discussion is hard because we can't remove enough assumptions. AD is such a quagmire of misinformation, incorrect terms, marketing momentum that we just have to keep chipping away at a new layer of "AD isn't actually what you think that it is."

                                Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.

Also - No one here, that I've seen, has even hinted at the fact that these features aren't available through other means, in general I'd say most of us know they are - be it AAD, Intune, RMM, Salt, Ansible, etc.

Post by Dashrender (replying to @Obsolesce):

                                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                  @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                  So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.

                                  That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.

                                  Right, but you know I wasn't talking about Local group policy.

                                  Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.

                                  Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.

Post by Dashrender (replying to @DustinB3403):

                                    @DustinB3403 said in SAMIT: Do You Really Need Active Directory:

                                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

I need to stop using AD and completely and wholly replace it with AD DS, because almost no one is ever talking solely about the authentication DB that MS uses - they are talking about the whole stack of services that come together.

                                    Are you not already doing this?

                                    No because AD DS =
                                    @MS Website said

                                    Active Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to manage and store information about resources from a network, as well as application data, in a distributed database.

                                    Which means Scott still will keep saying the same thing - AD DS doesn't give you centralized GPO control.

But if AD doesn't - then what does? I mean - the workstation only checks the DC for these files in a very specific location IF it's a member of AD (granted could be MS or Linux based AD)... otherwise the workstation won't do that.

                                    And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.

Post by Obsolesce (replying to @Dashrender):

                                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                      So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.

                                      That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.

                                      Right, but you know I wasn't talking about Local group policy.

                                      Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.

                                      Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.

                                      Yeah, you can replace it all. There's no doubt there and I don't think anyone was saying otherwise. The question is how much trouble do you go through to replace something working with a bunch of different things and to manage/maintain it all.

Post by Obsolesce (replying to @Dashrender):

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.

You're better off using PowerShell scripts with SaltStack to manage registry settings and policies, along with scheduled tasks to execute some things. I'd say ansible, but that sucks when you don't know the IP of mobile devices.... such as managing laptops that are mobile and not always on your LAN. Having the client really helps keep things under control and more secure.

Post by scottalanmiller (replying to @Dashrender):

                                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                          Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.

                                          They don't, most people don't know which they are working with. We just call them GPOs because local vs. non-local is not a reference to something useful. GP isn't local or non-local. GPOs are stored locally or non-locally. But it's just where it is stored, not what it does.

Post by scottalanmiller (replying to @Obsolesce):

                                            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                            @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                            So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.

                                            That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.

                                            Right, but you know I wasn't talking about Local group policy.

Then the point becomes moot because getting rid of non-local group policy doesn't matter, as you still have group policy.

                                            If you only meant AD, what was the point of the statement? It basically says "without AD, you don't have AD", back to my point of being circular. Consistently the argument seems to be "AD for AD's sake".
