SAMIT: Do You Really Need Active Directory
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
Here is the bottom line that is making this all so hard...
Everything. Literally everything, around the term AD is a false assumption. Everything involving what it does, who provides the tools, how much it costs, what depends on it, why you want it, what you need it to do, what breaks without
it..... is generally misconception.AD is a good product, with good times to use it. The things that are often associated with AD are often good products, with good time to use them. But almost every AD implementation, whether used correctly or not, is used under a state of confusion with a belief that it does something it doesn't, that it's needed to do something it's not, that it's the only way to do something that it isn't, that something was needed that isn't, etc. AD is one of those products so incredibly simple, that everyone is convinced that it has to do more than they know it does. No matter how much we explain how simple it is, the assumption is always that there is more to the story and we are just oversimplifying. But that's not the case.
AD isn't MS only. AD isn't the only directory server. AD doesn't do anything beyond directory services. AD doesn't do security. AD doesn't enable any feature, of any OS. AD isn't necessary for any service commonly associated with it. No service commonly associated with AD is the only way to do the thing it does, either. MS is not the only maker of any service that AD is associated with. Nothing that AD does is a requirement or assumed needed functionality. Nothing done by something associated with AD is a requirement or assumed needed functionality.
The discussion is hard because we can't remove enough assumptions. AD is such a quagmire of misinformation, incorrect terms, marketing momentum that we just have to keep chipping away at a new layer of "AD isn't actually what you think that it is."
Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.
Also - No one here, that I've seen, has even hinted at the fact that these features aren't available though other means, in general I'd say most of us know they are - be it AAD, Intune, RMM, Salt, Ansible, etc.
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.
Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.
-
@DustinB3403 said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
I need to stop using AD and completely and wholy replace it with AD DS, because almost no one is ever talking solely about the authentication DB that MS uses - they are talking about the whole stack of services that come together.
Are you not already doing this?
No because AD DS =
@MS Website saidActive Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to manage and store information about resources from a network, as well as application data, in a distributed database.
Which means Scott still will keep saying the same thing - AD DS doesn't give you centralized GPO control.
But If AD doesn't - then what does? I mean - the workstation only checks the DC for these files in a very specific location IF it's a member of AD (granted could be MS or Linux based AD)... otherwise the workstation won't do that.
And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.
Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.
Yeah, you can replace it all. There's no doubt there and I don't think anyone was saying otherwise. The question is how much trouble do you go through to replace something working with a bunch of different things and to manage/maintain it all.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.
You're better off using PowerShell scripts with SaltStack to manage registry settings and policies, along with scheduled tasks to execute some things. I'd say ansible, but that sucks when you don't know the IP of mobile devices.... such as managing laptops that are mobile and not always on yoru LAN. Having the client really helps keeps things under control and more secure.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Exactly - when you hear people talking about GPO they are practically never talking about local - and if they are, I've 100% of the time heard they specifically express that it was local GPOs.
They don't, most people don't know which they are working with. We just call them GPOs because local vs. non-local is not a reference to something useful. GP isn't local or non-local. GPOs are stored locally or non-locally. But it's just where it is stored, not what it does.
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Then the point becomes moot because getting right of non-local group policy doesn't matter, as you still have group policy.
If you only meant AD, what was the point of the statement? It basically says "without AD, you don't have AD", back to my point of being circular. Consistently the argument seems to be "AD for AD's sake".
-
Scott keeps mentioning that as an MSP he doesn't need AD - and that I would agree, his clients, because NTG is an MSP, AD (and the other associated things) aren't designed to work from a central situation across different customers - but - so what? that's not the use case any one here is really talking about - Except Scott. But we'll leave that lie.
I'm gathering that Scott is of the opinion that most offices would just have a single user setup on each PC, Scott, as the IT or MSP would have an admin account on that machine (again local only) and everything else would be setup as LANless as possible.
If that's not the case - then I really cant envision Scott's typical ideal setup?
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@coliver said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
AD doesn't provide this... Am I missing something?
We were well beyond just AD at that point.
We don't seem to be, the questions keep coming back to "how do I do something without AD, that AD never did".
-
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Then the point becomes moot because getting right of non-local group policy doesn't matter, as you still have group policy.
If you only meant AD, what was the point of the statement? It basically says "without AD, you don't have AD", back to my point of being circular. Consistently the argument seems to be "AD for AD's sake".
you don't have centrally managed Group Policy - but your retort is that you that you can - just use salt or ansible or RMM, right?
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
t manually touching the local tools, because there are lots of ways to do it. The assumption that AD is doing something special
I need to stop using AD and completely and wholy replace it with AD DS, because almost no one is ever talking solely about the authentication DB that MS uses - they are talking about the whole stack of services that come together.
Still confused. AD DS is what we call AD. AD provides DS, CS, LDS, FS and RMS. No one has hinted at any use outside of DS. You don't in any way mean AD DS. You mean "the Windows ecosystem", you don't mean AD in any way, shape or form. Referencing things like SMB, WAC, GPO, etc. can never be done using "AD" in any part of the phrase. The problem is you are attempting to either casually (just saying AD) or formally (by finding a larger AD XXX term) that refers to things that aren't part of or associated with AD, while still calling them AD. You have to let it go, it's not AD. Not technically, not casually, not to Microsoft, not at all.
All of those other things are part of a stack, but not the AD stack, they are the Windows Server management stack. MS doesn't make a specific term for them, because they are all individual components, each of which can be used without the others. None require the others, but they do work well together. But you are referring to the entirety of Microsoft's Windows Server ecosystem and should not attempt to refer to any set of those parts by the name of a subset of them.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@coliver said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
AD doesn't provide this... Am I missing something?
We were well beyond just AD at that point.
We don't seem to be, the questions keep coming back to "how do I do something without AD, that AD never did".
and yet some are missing the point that the masses are talking about all the components, just just the directory service - but central admin of settings - that's probably the big two.
centralized authentication so that local user DBs don't need to be managed
centralized settings admin, again, so local settings don't have to be managed -
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Then the point becomes moot because getting right of non-local group policy doesn't matter, as you still have group policy.
If you only meant AD, what was the point of the statement? It basically says "without AD, you don't have AD", back to my point of being circular. Consistently the argument seems to be "AD for AD's sake".
you don't have centrally managed Group Policy - but your retort is that you that you can - just use salt or ansible or RMM, right?
You could use nothing and just not make data accessible with using cloud logins and MFA to access those cloud resources. No resources of value exist on the local system in that case. Even if a password is intercepted, you have MFA as well.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.
AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.
Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"
Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!
-
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
why would you even have OD if you can prevent local storage of files?
Actually I think I can answer that one myself - because local Excel wants to be used by the user - so they need either OD or SP to pull the file from the cloud.
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM. -
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Scott keeps mentioning that as an MSP he doesn't need AD - and that I would agree, his clients, because NTG is an MSP, AD (and the other associated things) aren't designed to work from a central situation across different customers - but - so what? that's not the use case any one here is really talking about - Except Scott. But we'll leave that lie.
I'm gathering that Scott is of the opinion that most offices would just have a single user setup on each PC, Scott, as the IT or MSP would have an admin account on that machine (again local only) and everything else would be setup as LANless as possible.
If that's not the case - then I really cant envision Scott's typical ideal setup?
Scott's an MSP, so obviously wants to do what is easiest for him to make him the most money.
He'll rip out a fully working AD (and friends) setup, and replace it with 100 separate things they can manage for money, and bill for the time it takes to replace, redesign, and build everything.
FOllowing it all up tens of thousands of dollars later saying "see, AD was not needed".
-
This post is deleted! -
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.
AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.
Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"
Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!
yeah, I realized that after I posted - i went the wrong direction - which I did correct in a followup post with Dustin.