    How Do You Replace Active Directory?

Water Closet
105 Posts 9 Posters 15.2k Views
Dashrender

In Gene's case, I know his company is providing RDS sessions to everyone - this removes a lot of the concern over the local device, though a key logger would still be bad...

scottalanmillerS 1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.

You've made some non-existing leap. What are you talking about? Certainly whatever you are thinking is 100% not related to AD.

DashrenderD 1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    In Gene's case, I know his company is providing RDS sessions to everyone - this removes a lot of the concern over the local device, though a key logger would still be bad...

RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.

M 1 Reply Last reply Reply Quote 0
scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    so you have 100+ devices, 100+ users and what?

Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simply scale "as it is" from a single user device.

It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.

You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?

Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.

DashrenderD 1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    Then what? How do you manage user accounts on the devices? How do you manage local admin on the devices?

This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up, as it's not changed by removing AD.

Local admin again, manage it the same as you did with AD.

DashrenderD 1 Reply Last reply Reply Quote 0

scottalanmiller

In this discussion "What do I do without AD", I think it's always going to come back to "you'd have to articulate what AD is doing for you that has value" before we could answer that. In 90% of environments that I found AD in, it is serving no function whatsoever. So there are no questions to answer. It's like your appendix. What will you do when they remove it? You'll act just like you did before, what would change?

jt1001001J 1 Reply Last reply Reply Quote 1
scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    but none of that manages the device

Just like AD. AD doesn't manage the device. This is the big myth. AD does so little.

1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    So, do you just not care about the device at all?

Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. But normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.

But let's not assume that, that's easy to just dismiss. Instead let's talk about those cases where you do need it.

If I need to manage the device, AD would be a pretty bad choice. Not the worst, but bad. First, if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume a totally oxymoronic situation and just assume we want to overly secure Windows.

Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.

DashrenderD 1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    again, user has local admin rights?

Can't figure out where this comes from.

1 Reply Last reply Reply Quote 0

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    BYOD, etc?

This is fine. It falls into irrelevant. What does this have to do with AD decisions?

1 Reply Last reply Reply Quote 0
jt1001001 @scottalanmiller

@scottalanmiller as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a Linux file server for 1 or 2 use cases where Teams/SharePoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well, it's printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.

scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 2

scottalanmiller @Dashrender

@Dashrender said in What Are You Doing Right Now:

    or something else that you've undoubtedly told me about before that I've forgotten.

It's just that none of it matters. None of these things are related to AD. AD just does SO little.

jt1001001J 1 Reply Last reply Reply Quote 0

scottalanmiller @jt1001001

@jt1001001 said in How Do You Replace Active Directory?:

    as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache.

This is generally what I find. AD providing nothing and making us do a lot of work for nothing. Especially when we log in to the command prompt via MeshCentral and never see AD creds in use! And in theory, never even need to do that.

1 Reply Last reply Reply Quote 0

jt1001001 @scottalanmiller

@Dashrender do they need local admin rights? For us the answer is NO.
Right now I'm working on an image for our systems with apps re-installed and Chocolatey for future package management. A local admin user with password known to IT (different for each machine) is created, and the IT person adds the machine to Azure AD through the Accounts section of Win 10 (with pre-set password). Reboot, new user logs in and is prompted to change their password. Will simplify this as time goes on but it's a good start.

scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
scottalanmiller @jt1001001

@jt1001001 said in How Do You Replace Active Directory?:

    A local admin user with password known to IT (different for each machine) is created

Yeah, no reason not to do that. So easy to do, and how is that different than with AD where you'd need some form of admin creds for the machines anyway. With AD we still create, manage, and track all these local admin accounts. AD doesn't manage that at all. So having AD on top of the user management is awful.

And that local admin account can be used to manage the local user accounts. Plus you CAN decide to make different local admin accounts for each admin if you prefer (that's how Linux recommends it.)

But with most tools today (RMM, MeshCentral, Salt, Ansible, ScreenConnect, etc.) you manage the users through that and don't need to log in at all.

DashrenderD 1 Reply Last reply Reply Quote 0

Dashrender @scottalanmiller

@scottalanmiller said in How Do You Replace Active Directory?:

    @Dashrender said in What Are You Doing Right Now:

        I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.

    You've made some non-existing leap. What are you talking about? Certainly whatever you are thinking is 100% not related to AD.

The quoted comment was in another thread, and not specifically about AD - but about users. And it goes back to my full post - let's say you do create non admin accounts - how are you doing that?

scottalanmillerS 1 Reply Last reply Reply Quote 0

Dashrender @scottalanmiller

@scottalanmiller said in How Do You Replace Active Directory?:

    @Dashrender said in What Are You Doing Right Now:

        so you have 100+ devices, 100+ users and what?

    Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simply scale "as it is" from a single user device.

    It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.

    You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?

    Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.

/sigh, now this is a road we've gone down before - you're the one assuming that since we started talking about AD I somehow feel that's the only option; of course it's not. You could use Salt or other management tools to create users, etc...

So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.

scottalanmillerS 1 Reply Last reply Reply Quote 0
scottalanmiller @Dashrender

@Dashrender said in How Do You Replace Active Directory?:

    let's say you do create non admin accounts - how are you doing that?

net user

Same way we always have. That goes back to the early NT days.

DashrenderD 1 Reply Last reply Reply Quote 1
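The two posts above sketch the standalone model the thread keeps returning to: a per-machine local admin account whose password only IT knows (jt1001001), and standard users created with the built-in tooling (`net user`, scottalanmiller). The script below is an added example written for this page, not code from either poster; it uses the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows 10/11 plus `net user` for the "must change password at next logon" flag, which those cmdlets lack. The account names (`itadmin`, `jsmith`), the allow-list in the audit function, and the idea of recording the generated password in a team vault are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): local account management on a
# workgroup Windows 10/11 machine with no AD. Run from an elevated prompt.
# Names and the vault hand-off are assumptions for illustration.

# 1. Per-machine IT admin account with a unique, randomly generated password.
#    The password is returned once so it can be recorded in the team's
#    password vault; it is never written to disk by this script.
function New-PerMachineAdmin {
    param([string]$Name = 'itadmin')   # assumed account name

    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $secure `
            -Description "Per-machine IT admin ($env:COMPUTERNAME)" | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    } else {
        # Account already exists (re-run / rotation): just set a fresh password.
        Set-LocalUser -Name $Name -Password $secure
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $Name; Password = $plain }
}

# 2. Standard (non-admin) end-user account. The user is forced to change the
#    pre-set password at first logon, matching the workflow in the thread.
function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $user = New-LocalUser -Name $Name -Password $InitialPassword -FullName $Name `
                -Description 'Standard user (no local admin)'
    # Make sure the account is in Users only; New-LocalUser does not touch groups.
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    # Same net.exe tool scottalanmiller refers to; sets "must change at next logon".
    net user $Name /logonpasswordchg:yes | Out-Null
    $user
}

# 3. Audit: return any member of the local Administrators group that is not on
#    the expected list, so the check can be run by an RMM job or at imaging time.
function Test-LocalAdmins {
    param([string[]]$Allowed = @('Administrator', 'itadmin'))  # assumed allow-list
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        ($_.Name -split '\\')[-1] -notin $Allowed
    }
}

# Usage (interactive):
# $admin = New-PerMachineAdmin              # record $admin.Password in the vault
# $tmp   = Read-Host 'Initial user password' -AsSecureString
# New-StandardUser -Name 'jsmith' -InitialPassword $tmp
# Test-LocalAdmins | Format-Table Name, ObjectClass, PrincipalSource   # expect no rows
```

`Test-LocalAdmins` is the piece worth wiring into whatever remote tooling is in use (the thread names MeshCentral, Salt and Ansible): an empty result confirms that no end user has quietly ended up with local admin, which is the property the whole discussion is about.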
Dashrender @scottalanmiller

@scottalanmiller said in How Do You Replace Active Directory?:

    @Dashrender said in What Are You Doing Right Now:

        Then what? How do you manage user accounts on the devices? How do you manage local admin on the devices?

    This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up, as it's not changed by removing AD.

    Local admin again, manage it the same as you did with AD.

What? You can't manage local users the same way you do with AD.

Normal office users have no idea how to create a second user that isn't an admin - it's not in their typical round.

scottalanmillerS 2 Replies Last reply Reply Quote 0

Dashrender @scottalanmiller

@scottalanmiller said in How Do You Replace Active Directory?:

    @Dashrender said in What Are You Doing Right Now:

        So, do you just not care about the device at all?

    Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. But normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.

    But let's not assume that, that's easy to just dismiss. Instead let's talk about those cases where you do need it.

    If I need to manage the device, AD would be a pretty bad choice. Not the worst, but bad. First, if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume a totally oxymoronic situation and just assume we want to overly secure Windows.

    Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.

Well - took around 5 posts to get here ... 🙂

scottalanmillerS 1 Reply Last reply Reply Quote 0