How Do You Replace Active Directory?
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM. Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends. Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO. Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days... Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable. I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. of course I've had issues before - are you saying you've never had issues with something that has a third party agent before? I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working. The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.) Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust. You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be? The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not. I guess I've just had good luck. I haven't had to poor huge amounts of time into my GPOs not working. 
 not zero - but no RMM type solution would I expect zero issues with when setting up.
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: of course I've had issues before And did your central monitoring report that to you? This is where GPO is difficult. The first thing most people without GPO experience expect when they are told about it is that they will be able to log into a central console and see the status of what has been applied and where that application has succeeded (and where it has failed.) They expect that the central AD system will somehow have monitoring and alerting as that is what would make this process valuable. But there isn't. With Salt, for example, or an RMM or an MDM, we'd never accept this kind of management without a central system that tells us that status of the endpoints. If an agent fails, we get a notification. We might still have to fix it manually (or maybe not, because with alerting comes the opportunity for automation) but at least we are told to fix it rather than either dedicated absurd amounts of manpower to seek out problems that we don't know are out there, or waiting for machines to not behave as desired and then try to track down the failed GPO as a cause. yeah, makes sense. 
- 
 @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM. Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends. Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO. Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days... Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable. I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. of course I've had issues before - are you saying you've never had issues with something that has a third party agent before? I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working. The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.) Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust. You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be? The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not. I guess I've just had good luck. I haven't had to poor huge amounts of time into my GPOs not working. 
 not zero - but no RMM type solution would I expect zero issues with when setting up.No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM. Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends. Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO. Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days... Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable. I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. of course I've had issues before - are you saying you've never had issues with something that has a third party agent before? I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working. The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.) Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust. You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be? The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not. I guess I've just had good luck. I haven't had to poor huge amounts of time into my GPOs not working. 
 not zero - but no RMM type solution would I expect zero issues with when setting up.No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process. yeah - that definitely makes sense. I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines? 
- 
 @Dashrender said in How Do You Replace Active Directory?: I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines? I've not checked either. But I bet a lot. 
- 
 admittedly, our deployment will be more "seat of the pants' as we had a DC failure and I'm the new guy so make him do it. I haven't even looked at all the potential issues and pitfalls. I just know that for a company of our size (less than 100 users, workforce now primarily remote) a central active directory structure is not necessary nor needed. We aren't doing LDAP/ADFS/SAML anywhere today. Heck we don't know yet if we even need MDM (Intune) but if the higher ups are allowing up to get licenses might as well play with it. 
- 
 @Dashrender I'll be finding out next week. 
- 
 Sorry, TLDR, very busy ATM. I really appreciate the input from everyone, this is very interesting. If I were starting from scratch and didn't want to use AD and only had Windows devices and sysadmins with only Windows experience, what would you use? The network size is small, 15 client PCs, 2 servers, everything is Windows. 
- 
 @siringo said in How Do You Replace Active Directory?: Sorry, TLDR, very busy ATM. I really appreciate the input from everyone, this is very interesting. If I were starting from scratch and didn't want to use AD and only had Windows devices and sysadmins with only Windows experience, what would you use? The network size is small, 15 client PCs, 2 servers, everything is Windows. So I'd say that that isn't enough to go on. Size isn't really a big factor. And all Windows is a small factor. But it is really management style and needs. I wouldn't worry about the experience of the system admins either, if they are truly skilled admins they can manage anything about the same, there's no real skill difference between platforms. If they have only memorized Windows then we have other issues and need to outsource the oversight no matter what. But for a network of that size, you should always outsource and always to a competent shop. You need hundreds or thousands of devices to justify any full time person, but even a one person firm needs solid IT guidance. So you can never really consider anything but outsourcing. That's another issue, but since it is in the question. An environment of that size would only be what, $500-$1000 a month for full outsourcing. Where will you find multiple internal system admins for $500 a month? Under MOST circumstances, and I truly just mean like 50% or more, I'd do nothing. And I have hundreds of environments that are super close to this (10-30 machines, 2-3 servers, mostly Windows but almost never exclusively) and definitely the answer is "nothing". Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD. In fact, the majority had AD and we removed it because we are paid flat rate, not by the hour, and we save a lot of time by managing manually at that size. Now, manually managing would be inefficient if we had to sit at each machine. For us, we use MeshCentral and TacticalRMM and manage most machines that way. You've got scripts, you've got remote access, you've got remote console so no need to interrupt the user, do everything from the command line which is best practice regardless and the effort to manage the environment is so minimal that you will be like "wow, why did I ever put AD in anywhere?" Typically we move DNS and DHCP to something like Unifi routers so we can do remote, rapid management and insight way better than Windows does. So any network configuration gets pushed out from there. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD So how do you set up the shares? Open to everyone? 
 How do you handle passwords for the local machine and sync them to the passwords required for the server?
- 
 @JasGot said in How Do You Replace Active Directory?: So how do you set up the shares? Open to everyone? I don't have a time machine so don't need to worry about shares  This is 2022, I don't think I have more than one or two customers still doing shared drives for files. I've had very little of this in the last ten years. Almost none today, except in cases where we are brought in to modernize the environment. This is 2022, I don't think I have more than one or two customers still doing shared drives for files. I've had very little of this in the last ten years. Almost none today, except in cases where we are brought in to modernize the environment.We DO have a number of customers forced by a vendor to use mapped drives, but in that specific case the vendor requires and will not support any environment where the shares have any security. They are required to be wide open (customers are all warned that the vendor is reckless and unprofessional and a malicious entity but people like to not change things up.) They use the shares purely for the app, not for file sharing. 
- 
 @JasGot said in How Do You Replace Active Directory?: How do you handle passwords for the local machine and sync them to the passwords required for the server? Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm. The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: don't have a time machine so don't need to worry about shares This is 2022, I don't think I have more than one or two customers still doing shared drives for files. Cloud based? 
 No common files stored centrally in the office?
- 
 @JasGot said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: don't have a time machine so don't need to worry about shares This is 2022, I don't think I have more than one or two customers still doing shared drives for files. Cloud based? 
 No common files stored centrally in the office?Could be either. Some places have no central office, that's starting to be a thing. Those that have a central office might not want their files stored there as it creates risk... how do you work when you aren't in the office, even if normally you are? Those that do can do modern non-mapped drives inside of the office (NextCloud, as an example, works that way.) There's lots of solutions. Including a lot of customers, actually, that do away with file sharing entirely. Not the norm, but not a one or two either. It's amazing how many businesses (including NTG) just don't need to share files anymore. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @JasGot said in How Do You Replace Active Directory?: How do you handle passwords for the local machine and sync them to the passwords required for the server? Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm. The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore. What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc? 
- 
 @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @JasGot said in How Do You Replace Active Directory?: How do you handle passwords for the local machine and sync them to the passwords required for the server? Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm. The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore. What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc? We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files. For more normal businesses, files are common, of course. We get all kinds of things. NextCloud certainly comes up. Zoho, Google, and Microsoft solutions are all used. We've got a big customer that just migrated from mapped drives to DropBox (and left their physical office behind too.) Pretty much all those solutions make sense at different times. And once in a while, traditional file storage still is needed. But when you have so many options to pick from, something is likely to fit the workflow well. 
- 
 @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM. Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends. Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO. Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days... Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable. I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. of course I've had issues before - are you saying you've never had issues with something that has a third party agent before? I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working. The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.) Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust. You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be? The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not. I guess I've just had good luck. I haven't had to poor huge amounts of time into my GPOs not working. 
 not zero - but no RMM type solution would I expect zero issues with when setting up.No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process. yeah - that definitely makes sense. I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines? You can get total sight and notification of any kind of compliance you want. The default no-setup-needed compliance policies are a great start, and now you can use your own custom compliance scripts. Additionally, through automation, the possibilities are endless. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it. So many ways. And all ways that we need in Mac and Linux worlds since GPO doesn't work there. So this is a solution in search of a problem. Add via script, Salt, Ansible, RMM, you name it. It's not a challenge in the Windows world. Who brought up GPO's? This conversation has been based on Centralized user administration. Quit with the what aboutism's. 
- 
 @DustinB3403 said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @siringo said in How Do You Replace Active Directory?: So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it. So many ways. And all ways that we need in Mac and Linux worlds since GPO doesn't work there. So this is a solution in search of a problem. Add via script, Salt, Ansible, RMM, you name it. It's not a challenge in the Windows world. Who brought up GPO's? This conversation has been based on Centralized user administration. Quit with the what aboutism's. How does centralized user management add printers? Read the question. "How do you add a new shared printer to a group of PCs?" That's GPO that he's talking about. Central User management can't do that. So the person asking the question @siringo brought it up. I just answered what was asked about the alternative to them. If you don't like him asking the question, don't complain to me. 
- 
 @scottalanmiller said in How Do You Replace Active Directory?: @Dashrender said in How Do You Replace Active Directory?: @scottalanmiller said in How Do You Replace Active Directory?: @JasGot said in How Do You Replace Active Directory?: How do you handle passwords for the local machine and sync them to the passwords required for the server? Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm. The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore. What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc? We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files. We have a crap ton of files - just not PHI. that lives in the EMR. The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc. 





