How Do You Replace Active Directory?
-
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
How do you handle passwords for the local machine and sync them to the passwords required for the server?
Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.
The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.
What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?
We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control, files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.
For more normal businesses, files are common, of course. We get all kinds of things. NextCloud certainly comes up. Zoho, Google, and Microsoft solutions are all used. We've got a big customer that just migrated from mapped drives to DropBox (and left their physical office behind too.) Pretty much all those solutions make sense at different times. And once in a while, traditional file storage still is needed. But when you have so many options to pick from, something is likely to fit the workflow well.
-
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@siringo said in How Do You Replace Active Directory?:
I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.
Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.
Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.
Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...
Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.
I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?
I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.
The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)
Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.
You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?
The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.
I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
not zero - but no RMM type solution would I expect zero issues with when setting up.
No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process.
yeah - that definitely makes sense.
I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines?
You can get total sight and notification of any kind of compliance you want. The default no-setup-needed compliance policies are a great start, and now you can use your own custom compliance scripts. Additionally, through automation, the possibilities are endless.
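The custom compliance scripts mentioned above work by having Intune run a detection script on the device and compare its output against a rules file. The following is an added example written for this page, not code from the thread or from Microsoft; the setting names (OsDriveBitLocker, SecureBoot, DefenderRealTime, DaysSinceLastHotfix) and the MoreInfoUrl are placeholders chosen here.

```powershell
# Added example: Intune custom compliance detection script.
# Intune runs this on the endpoint (as SYSTEM) and expects a single JSON
# object on stdout; the rules file uploaded with the policy compares each
# key against an expected value and marks the device non-compliant on mismatch.
# Setting names are assumptions made for this example.

$result = [ordered]@{}

# BitLocker on the OS volume. Any failure (no module, no TPM) is reported
# as "not protected" rather than left out, so the rule cannot be bypassed
# by the check simply erroring.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $result['OsDriveBitLocker'] = ($vol.ProtectionStatus -eq 'On')
} catch {
    $result['OsDriveBitLocker'] = $false
}

# Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines.
try {
    $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch {
    $result['SecureBoot'] = $false
}

# Defender real-time protection.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $result['DefenderRealTime'] = [bool]$mp.RealTimeProtectionEnabled
} catch {
    $result['DefenderRealTime'] = $false
}

# Days since the newest hotfix was installed, so the rule can say
# "patched within N days" instead of pinning a build number.
$lastFix = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$result['DaysSinceLastHotfix'] = if ($lastFix) {
    [int]((Get-Date) - $lastFix.InstalledOn).TotalDays
} else {
    9999   # no dated hotfix at all: treat as badly out of date
}

# Companion rules file (uploaded with the policy, not executed here).
# Kept inline only so the example is self-contained.
$rulesFile = @'
{
  "Rules": [
    { "SettingName": "OsDriveBitLocker", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US", "Title": "BitLocker is off", "Description": "Turn on BitLocker for the OS drive." } ] },
    { "SettingName": "SecureBoot", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Secure Boot is off", "Description": "Enable Secure Boot in UEFI firmware settings." } ] },
    { "SettingName": "DefenderRealTime", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Real-time protection is off", "Description": "Turn on Defender real-time protection." } ] },
    { "SettingName": "DaysSinceLastHotfix", "Operator": "LessEquals", "DataType": "Int64", "Operand": 45,
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Patches are stale", "Description": "Install pending Windows updates." } ] }
  ]
}
'@

# Intune reads exactly one compressed JSON object from the script output.
return $result | ConvertTo-Json -Compress
```

Two things matter for this to be a real control rather than a checkbox: every check falls to a failing value on error (a script that throws is a device that silently never reports), and the comparison is done server-side against the rules file, so the non-compliant state is visible centrally and can be wired to Conditional Access without anyone reading logs on the endpoint.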
-
@scottalanmiller said in How Do You Replace Active Directory?:
@siringo said in How Do You Replace Active Directory?:
So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it.
So many ways. And all ways that we need in Mac and Linux worlds since GPO doesn't work there. So this is a solution in search of a problem.
Add via script, Salt, Ansible, RMM, you name it. It's not a challenge in the Windows world.
Who brought up GPOs? This conversation has been based on Centralized user administration.
Quit with the whataboutisms.
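As an added example of the "add via script" route mentioned in the reply above (this is not code from the thread; the computer names, print server and share are placeholders, and it assumes WinRM is enabled and the caller is a local administrator on the targets):

```powershell
# Added example: connect a shared printer on a group of Windows PCs
# without GPO, using PowerShell remoting. Names below are placeholders.

param(
    [string[]]$ComputerName = @('PC-ACCT-01', 'PC-ACCT-02'),
    [string]$PrinterPath    = '\\printsrv01\Accounting-MFP'
)

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $PrinterPath -ScriptBlock {
    param($Path)

    # /ga creates a per-machine connection that every user who logs on gets.
    # Add-Printer -ConnectionName would only add the printer to the profile
    # of the account running this remote session, which is not what we want.
    $proc = Start-Process -FilePath rundll32.exe `
        -ArgumentList "printui.dll,PrintUIEntry /ga /n `"$Path`"" `
        -Wait -PassThru -WindowStyle Hidden

    # Per-machine connections are materialised by the spooler on start-up.
    Restart-Service -Name Spooler -Force

    # PrintUIEntry's exit code is not a reliable success signal, so also check
    # that the connection was recorded. Per-machine connections live under
    # this key, named as the UNC path with backslashes replaced by commas.
    $connKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Connections\' +
               ($Path -replace '\\', ',')

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Printer  = $Path
        ExitCode = $proc.ExitCode
        Recorded = Test-Path $connKey
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
```

The caveat a practitioner wants here is driver installation, not the connection itself. Since the August 2021 Point and Print hardening (KB5005652), a standard user can no longer pull a driver from a print server, so a per-machine connection to a server whose driver is not already on the PC will fail for non-admins. Pre-stage the driver (for example with `pnputil /add-driver`) or restrict Point and Print to an approved server list by policy; do not fix it by setting RestrictDriverInstallationToAdministrators to 0, since that reopens the PrintNightmare class of local privilege escalation.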
-
@DustinB3403 said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@siringo said in How Do You Replace Active Directory?:
So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it.
So many ways. And all ways that we need in Mac and Linux worlds since GPO doesn't work there. So this is a solution in search of a problem.
Add via script, Salt, Ansible, RMM, you name it. It's not a challenge in the Windows world.
Who brought up GPOs? This conversation has been based on Centralized user administration.
Quit with the whataboutisms.
How does centralized user management add printers? Read the question. "How do you add a new shared printer to a group of PCs?" That's GPO that he's talking about. Central User management can't do that. So the person asking the question @siringo brought it up. I just answered what was asked about the alternative to them. If you don't like him asking the question, don't complain to me.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
How do you handle passwords for the local machine and sync them to the passwords required for the server?
Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.
The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.
What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?
We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control, files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.
We have a crap ton of files - just not PHI; that lives in the EMR.
The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.
-
@scottalanmiller said in How Do You Replace Active Directory?:
Could be either. Some places have no central office, that's starting to be a thing. Those that have a central office might not want their files stored there as it creates risk... how do you work when you aren't in the office, even if normally you are? Those that do can do modern non-mapped drives inside of the office (NextCloud, as an example, works that way.)
Thanks.
Although the concept is NOT foreign to us, we have NO customers that operate with offsite data.
All are 9-5 office only shops with apps that require onsite centralized storage and a ton of scattered printers available to all departments.
-
@DustinB3403 said in How Do You Replace Active Directory?:
Who brought up GPOs? This conversation has been based on Centralized user administration.
Quit with the whataboutisms.
Ha! GPOs are by their very nature, all about centralized user administration. GPOs would be the very first solution most IT admins would identify.
-
@scottalanmiller said in How Do You Replace Active Directory?:
RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.
What do you mean by "RDS has AD as a requirement"?
In my previous company, most of us used RDS, and we did not use AD.
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.
What do you mean by "RDS has AD as a requirement"?
In my previous company, most of us used RDS, and we did not use AD.
You have to, RDS won't deploy without it. When you go to install RDS it checks for AD and won't enable until you add it.
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
In my previous company, most of us used RDS, and we did not use AD.
I'm sure you did what we do... deploy AD directly on RDS and not connect it to anything. So you get AD as a product (there's no licensing or cost involved that is extra so it doesn't have a financial component here) but none of the expected behaviour of it. But RDS only uses users provided by AD.
-
@JasGot said in How Do You Replace Active Directory?:
@DustinB3403 said in How Do You Replace Active Directory?:
Who brought up GPOs? This conversation has been based on Centralized user administration.
Quit with the whataboutisms.
Ha! GPOs are by their very nature, all about centralized user administration. GPOs would be the very first solution most IT admins would identify.
Exactly. You should not assume GPO when people say AD, because they are two different animals that just play nicely together and come together as part of an MS suite of products. But they aren't actually linked intrinsically. You can, and often do, use one without the other. Either.
But, you also have to accommodate that easily over 90% of people think that GPO and AD aren't just related but the same thing. Most IT pros that I know don't know that they aren't the same thing. They often say AD meaning GPO.
In this case, though, whoever asked the question made it clear that they meant GPO so it didn't require the assumption.
-
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Could be either. Some places have no central office, that's starting to be a thing. Those that have a central office might not want their files stored there as it creates risk... how do you work when you aren't in the office, even if normally you are? Those that do can do modern non-mapped drives inside of the office (NextCloud, as an example, works that way.)
Thanks.
Although the concept is NOT foreign to us, we have NO customers that operate with offsite data.
All are 9-5 office only shops with apps that require onsite centralized storage and a ton of scattered printers available to all departments.
That's wild. That those exist is of no surprise. Of course they do. But especially in the post (or still) COVID world, the need for working from home and eliminating offices has become so key to disaster prevention and continuity of business that any remnants we saw two years ago of offices holding out on modernizing away from office dependency (not use, just dependency) faded away.
Even places that make normal offices seem mired in locality like human and animal medical have moved (for us) to being location independent. We do tons of veterinary (and...fingers crossed... I think we just made the leap to building our first clinic of our own!!!) and that is moving in that direction rapidly. Nearly all of our clinics still store their data onsite (it's the wise move for sure), but make it available offsite. And they don't work with files, everything is application and database driven. And more and more of their staff works offsite, at least part time. Every role from reception to backoffice to even the vets themselves.
We even keep vet offices in Managua and Leon for our own vets to provide services to clinics in the US. Obviously they are medical professionals working 100% outside the office.
Vets are at the absolute peak of "everything needs to be onsite", and even they have mostly abandoned any office lock in that they can today. COVID was a nice push for that.
But I should mention, they do NOT use cloud-based apps 99% of the time, that would be insanely dumb for that business model.
-
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
How do you handle passwords for the local machine and sync them to the passwords required for the server?
Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.
The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.
What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?
We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control, files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.
We have a crap ton of files - just not PHI; that lives in the EMR.
The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.
Why does the EMR use them as files rather than contextualizing them? That's what the EMR is for. Making an EMR to just be a file server is weird.
We make Veterinary EMR and of course having file fall-back capability for one off files that can't be contextualized is important for flexibility, but it is never meant to be used, it means someone got data that was unexpected and we are in a failure avoidance mode.
Accounting records, compliance records, etc. should not be kept as files generally. Keeping files means you've essentially fallen back to paper, just digitized paper. It's far better than paper, but it's not embracing computers as data devices, just computers as paper enhancements.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Mario-Jakovina said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.
What do you mean by "RDS has AD as a requirement"?
In my previous company, most of us used RDS, and we did not use AD.
You have to, RDS won't deploy without it. When you go to install RDS it checks for AD and won't enable until you add it.
Well it is not true, because RDS is still there, and AD services are not deployed.
(I checked it)
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Mario-Jakovina said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.
What do you mean by "RDS has AD as a requirement"?
In my previous company, most of us used RDS, and we did not use AD.
You have to, RDS won't deploy without it. When you go to install RDS it checks for AD and won't enable until you add it.
Well it is not true, because RDS is still there, and AD services are not deployed.
(I checked it)
Interesting. I found a guide. So what's the purpose of doing this? Looks like a bit more work and what benefit since you normally just deploy AD local to the RDS server when you don't want to deploy it otherwise it acts (and is) local when done that way anyway. Why do the effort to work around it and have it not fully featured?
http://woshub.com/install-remote-desktop-services-rdsh-workgroup-without-domain/
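To make concrete what a workgroup RD Session Host looks like, here is an added example (written for this page; it is not the linked guide's script and not code from the thread). It assumes a stand-alone Windows Server, a license server named RDLIC01 and a local account rdsuser1, all placeholders.

```powershell
# Added example: Remote Desktop Session Host on a workgroup (non-domain)
# server. Without AD the Server Manager RDS deployment wizard is unavailable,
# so the role is installed directly and the licensing values that Group
# Policy would normally deliver are written to the policy registry keys.
# RDLIC01 and rdsuser1 are placeholder names.

$LicenseServer = 'RDLIC01'

# 1. Session Host role (a reboot completes the install).
Install-WindowsFeature -Name RDS-RD-Server -IncludeManagementTools

# 2. Licensing. These are the values behind the GPO settings
#    "Use the specified Remote Desktop license servers" and
#    "Set the Remote Desktop licensing mode". LicensingMode 2 = Per Device,
#    4 = Per User. Per User CALs are tracked against AD user objects, so a
#    workgroup host has to run Per Device.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name LicenseServers -Value $LicenseServer -Type String
Set-ItemProperty -Path $pol -Name LicensingMode  -Value 2 -Type DWord

# 3. Enable RDP and require Network Level Authentication, so credentials are
#    validated before a session (and its attack surface) is created.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Who may connect: local accounts in the local Remote Desktop Users group.
#    There is no directory here, so every RDS user is a local user on this box.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'rdsuser1'

# 5. Read back what the host believes its licensing configuration is.
Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting |
    Select-Object LicensingType, PolicySourceLicensingType
```

The consequence for the CAL discussion that follows is step 2: the RD license server can only track Per User CALs when users are domain objects, so a workgroup RDSH is effectively limited to Per Device licensing. The operational trade-off is step 4: user accounts, passwords and lockout policy now live on each session host, which is exactly the "AD as a product, localized" situation described above, just without the product.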
-
@scottalanmiller Maybe it is complicated if you have User RDS CALs.
We had Device RDS CALs, and things are very simple with them.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
How do you handle passwords for the local machine and sync them to the passwords required for the server?
Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.
The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.
What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?
We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control, files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.
We have a crap ton of files - just not PHI; that lives in the EMR.
The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.
Why does the EMR use them as files rather than contextualizing them? That's what the EMR is for. Making an EMR to just be a file server is weird.
I don't disagree. Most of the data that we create is live data, typed into the system, stored in a DB, but faxes that come in (hundreds of pages a day) have not been shown to be reliably transcribed via OCR, therefore the "paper" copy must be kept for any related issues there.
Additionally, anything human transcribed is also scanned and stored as CYA for bad data entry.
We continue to look at solutions where the data can be entered directly by the patient, the roadblock there - costs.
Accounting records, compliance records, etc. should not be kept as files generally. Keeping files means you've essentially fallen back to paper, just digitized paper. It's far better than paper, but it's not embracing computers as data devices, just computers as paper enhancements.
I've been asking about this for ages - again, cost is the reason frequently given (and staff pushback).
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
@scottalanmiller Maybe it is complicated if you have User RDS CALs.
We had Device RDS CALs, and things are very simple with them.
Something still has to deploy those CALs.
Since you're on premises you can control the number of devices you have, so device CALs work - if you opened it up and allowed people to work from home, User CALs would likely pay off.
Though I can't imagine what AD would have to do with it in either case?
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
We had Device RDS CALs, and things are very simple with them.
Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
Maybe it is complicated if you have User RDS CALs.
How do CALs relate?