How Do You Replace Active Directory?
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
We had Device RDS CALs, and things are very simple with them.
Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.
-
@Mario-Jakovina said in How Do You Replace Active Directory?:
Maybe it is complicated if you have User RDS CALs.
How do CALs relate?
-
@Dashrender said in How Do You Replace Active Directory?:
Though I can't imagine what AD would have to do with it in either case?
My thoughts, too. I'm not sure how that relates. AD doesn't interact with CALs, nor does the use of AD influence the CALs.
-
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
-
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
Why does this matter?
-
@Dashrender said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
Why does this matter?
Because we're required to enforce it.
-
@JasGot said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
Why does this matter?
Because we're required to enforce it.
I assume - because company - not because law...
Anyway - one way to do it would be whatever management solution you choose - Intune/MeshCentral/ScreenConnect/etc - you push a script that flips the switch making them have to change their password as needed.
You could also schedule a job to run locally that could do the same.
-
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
We don't, that's considered a security violation. It's unsafe and not good for productivity. One of the reasons we want AD out is that it encourages this outdated myth and by default people do things that are reckless with it.
-
@JasGot said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
Why does this matter?
Because we're required to enforce it.
By whom?
-
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
We have never been asked to lower our security in this way. As the IT department to most of our customers we typically make these recommendations so don't run into the problem. I can certainly see when it could happen and we'd have no choice, we've just been lucky.
If you are using local accounts you certainly don't lose this functionality. It isn't special with AD. It's just that the culture around AD users is to always have it, and the culture over local accounts is not to. It's amazing how many things are just cultural preferences in IT.
Here is where you set it...
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
-
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
If you are using corporate identities for employees on corporate owned devices, there's no need for local user accounts. You can use, for example, Okta/Azure AD/etc as your identity provider along with MFA with Azure/Okta/Duo/etc and the users can use their corporate provided identities to log on to their devices. Using that method there is no need to do anything there locally on the device.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@JasGot said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.
Curious.... How are you enforcing password changes at the local PC for users?
Why does this matter?
Because we're required to enforce it.
By whom?
General Motors
-
@Dashrender said in How Do You Replace Active Directory?:
you push a script that flips the switch making them have to change their password as needed.
For environments without AD, we'll set these rules at the local PC.
This is the script I came up with:
PassRules.Cmdrem Create a random number between 42 and 90 for password aging set /a _rand=(%random%*48/32768)+42 rem Set Minimum Password Length net accounts /minpwlen:12 rem Set Max Password Age to our random number net accounts /maxpwage:%_rand% rem Set refusal to allow any of the last 5 passwords net accounts /uniquepw:5 rem Lockout user after 10 failed login attempts net accounts /lockoutthreshold:10 rem Set screen timeout to 15 minutes for both AC and battery power powercfg /change monitor-timeout-ac 15 powercfg /change monitor-timeout-dc 15 rem Lock workstation after 15 minutes of idleness for both AC and battery power powercfg.exe /setacvalueindex scheme_current sub_video videoconlock 900 powercfg.exe /setdcvalueindex scheme_current sub_video videoconlock 900 -
@JasGot Aren't you the one who asked how to do this?
-
@Dashrender said in How Do You Replace Active Directory?:
@JasGot Aren't you the one who asked how to do this?
Technically he asked how WE did this
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Mario-Jakovina said in How Do You Replace Active Directory?:
We had Device RDS CALs, and things are very simple with them.
Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.
Scott, you said that RDS requires, AD - and it is not true.
I am just saying, that RDS does not require AD and RDS is very simple with Device CAL,s and without AD - there is no "AD issue" in this scenario.By the way - we did not locked down devices - devices just access RDS via VPN (or LAN)
-
@Dashrender said in How Do You Replace Active Directory?:
@JasGot Aren't you the one who asked how to do this?
I assume you are referring to my post of the script I came up with yesterday AFTER I read your post suggesting a script to do it?
Geeeeesh. The next time I want to share a solution I came up with, as a result of your suggestion, I won't.
-
@JasGot said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@JasGot Aren't you the one who asked how to do this?
I assume you are referring to my post of the script I came up with yesterday AFTER I read your post suggesting a script to do it?
Geeeeesh. The next time I want to share a solution I came up with, as a result of your suggestion, I won't.
LOL - there was no indication that you just created that -but that's awesome that you tossed something together so quickly.
