    How Do You Replace Active Directory?

    • scottalanmillerS
      scottalanmiller @Mario Jakovina
      last edited by

      @Mario-Jakovina said in How Do You Replace Active Directory?:

      We had Device RDS CALs, and things are very simple with them.

      Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.

      M 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Mario Jakovina
        last edited by

        @Mario-Jakovina said in How Do You Replace Active Directory?:

        Maybe it is complicated if you have User RDS CALs.

        How do CALs relate?

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Dashrender
          last edited by

          @Dashrender said in How Do You Replace Active Directory?:

          Though I can't imagine what AD would have to do with it in either case?

          My thoughts, too. I'm not sure how that relates. AD doesn't interact with CALs, nor does the use of AD influence the CALs.

          1 Reply Last reply Reply Quote 0
          • J
            JasGot @scottalanmiller
            last edited by

            @scottalanmiller said in How Do You Replace Active Directory?:

            Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

            Curious.... How are you enforcing password changes at the local PC for users?

            DashrenderD scottalanmillerS ObsolesceO 4 Replies Last reply Reply Quote 0
            • DashrenderD
              Dashrender @JasGot
              last edited by

              @JasGot said in How Do You Replace Active Directory?:

              @scottalanmiller said in How Do You Replace Active Directory?:

              Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

              Curious.... How are you enforcing password changes at the local PC for users?

              Why does this matter?

              J 1 Reply Last reply Reply Quote 0
              • J
                JasGot @Dashrender
                last edited by

                @Dashrender said in How Do You Replace Active Directory?:

                @JasGot said in How Do You Replace Active Directory?:

                @scottalanmiller said in How Do You Replace Active Directory?:

                Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                Curious.... How are you enforcing password changes at the local PC for users?

                Why does this matter?

                Because we're required to enforce it.

                DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @JasGot
                  last edited by

                  @JasGot said in How Do You Replace Active Directory?:

                  @Dashrender said in How Do You Replace Active Directory?:

                  @JasGot said in How Do You Replace Active Directory?:

                  @scottalanmiller said in How Do You Replace Active Directory?:

                  Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                  Curious.... How are you enforcing password changes at the local PC for users?

                  Why does this matter?

                  Because we're required to enforce it.

                  I assume - because company - not because law...

                  Anyway - one way to do it would be whatever management solution you choose - Intune/MeshCentral/ScreenConnect/etc - you push a script that flips the switch making them have to change their password as needed.

                  You could also schedule a job to run locally that could do the same.

                  J 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @JasGot
                    last edited by

                    @JasGot said in How Do You Replace Active Directory?:

                    @scottalanmiller said in How Do You Replace Active Directory?:

                    Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                    Curious.... How are you enforcing password changes at the local PC for users?

                    We don't, that's considered a security violation. It's unsafe and not good for productivity. One of the reasons we want AD out is that it encourages this outdated myth and by default people do things that are reckless with it.

                    Youtube Video

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @JasGot
                      last edited by

                      @JasGot said in How Do You Replace Active Directory?:

                      @Dashrender said in How Do You Replace Active Directory?:

                      @JasGot said in How Do You Replace Active Directory?:

                      @scottalanmiller said in How Do You Replace Active Directory?:

                      Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                      Curious.... How are you enforcing password changes at the local PC for users?

                      Why does this matter?

                      Because we're required to enforce it.

                      By whom?

                      J 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @JasGot
                        last edited by

                        @JasGot said in How Do You Replace Active Directory?:

                        @scottalanmiller said in How Do You Replace Active Directory?:

                        Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                        Curious.... How are you enforcing password changes at the local PC for users?

                        We have never been asked to lower our security in this way. As the IT department to most of our customers we typically make these recommendations, so we don't run into the problem. I can certainly see when it could happen and we'd have no choice, we've just been lucky.

                        If you are using local accounts you certainly don't lose this functionality. It isn't special with AD. It's just that the culture around AD users is to always have it, and the culture over local accounts is not to. It's amazing how many things are just cultural preferences in IT.

                        Here is where you set it...

                        Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

                        1 Reply Last reply Reply Quote 1
                        • ObsolesceO
                          Obsolesce @JasGot
                          last edited by Obsolesce

                          @JasGot said in How Do You Replace Active Directory?:

                          @scottalanmiller said in How Do You Replace Active Directory?:

                          Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                          Curious.... How are you enforcing password changes at the local PC for users?

                          If you are using corporate identities for employees on corporate owned devices, there's no need for local user accounts. You can use, for example, Okta/Azure AD/etc as your identity provider along with MFA with Azure/Okta/Duo/etc and the users can use their corporate provided identities to log on to their devices. Using that method there is no need to do anything there locally on the device.

                          1 Reply Last reply Reply Quote 0
                          • J
                            JasGot @scottalanmiller
                            last edited by

                            @scottalanmiller said in How Do You Replace Active Directory?:

                            @JasGot said in How Do You Replace Active Directory?:

                            @Dashrender said in How Do You Replace Active Directory?:

                            @JasGot said in How Do You Replace Active Directory?:

                            @scottalanmiller said in How Do You Replace Active Directory?:

                            Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                            Curious.... How are you enforcing password changes at the local PC for users?

                            Why does this matter?

                            Because we're required to enforce it.

                            By whom?

                            General Motors

                            1 Reply Last reply Reply Quote 0
                            • J
                              JasGot @Dashrender
                              last edited by

                              @Dashrender said in How Do You Replace Active Directory?:

                              you push a script that flips the switch making them have to change their password as needed.

                              For environments without AD, we'll set these rules at the local PC.

                              This is the script I came up with:
                              PassRules.Cmd

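                              rem Run from an elevated prompt; these commands need administrator rights

                              rem Create a random number from 42 to 89 for password aging
                              set /a _rand=(%random%*48/32768)+42

                              rem Set Minimum Password Length
                              net accounts /minpwlen:12

                              rem Set Max Password Age to our random number
                              net accounts /maxpwage:%_rand%

                              rem Set refusal to allow any of the last 5 passwords
                              net accounts /uniquepw:5

                              rem Lockout user after 10 failed login attempts
                              net accounts /lockoutthreshold:10

                              rem Set screen timeout to 15 minutes for both AC and battery power
                              powercfg /change monitor-timeout-ac 15
                              powercfg /change monitor-timeout-dc 15

                              rem Set the display-off timeout used while the console is locked to 15 minutes (900 seconds)
                              powercfg.exe /setacvalueindex scheme_current sub_video videoconlock 900
                              powercfg.exe /setdcvalueindex scheme_current sub_video videoconlock 900
                              rem Re-apply the current scheme so the two values above take effect
                              powercfg.exe /setactive scheme_current

                              rem Lock workstation after 15 minutes (900 seconds) of idleness via the machine inactivity limit
                              reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs /t REG_DWORD /d 900 /f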
                              
                              DashrenderD 1 Reply Last reply Reply Quote 0
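
One way to verify that the settings from a script like PassRules.Cmd actually landed on a machine, as an added example that is not part of the original thread: it parses the [System Access] section of a `secedit /export` policy file and checks the four `net accounts` values. The function name and the sample input are hypothetical; the sample is constructed.

```powershell
# Added example: audit local account policy against the values PassRules.Cmd sets.
# Test-LocalAccountPolicy and $Sample are hypothetical names; $Sample is constructed.
function Test-LocalAccountPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Collect "Key = Value" pairs from the [System Access] section only.
    $inSection = $false
    $policy = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }

    # Requirements taken from the script in the thread.
    $checks = [ordered]@{
        MinimumPasswordLength = { param($v) $v -ge 12 }
        MaximumPasswordAge    = { param($v) $v -ge 42 -and $v -le 89 }  # -1 means "never expires"
        PasswordHistorySize   = { param($v) $v -ge 5 }
        LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 }   # 0 means lockout disabled
    }

    foreach ($name in $checks.Keys) {
        $test    = $checks[$name]
        $present = $policy.ContainsKey($name)
        $value   = if ($present) { $policy[$name] } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Value     = $value
            Compliant = $present -and [bool](& $test $value)
        }
    }
}

# Constructed sample: a machine where history and lockout were never configured.
$Sample = @'
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 57
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
'@ -split "`r?`n"

Test-LocalAccountPolicy -InfLines $Sample | Format-Table -AutoSize
# Live input (elevated): secedit /export /cfg "$env:TEMP\pol.inf" /areas SECURITYPOLICY; Get-Content "$env:TEMP\pol.inf"
```

Run on a schedule or through the management tool that pushed the script, the non-compliant rows show which machines missed or reverted a setting.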
                              • DashrenderD
                                Dashrender @JasGot
                                last edited by

                                @JasGot Aren't you the one who asked how to do this?

                                scottalanmillerS J 2 Replies Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in How Do You Replace Active Directory?:

                                  @JasGot Aren't you the one who asked how to do this?

                                  Technically he asked how WE did this 😉

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    Mario Jakovina @scottalanmiller
                                    last edited by Mario Jakovina

                                    @scottalanmiller said in How Do You Replace Active Directory?:

                                    @Mario-Jakovina said in How Do You Replace Active Directory?:

                                    We had Device RDS CALs, and things are very simple with them.

                                    Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.

                                    Scott, you said that RDS requires AD - and it is not true.
                                    I am just saying that RDS does not require AD, and RDS is very simple with Device CALs and without AD - there is no "AD issue" in this scenario.

                                    By the way - we did not lock down devices - devices just access RDS via VPN (or LAN)

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      JasGot @Dashrender
                                      last edited by

                                      @Dashrender said in How Do You Replace Active Directory?:

                                      @JasGot Aren't you the one who asked how to do this?

                                      I assume you are referring to my post of the script I came up with yesterday AFTER I read your post suggesting a script to do it?

                                      Geeeeesh. The next time I want to share a solution I came up with, as a result of your suggestion, I won't.

                                      DashrenderD 1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @JasGot
                                        last edited by

                                        @JasGot said in How Do You Replace Active Directory?:

                                        @Dashrender said in How Do You Replace Active Directory?:

                                        @JasGot Aren't you the one who asked how to do this?

                                        I assume you are referring to my post of the script I came up with yesterday AFTER I read your post suggesting a script to do it?

                                        Geeeeesh. The next time I want to share a solution I came up with, as a result of your suggestion, I won't.

                                        LOL - there was no indication that you just created that - but that's awesome that you tossed something together so quickly.

                                        1 Reply Last reply Reply Quote 0