ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    How Do You Replace Active Directory?

    Scheduled Pinned Locked Moved Water Closet
    105 Posts 9 Posters 15.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said in What Are You Doing Right Now:

      In Gene's case, I know his company is providing RDS sessions to everyone - this removes a lot of the concern over the local device, though a key logger would still be bad...

      RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.

      M 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in What Are You Doing Right Now:

        so you have 100+ devices, 100+ users and what?

        Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simple scale "as it is" from a single user device.

        It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.

        You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?

        Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Dashrender
          last edited by

          @Dashrender said in What Are You Doing Right Now:

          Then what? how do you manage user accounts on the devices? How do you manage local admin on the devices?

          This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up as it's not changed by removing AD.

          Local admin again, manage it the same as you did with AD.

          DashrenderD 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            In this discussion "What do I do without AD", I think it's always going to come back to "you'd have to articulate what AD is doing for you that has value" before we could answer that. In 90% of environments that I found AD in, it is serving no function whatsoever. So there's no questions to answer. It's like your appendix. What will you do when they remove it? You'll act just like you did before, what would change?

            jt1001001J 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in What Are You Doing Right Now:

              but non of that manages the device

              Just like AD. AD doesn't manage the device. This is the big myth. AD does so little.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said in What Are You Doing Right Now:

                So, do you just not care about the device at all?

                Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. but normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.

                But let's not assume that, that's easy to just dismiss. Instead lets talk about those cases where you do need it.

                If I need to manage the device, AD would be a pretty bad choice. Not the worse, but bad. First if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume total oxymoronic situation any just assume we want to overly secure Windows.

                Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.

                DashrenderD 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in What Are You Doing Right Now:

                  again, user has local admin rights?

                  Can't figure out where this comes from.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in What Are You Doing Right Now:

                    BOYD, etc?

                    This is fine. It falls into irrelevant. What does this have to do with AD decisions?

                    1 Reply Last reply Reply Quote 0
                    • jt1001001J
                      jt1001001 @scottalanmiller
                      last edited by

                      @scottalanmiller as I found in our case, AD here was adding absolutes 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a linux file server for 1 or 2 use cases where Teams/Sharepoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well its printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.

                      scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 2
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in What Are You Doing Right Now:

                        or something else that you've undoubtedly told me about before that I've forgotten.

                        It's just that none of it matters. None of these things are related to AD. AD just does SO little.

                        jt1001001J 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @jt1001001
                          last edited by

                          @jt1001001 said in How Do You Replace Active Directory?:

                          as I found in our case, AD here was adding absolutes 0% while actually creating more of an administrative headache.

                          This is generally what I find. AD providing nothing and making us do a lot of work for nothing. Especially when we log in to the command prompt via MeshCentral and never see AD creds in use! ANd in theory, never even need to do that.

                          1 Reply Last reply Reply Quote 0
                          • jt1001001J
                            jt1001001 @scottalanmiller
                            last edited by

                            @Dashrender do they need local admin rights? For us the answer is NO.
                            Right now I'm working on an image for our systems with apps re-installed and Chocolaty for future package management. A local admin user with password known to IT (different foe each machine) is created, and I-T person adds machine to Azure AD though Accounts section of Win 10 (with pre-set password). Reboot, new user logs in and is prompted to change their password. Will simplify this as time goes on but its a good start.

                            scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @jt1001001
                              last edited by

                              @jt1001001 said in How Do You Replace Active Directory?:

                              A local admin user with password known to IT (different foe each machine) is created

                              Yeah, no reason not to do that. So easy to do and how is that different than with AD where you'd need some form of admin creds for the machines anyway. With AD we still create, manage, and track all these local admin accounts. AD doesn't manage that at all. So having AD on top of the user management is awful.

                              And that local admin account can be used to manage the local user accounts. Plus you CAN decide to make different local admin accounts for each admin if you prefer (that's how Linux recommends it.)

                              But with most tools today (RMM, MeshCentral, Salt, Ansible, ScreenConnect, etc.) you manage the users through that and don't need to log in at all.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said in How Do You Replace Active Directory?:

                                @Dashrender said in What Are You Doing Right Now:

                                I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.

                                You've made some non-existing leap. What are you talking about? Certainly whatever you are thinking is 100% not related to AD.

                                the quoted comment was in another thread, and not specifically about AD - but about users. and goes back to my full post - let's say you do create non admin accounts - how are you doing that?

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in How Do You Replace Active Directory?:

                                  @Dashrender said in What Are You Doing Right Now:

                                  so you have 100+ devices, 100+ users and what?

                                  Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simple scale "as it is" from a single user device.

                                  It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.

                                  You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?

                                  Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.

                                  /sigh, now this is a road we've gone down before - you're the one assuming since we started talking about AD you feel that I somehow feel that's the only option, of course it's not. You could use Salt of other management tools to create users, etc...

                                  So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in How Do You Replace Active Directory?:

                                    let's say you do create non admin accounts - how are you doing that?

                                    net user

                                    Same way we always have. That goes back to the early NT days.

                                    DashrenderD 1 Reply Last reply Reply Quote 1
                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in How Do You Replace Active Directory?:

                                      @Dashrender said in What Are You Doing Right Now:

                                      Then what? how do you manage user accounts on the devices? How do you manage local admin on the devices?

                                      This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up as it's not changed by removing AD.

                                      Local admin again, manage it the same as you did with AD.

                                      what? you can't manage local users the same way you do with AD.

                                      Normal office users have no idea how to create a second user that isn't and admin - it's not in they typical round.

                                      scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in How Do You Replace Active Directory?:

                                        @Dashrender said in What Are You Doing Right Now:

                                        So, do you just not care about the device at all?

                                        Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. but normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.

                                        But let's not assume that, that's easy to just dismiss. Instead lets talk about those cases where you do need it.

                                        If I need to manage the device, AD would be a pretty bad choice. Not the worse, but bad. First if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume total oxymoronic situation any just assume we want to overly secure Windows.

                                        Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.

                                        well - took around 5 posts to get here ... 🙂

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in How Do You Replace Active Directory?:

                                          So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.

                                          But you know no one would. Why keep bringing it up when you know the answer is "manage them any number of super obvious ways the same as it is already done in all other platforms and how it is done in Windows". You know the answer, but keep asking the question as if "give users local admin" is the answer. Obviously it is not.

                                          It's a silly question to ask. It's the easiest thing ever. But there's no one answer, that would be silly. Even in our limited scope here we likely have four different ways at the ready at any given moment. Let's see....

                                          ScreenConnect
                                          MeshCentral
                                          TacticalRMM
                                          Salt

                                          And then if you log in first... net user or just use the GUI.

                                          That's six ways quickly off of the top of my head. Not six options to deploy, six approaches I have on all of my machines right now. Local user management is so simple and straightforward, the question would have to be ... how can you not manage them? Every tool out there, including the OS itself, has this included. It's the first function everything does. Except, of course, AD. AD is the one tool that doesn't address this.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said in How Do You Replace Active Directory?:

                                            hat? you can't manage local users the same way you do with AD.

                                            Yes, you can. AD doesn't manage it at all. YOu are expected to log in and user "net user." That continues to work the same.

                                            DashrenderD 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 6 / 6
                                            • First post
                                              Last post