    How Do You Replace Active Directory?

    105 Posts 9 Posters 15.2k Views
    • scottalanmiller @Dashrender

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in What Are You Doing Right Now:

      So, do you just not care about the device at all?

      Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible, but normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.

      But let's not assume that, that's easy to just dismiss. Instead let's talk about those cases where you do need it.

      If I need to manage the device, AD would be a pretty bad choice. Not the worst, but bad. First, if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume a totally oxymoronic situation and just assume we want to overly secure Windows.

      Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.

      well - took around 5 posts to get here ... 🙂

      It would be faster if you started with "I care about devices because X." Because you care about them, but we don't know why. That we don't and shouldn't care about ours doesn't really help you. That 90% of businesses shouldn't care doesn't help you. The only things that matter are 1) Do you care and 2) why?

      Answer that and none of this should matter.

      • scottalanmiller

        So let's start asking the questions that really matter...

        Why do you @Dashrender care about AD? What value do you see in what it does?

        Why do you care about tightly managing a device that is designed to be self sufficient? And why would you want to introduce AD which often disables critical security features (like updates.) Why do you care about the tight control of non-local user accounts? And how are you managing local user accounts today?

        All the things that you are asking us, ask yourself. You have asked us this many times. But I don't know why any of these topics matter to you because by default, none of them should matter except for very special needs.

        • Dashrender @jt1001001

          @jt1001001 said in How Do You Replace Active Directory?:

          @scottalanmiller as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a Linux file server for 1 or 2 use cases where Teams/SharePoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well it's printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.

          While potentially a large shift in workflow - moving to teams/sharepoint from windows shares can be challenging though not impossible.

          What is your plan for people logging into their devices provided by the company? Will you use something like Salt to deploy state machines, a local admin that you know, but not the user? How about the user account itself? I mean sure, in this case, what that user account is I guess doesn't really matter, but I'm also guessing that you don't want to deploy "user" as everyone's username on all devices (again through something like Salt, or even when you just roll out the machines).

          Printing can be managed by web based printing solutions, or even Salt I assume could create local IP printers and everyone could print direct to the printers.

          Last thing - Linux SMB share - is the plan to make an account on the Linux box for each user - and they'll manage that no different than they do their cloud services account? You'll likely have to help them map their drives - yeah, instructions in an email can likely get most users to get this working.

          • Dashrender @jt1001001

            @jt1001001 said in How Do You Replace Active Directory?:

            @Dashrender do they need local admin rights? For us the answer is NO.
            Right now I'm working on an image for our systems with apps re-installed and Chocolatey for future package management. A local admin user with password known to IT (different for each machine) is created, and the IT person adds the machine to Azure AD through the Accounts section of Win 10 (with pre-set password). Reboot, new user logs in and is prompted to change their password. Will simplify this as time goes on but it's a good start.

            No - luckily we have nothing so broken as to require local admin to run.
            Interesting - so you've added AAD to the mix.
            so you're replacing AD with AAD for the user accounts.

            • Dashrender @scottalanmiller

              @scottalanmiller said in How Do You Replace Active Directory?:

              @jt1001001 said in How Do You Replace Active Directory?:

              A local admin user with password known to IT (different for each machine) is created

              Yeah, no reason not to do that. So easy to do and how is that different than with AD where you'd need some form of admin creds for the machines anyway. With AD we still create, manage, and track all these local admin accounts. AD doesn't manage that at all. So having AD on top of the user management is awful.

              And that local admin account can be used to manage the local user accounts. Plus you CAN decide to make different local admin accounts for each admin if you prefer (that's how Linux recommends it.)

              But with most tools today (RMM, MeshCentral, Salt, Ansible, ScreenConnect, etc.) you manage the users through that and don't need to log in at all.

              MC manages the local user accounts? I'm going to have to read up on that.
              I agree with the rest here.

              • Dashrender @scottalanmiller

                @scottalanmiller said in How Do You Replace Active Directory?:

                @Dashrender said in How Do You Replace Active Directory?:

                let's say you do create non admin accounts - how are you doing that?

                net user

                Same way we always have. That goes back to the early NT days.

                How manual of you.
                I suppose if you're touching all the computers for setup, you're already there, not that big of deal....

                • scottalanmiller @Dashrender

                  @Dashrender said in How Do You Replace Active Directory?:

                  MC manages the local user accounts? I'm going to have to read up on that.

                  The same as you would through sitting at the machine, through PowerShell Remoting, or SSH. You still have to use the commands. But MC provides the access. It's manual, not centralized. But that's how Windows works out of the box. MC just allows you to do it while a user is using the machine, without needing creds of any user.

                  • scottalanmiller @Dashrender

                    @Dashrender said in How Do You Replace Active Directory?:

                    @scottalanmiller said in How Do You Replace Active Directory?:

                    @Dashrender said in How Do You Replace Active Directory?:

                    let's say you do create non admin accounts - how are you doing that?

                    net user

                    Same way we always have. That goes back to the early NT days.

                    How manual of you.
                    I suppose if you're touching all the computers for setup, you're already there, not that big of deal....

                    Right, when setting up a computer you have to put in a hostname, supply other settings, etc. I don't see this as any more or less work than with AD.

                    With AD I have two basic choices when deploying a new computer. Either do a bit of creating a user and applying it only to the appropriate devices that it is expected to be used on. Or doing it the same for all machines. In both cases, I can do the same without AD using net user about the same. Either just manually as the machine is set up, or a simple script that sets them all the same on each device. This is where I'm always confused... what's AD providing me? Even with 1000 users and 1000 devices, I get no benefit at setup time.

                    Users having central password reset isn't something that Windows handles by default internally without AD, but even in AD environments this is rarely beneficial. When it is, it's really important. But when it is really important, it's not hard to provide any number of third party tools that handle that from a trivially simple script to Salt.

                    • Dashrender @scottalanmiller

                      @scottalanmiller said in How Do You Replace Active Directory?:

                      @Dashrender said in How Do You Replace Active Directory?:

                      What? You can't manage local users the same way you do with AD.

                      Yes, you can. AD doesn't manage it at all. You are expected to log in and use "net user." That continues to work the same.

                      You're right - local user - but I don't give a toss about local users. We have users who hop around to 6+ machines... so those users would either have 6 different accounts (potentially synced by the user themselves) or an account that is somehow synced between them. Considering we have AD today providing centralized user authentication (again, you're right, not local users at all) I can't see management accepting a solution where a user has to manage these accounts between the machines themselves and not be centralized.

                      • Dashrender @scottalanmiller

                        @scottalanmiller said in How Do You Replace Active Directory?:

                        So let's start asking the questions that really matter...

                        Why do you @Dashrender care about AD? What value do you see in what it does?

                        I don't care about AD - I care about centralized authentication of all devices. I'd likely be just as happy with JumpCloud/AAD/SAMBA/etc.

                        Why do you care about tightly managing a device that is designed to be self sufficient? And why would you want to introduce AD which often disables critical security features (like updates.)

                        AD doesn't disable updates any more than AD provides GPO.

                        Why do you care about the tight control of non-local user accounts? And how are you managing local user accounts today?

                        Local user accounts are disabled.

                        I use GPOs a lot today. Learning other options like Salt or Ansible, etc, i.e. state machines would allow me to potentially move away from GPOs.

                        • scottalanmiller @Dashrender

                          @Dashrender said in How Do You Replace Active Directory?:

                          I don't care about AD - I care about centralized authentication of all devices.

                          But... why? Why is this something that you care about? It's not an end goal. It's a means. But what is the end?

                          • scottalanmiller @Dashrender

                            @Dashrender said in How Do You Replace Active Directory?:

                            Local user accounts are disabled.
                            I use GPOs a lot today. Learning other options like Salt or Ansible, etc, i.e. state machines would allow me to potentially move away from GPOs.

                            Or you can use them to deploy GPOs.

                            • siringo

                              I dunno. Sorry I haven't read all this, my back is giving me hell ATM.

                              So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it.

                              I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

                              I can understand how you could use an MDM to manage Windows devices, but why not just use native AD?

                              I cannot see any corp running 1000's of Windows devices without AD. However I could see a small business not using AD.

                              • 1337 @scottalanmiller

                                @scottalanmiller said in How Do You Replace Active Directory?:

                                @Dashrender said in How Do You Replace Active Directory?:

                                I don't care about AD - I care about centralized authentication of all devices.

                                But... why? Why is this something that you care about? It's not an end goal. It's a means. But what is the end?

                                Since he has users that use several workstations, I would venture that the end goal is having the same login credentials on every workstation the user uses.

                                • DustinB3403 @siringo

                                  @siringo said in How Do You Replace Active Directory?:

                                  I cannot see any corp running 1000's of Windows devices without AD. However I could see a small business not using AD.

                                  Scott seems to only deal in little Windows environments, hence he always questions the practical use cases of AD and central user administration.

                                  • Dashrender @DustinB3403

                                    @DustinB3403 said in How Do You Replace Active Directory?:

                                    @siringo said in How Do You Replace Active Directory?:

                                    I cannot see any corp running 1000's of Windows devices without AD. However I could see a small business not using AD.

                                    Scott seems to only deal in little Windows environments, hence he always questions the practical use cases of AD and central user administration.

                                    Agreed.
                                    From this discussion - centralized user admin is not something Scott seems to ever need; I guess a person at his customers never wants to utilize more than one computer.

                                    Even @jt1001001 appears to want centralized user administration because he's stated he adds the machines to AAD.

                                    @jt1001001 said in How Do You Replace Active Directory?:

                                    @scottalanmiller as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a Linux file server for 1 or 2 use cases where Teams/SharePoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well it's printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.

                                    • scottalanmiller @siringo

                                      @siringo said in How Do You Replace Active Directory?:

                                      So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it.

                                      So many ways. And all ways that we need in Mac and Linux worlds since GPO doesn't work there. So this is a solution in search of a problem.

                                      Add via script, Salt, Ansible, RMM, you name it. It's not a challenge in the Windows world.

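The "simple script that sets them all the same on each device" mentioned a few posts up for local users, and the scripted printer deployment in this post, written out as one PowerShell baseline. This is an added example from the editor, not code posted by any participant: the account names, the TEST-NET printer address and the driver name are constructed placeholders, and it assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts and PrintManagement modules.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): a per-device baseline that does as a
# script what the posts describe doing by hand with "net user": ensure an
# IT-only local admin with a per-machine password, a set of standard non-admin
# users, and a direct-IP printer, and flag anything unexpected in Administrators.
# All names, the printer address (TEST-NET-1) and the driver name are placeholders.

function New-RandomPassword {
    param([int]$Length = 20)
    # Letters and digits only, so the value survives net.exe argument quoting.
    $chars = (48..57) + (65..90) + (97..122)
    -join ($chars | Get-Random -Count $Length | ForEach-Object { [char]$_ })
}

function Set-LocalAccountBaseline {
    param(
        # Per-machine IT admin password, pulled from the IT password store.
        [Parameter(Mandatory)] [securestring] $ItAdminPassword,
        [string]   $ItAdminName   = 'it-admin',                            # placeholder
        [string[]] $StandardUsers = @('frontdesk', 'exam1', 'exam2'),      # constructed
        [string]   $PrinterName   = 'Front Office Printer',                # constructed
        [string]   $PrinterHost   = '192.0.2.50',                          # TEST-NET-1
        [string]   $PrinterDriver = 'Microsoft Print To PDF'               # placeholder
    )

    $report = [ordered]@{ Created = @(); InitialPasswords = @{}; UnexpectedAdmins = @() }

    # 1. IT-known local admin: create it, or rotate the password on later runs.
    if (-not (Get-LocalUser -Name $ItAdminName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $ItAdminName -Password $ItAdminPassword `
            -Description 'IT local admin (per-device password)' -PasswordNeverExpires | Out-Null
        $report.Created += $ItAdminName
    } else {
        Set-LocalUser -Name $ItAdminName -Password $ItAdminPassword
    }
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $ItAdminName -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $ItAdminName
    }

    # 2. Standard users: members of Users only, random one-time password,
    #    forced to change it at first logon.
    foreach ($name in $StandardUsers) {
        if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) { continue }
        $initial = New-RandomPassword
        New-LocalUser -Name $name -Password (ConvertTo-SecureString $initial -AsPlainText -Force) `
            -Description 'Standard user (baseline script)' | Out-Null
        # Unlike net.exe, New-LocalUser adds no group membership by itself.
        Add-LocalGroupMember -Group 'Users' -Member $name
        # New-LocalUser has no "must change at next logon" switch; net.exe does.
        net user $name /logonpasswordchg:yes | Out-Null
        $report.Created += $name
        $report.InitialPasswords[$name] = $initial   # hand to the user out of band
    }

    # 3. Least-privilege check: anything in Administrators other than the
    #    built-in account (RID 500) and the IT admin is reported for review.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
        $isBuiltin = $m.SID.Value -like 'S-1-5-21-*-500'
        $isItAdmin = $m.Name -eq "$env:COMPUTERNAME\$ItAdminName"
        if (-not $isBuiltin -and -not $isItAdmin) { $report.UnexpectedAdmins += $m.Name }
    }

    # 4. Direct-IP printer: the "print straight to the printer" option from the thread.
    $portName = "IP_$PrinterHost"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $PrinterHost
    }
    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $PrinterDriver -PortName $portName
    }

    [pscustomobject]$report
}

# Example run; the admin password comes from the IT vault, never typed inline.
Set-LocalAccountBaseline -ItAdminPassword (Read-Host -AsSecureString 'IT admin password')
```

The same function is what a Salt, Ansible or RMM job would push to each device; run it again later and it only rotates the IT admin password and reports drift in the Administrators group.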
                                      • scottalanmiller @siringo

                                        @siringo said in How Do You Replace Active Directory?:

                                        I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

                                        Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

                                        Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

                                        • scottalanmiller @siringo

                                          @siringo said in How Do You Replace Active Directory?:

                                          I can understand how you could use an MDM to manage Windows devices, but why not just use native AD?

                                          Lots of reasons. And no one is saying that AD is NEVER right, just NOT OFTEN. It's not the same thing. AD has a place in extremely legacy networks where other factors have kept modernization from happening.

                                          So why not AD?

                                          1. Fragility. AD breaks easily and presents risk. All directory services do to some degree, AD does more than most.
                                          2. Cost. AD requires more licensing and management than other solutions. Often doing the same task takes more time and effort with AD and there are large amounts of cleanup and troubleshooting time that otherwise would not exist. Sure we can use an open source AD, but the effort and complexity is still there even if the licensing is not.
                                          3. Risk. AD creates a sprawling attack surface that is easy prey for attackers. If extremely well designed, managed, and maintained AD's risks can be pretty minimal as the protocols themselves are rock solid, but the fundamental assumptions and value proposition of AD are based on decades old pre-Internet "LAN-based" network design which is the prime target for attackers because it is both wildly insecure by design and because it flags an organization as being in a legacy mode which means that their chances of a successful attack because of a lack of security posture is hundreds of times better. The real value to AD only exists when several other legacy and super high risk practices are combined with it, like mapped drives and LAN trust.
                                          4. Lack of Flexibility. AD is like land line telephones for a business - it works technically, but doesn't provide the basic functionality that is just expected today. If you use AD, you "feel" the lack of modern usability. Today we expect logins to be fast, mobile, universal, secure, etc. We expect that we can work from anywhere, anytime, without having to do something unthinkably risky like adding a VPN which isn't just risky, but slow, fragile, and cumbersome. AD is a LAN-only technology, it has no accommodations for working over a WAN even for office sites and absolutely no accommodations for mobile workers. Terrible ideas like RDS, VPNs, and VDI are based around accepting lots of inefficiency and risk to work around legacy infrastructure like AD (and often decades outdated apps too, it's rarely only AD.) The way that people expect to be able to work in a modern world, the way that businesses expect to be able to compete just isn't accommodated by AD. AD was the last hurrah of a short lived LAN-centric network authentication model whose place in the IT universe arose in the early 1990s and was approaching antique status towards the end of the decade and was all petering out in the early 2000s. There is a reason that all other, more flexible, directories like this died off and why no other platform other than Windows takes any interest in these solutions - it's not for lack of access to them, it's a lack of need.
                                          5. It encourages, but certainly doesn't require, use of cumbersome management techniques like remote GUI logins and GPOs. You can use AD and not get stuck into that mindset, but find me a shop that uses AD and avoids those entrapments.
                                          6. Platform lock-in. Sure, you can join other things to AD but support and reliability isn't the best and it doesn't provide a universal tool set when doing so. When you deploy AD you essentially either commit to your directory service being a partial solution and still needing another solution anyway (which is crazy common), or to using AD only for the most basic features, or to being trapped on Windows. Which might be a good choice today, but "trapped" on any platform carries technical debt and risk that is rarely a good thing. It can be, but very rarely.
                                          • scottalanmiller @siringo

                                            @siringo said in How Do You Replace Active Directory?:

                                            I cannot see any corp running 1000's of Windows devices without AD.

                                            And yet those with hundreds of thousands of devices do so without any issue at all. Some things to keep in mind...

                                            1. Essentially anyone running 1000s or more of Windows devices will have tons of non-Windows devices too, making AD a serious problem to deal with as its value is super low as it can't be "the" solution, just a partial solution.
                                            2. Windows isn't crippled like people think and doesn't depend on AD or other Microsoft add-on products for management functionality. All those modern tools that Mac and Linux users tend to use (MDM, state machines, scripts) work on Windows too and let you use a single toolset across all devices.
                                            3. The bigger the company, the more likely that AD can't address its needs. We are a tiny company of 55 people and yes, we run Linux primarily and Mac secondarily and Windows is purely for BYOD users (always optional, we provide Linux devices) but even if we were 100% Windows, at our size, AD doesn't work in any way whatsoever. It would provide no benefit even if it worked, but doesn't work. Big companies have (generally) lots of locations to deal with (AD can do this, but it starts to get more cumbersome and costly), mobile workers (sales people for example), work from home workers, and big concerns about the security exposure of AD. The bigger you are, the harder it is to make the limitations of AD fit.
                                            4. MSPs are effectively complex companies with thousands of devices and there is a reason that we all considered using AD (open source AD can do this) across customers and no one does - because it just isn't effective. You can imagine how nice that idea sounds... imagine a single authentication source and policy management tool that spans customers turning lots of little shops into a giant "enterprise" with all that efficiency so that the IT desk acts more like an internal one. It has a lot of promise, a lot of value. But it is so cumbersome, so risky, and so complex and slow and doesn't add real value to the customers. (Plus most MSPs make bank selling AD management so providing something that takes less effort isn't in their financial interests - AD is one of those core things that sounds reasonable but is a way for MSPs to generate loads of extra billable hours.) So that's a good indicator: if MSPs don't see a value to it, and their entire industry is based off of assessing IT value, then likely there's a financial problem with it. So MSPs are just like any other enterprise with 1000s of Windows devices and isolated departments. In fact, as an MSP, my customers are WAY more integrated with each other than the departments inside someplace like IBM are. IBM's departments are so isolated from each other that each had its own IT department that never spoke to each other. The MSP customers have shared IT. So MSPs can be way more like the Fortune 500 than you'd think in some ways.
                                            5. Even many small shops remove AD when they evaluate it today. Sure they lack the big scale that makes us assume that AD would be necessary, but they rip it out because it creates problems without solving them. Even pretty small businesses today want the flexibility that comes with not having AD. You don't have to be big at all to run into the limitations.