    How Do You Replace Active Directory?

Category: Water Closet
105 Posts 9 Posters 15.1k Views
scottalanmiller @siringo

      @siringo said in How Do You Replace Active Directory?:

      I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

      Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

      Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

scottalanmiller @siringo

        @siringo said in How Do You Replace Active Directory?:

        I can understand how you could use an MDM to manage Windows devices, but why not just use native AD?

        Lots of reasons. And no one is saying that AD is NEVER right, not NOT OFTEN. It's not the same thing. AD has a place in extremely legacy networks where other factors have kept modernization from happening.

        So why not AD?

        1. Fragility. AD breaks easily and presents risk. All directory services do to some degree, AD does more than most.
2. Cost. AD requires more licensing and management than other solutions. Often doing the same task takes more time and effort with AD and there are large amounts of cleanup and troubleshooting time that otherwise would not exist. Sure we can use an open source AD, but the effort and complexity is still there even if the licensing is not.
3. Risk. AD creates a sprawling attack surface that is easy prey for attackers. If extremely well designed, managed, and maintained AD's risks can be pretty minimal as the protocols themselves are rock solid, but the fundamental assumptions and value proposition of AD are based on decades-old pre-Internet "LAN-based" network design which is the prime target for attackers because it is both wildly insecure by design and because it flags an organization as being in a legacy mode which means that their chances of a successful attack because of a lack of security posture are hundreds of times better. The real value to AD only exists when several other legacy and super high risk practices are combined with it, like mapped drives and LAN trust.
4. Lack of Flexibility. AD is like land line telephones for a business - it works technically, but doesn't provide the basic functionality that is just expected today. If you use AD, you "feel" the lack of modern usability. Today we expect logins to be fast, mobile, universal, secure, etc. We expect that we can work from anywhere, anytime, without having to do something unthinkably risky like adding a VPN which isn't just risky, but slow, fragile, and cumbersome. AD is a LAN-only technology; it has no accommodations for working over a WAN even for office sites and absolutely no accommodations for mobile workers. Terrible ideas like RDS, VPNs, and VDI are based around accepting lots of inefficiency and risk to work around legacy infrastructure like AD (and often decades outdated apps too, it's rarely only AD.) The way that people expect to be able to work in a modern world, the way that businesses expect to be able to compete just isn't accommodated by AD. AD was the last hurrah of a short-lived LAN-centric network authentication model whose place in the IT universe arose in the early 1990s and was approaching antique status towards the end of the decade and was all petering out in the early 2000s. There is a reason that all other, more flexible, directories like this died off and why no other platform other than Windows takes any interest in these solutions - it's not for lack of access to them, it's a lack of need.
        5. It encourages, but certainly doesn't require, use of cumbersome management techniques like remote GUI logins and GPOs. You can use AD and not get stuck into that mindset, but find me a shop that uses AD and avoids those entrapments.
6. Platform lock-in. Sure, you can join other things to AD but support and reliability isn't the best and it doesn't provide a universal tool set when doing so. When you deploy AD you essentially either commit to your directory service being a partial solution and still needing another solution anyway (which is crazy common), or to using AD only for the most basic features, or to being trapped on Windows. Which might be a good choice today, but "trapped" on any platform carries technical debt and risk that is rarely a good thing. It can be, but very rarely.
scottalanmiller @siringo

          @siringo said in How Do You Replace Active Directory?:

          I cannot see any corp running 1000's of Windows devices without AD.

          And yet those with hundreds of thousands of devices do so without any issue at all. Some things to keep in mind...

          1. Essentially anyone running 1000s or more of Windows devices will have tons of non-Windows devices too, making AD a serious problem to deal with as its value is super low as it can't be "the" solution, just a partial solution.
          2. Windows isn't crippled like people think and doesn't depend on AD or other Microsoft add on products for management functionality. All those modern tools that Mac and Linux users tend to use (MDM, state machines, scripts) work on Windows too and let you use a single toolset across all devices.
          3. The bigger the company, the more likely that AD can't address its needs. We are a tiny company of 55 people and yes, we run Linux primarily and Mac secondarily and Windows is purely for BYOD users (always optional, we provide Linux devices) but even if we were 100% Windows, at our size, AD doesn't work in any way whatsoever. It would provide no benefit even if it worked, but doesn't work. Big companies have (generally) lots of locations to deal with (AD can do this, but it starts to get more cumbersome and costly), mobile workers (sales people for example), work from home workers, and big concerns about the security exposure of AD. The bigger you are, the harder it is to make the limitations of AD fit.
4. MSPs are effectively complex companies with thousands of devices and there is a reason that we all considered using AD (open source AD can do this) across customers and no one does - because it just isn't effective. You can imagine how nice that idea sounds... imagine a single authentication source and policy management tool that spans customers turning lots of little shops into a giant "enterprise" with all that efficiency so that the IT desk acts more like an internal one. It has a lot of promise, a lot of value. But it is so cumbersome, so risky, and so complex and slow and doesn't add real value to the customers. (Plus most MSPs make bank selling AD management so providing something that takes less effort isn't in their financial interests - AD is one of those core things that sounds reasonable but is a way for MSPs to generate loads of extra billable hours.) So that's a good indicator, if MSPs don't see a value to it, their entire industry is based off of assessing IT value, then likely there's a financial problem with it. So MSPs are just like any other enterprise with 1000s of Windows devices and isolated departments. In fact, as an MSP, my customers are WAY more integrated to each other than the departments inside someplace like IBM are. IBM's departments are so isolated from each other that each had its own IT department that never spoke to each other. The MSP customers have shared IT. So MSPs can be way more like the Fortune 500 than you'd think in some ways.
          5. Even many small shops remove AD when they evaluate it today. Sure they lack the big scale that makes us assume that AD would be necessary, but they rip it out because it creates problems without solving them. Even pretty small businesses today want the flexibility that comes with not having AD. You don't have to be big at all to run into the limitations.
scottalanmiller

None of this makes AD bad or useless. Just don't be surprised that it's not hard to live without it. For many, the real question is "how could you use this on any scale" rather than "How do we live without it."

            If you have a single or dual site manufacturing facility running all Windows, AD might work surprisingly well. If you run a software development firm, it's hard to imagine something more useless.

Dashrender @scottalanmiller

              @scottalanmiller said in How Do You Replace Active Directory?:

              Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

              Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

              Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

scottalanmiller @Dashrender

                @Dashrender said in How Do You Replace Active Directory?:

                Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

                Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

Dashrender @scottalanmiller

                  @scottalanmiller said in How Do You Replace Active Directory?:

                  Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

scottalanmiller @Dashrender

                    @Dashrender said in How Do You Replace Active Directory?:

I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

                    I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.

                    The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)

                    Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.

                    You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?

                    The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.

scottalanmiller @Dashrender

                      @Dashrender said in How Do You Replace Active Directory?:

                      of course I've had issues before

                      And did your central monitoring report that to you? This is where GPO is difficult. The first thing most people without GPO experience expect when they are told about it is that they will be able to log into a central console and see the status of what has been applied and where that application has succeeded (and where it has failed.) They expect that the central AD system will somehow have monitoring and alerting as that is what would make this process valuable.

But there isn't. With Salt, for example, or an RMM or an MDM, we'd never accept this kind of management without a central system that tells us the status of the endpoints. If an agent fails, we get a notification. We might still have to fix it manually (or maybe not, because with alerting comes the opportunity for automation) but at least we are told to fix it rather than either dedicating absurd amounts of manpower to seek out problems that we don't know are out there, or waiting for machines to not behave as desired and then try to track down the failed GPO as a cause.

Dashrender @scottalanmiller
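The central status view described in the post above (an agent that reports endpoint policy state to one place and flags failures) can be approximated with a small reporting script. The following is an added example written for this thread; it is not code from any poster, nor from Salt or any RMM or MDM product. It assumes a domain-joined Windows 10/11 or Server host with PowerShell 5.1 or later, run as a scheduled task with rights to read the Group Policy operational log, and a hypothetical UNC share ($ReportShare) that you would replace with your own collection point. It reads events 7016 (a client-side extension finished with an error) and 1129 (processing aborted because no domain controller was reachable) from the Microsoft-Windows-GroupPolicy/Operational log, which is where Windows records the per-machine outcome the thread says you otherwise have to log on to see.

```powershell
# Added example for this thread (not code from the original posts or from any product
# mentioned in it). Endpoint mode: summarise recent Group Policy failures and publish
# them to a central share. Collector mode (-Summarize): roll every endpoint report up
# into one status table, with stale reporters flagged as well as failed ones.
# Assumptions: PowerShell 5.1+, domain-joined Windows host, rights to read the
# operational log and to write to $ReportShare (a hypothetical UNC path).

param(
    [int]$LookbackHours = 24,
    [string]$ReportShare = '\\reports.example.internal\gpo-status',  # hypothetical share
    [switch]$Summarize                                               # collector mode
)

$GpLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GpoFailureReport {
    # 7016: a client-side extension (CSE) completed with an error
    # 1129: policy processing failed because no domain controller was reachable
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    $failures = @(Get-WinEvent -FilterHashtable @{
            LogName   = $GpLog
            Id        = 7016, 1129
            StartTime = $since
        } -ErrorAction SilentlyContinue)        # no matching events is not an error

    # Get-WinEvent returns newest first, so element 0 is the most recent failure
    $last = $null
    if ($failures.Count -gt 0) { $last = $failures[0].TimeCreated.ToString('o') }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        ReportedAt   = (Get-Date).ToString('o')
        FailureCount = $failures.Count
        LastFailure  = $last
        # first line of each message is enough for triage; keep the report small
        Messages     = @($failures | Select-Object -First 5 | ForEach-Object {
                            '{0} {1}' -f $_.Id, ($_.Message -split "`r?`n")[0] })
    }
}

function Publish-GpoFailureReport {
    # One JSON file per host; the collector treats a missing or old file as "stale"
    param([pscustomobject]$Report, [string]$Share)
    $path = Join-Path $Share ('{0}.json' -f $Report.Host)
    $Report | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
}

function Get-GpoFleetSummary {
    # The "central console" view: every host, its status, and when it last reported.
    param([string]$Share, [int]$StaleHours = 48)
    $staleBefore = (Get-Date).AddHours(-$StaleHours)
    Get-ChildItem -Path $Share -Filter '*.json' | ForEach-Object {
        $r = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        $status = 'OK'
        if ($r.FailureCount -gt 0)                      { $status = 'FAILED' }
        elseif ([datetime]$r.ReportedAt -lt $staleBefore) { $status = 'STALE' }
        [pscustomobject]@{
            Host       = $r.Host
            Status     = $status
            Failures   = $r.FailureCount
            LastReport = $r.ReportedAt
        }
    } | Sort-Object Status, Host
}

if ($Summarize) {
    Get-GpoFleetSummary -Share $ReportShare | Format-Table -AutoSize
} else {
    $report = Get-GpoFailureReport -Hours $LookbackHours
    Publish-GpoFailureReport -Report $report -Share $ReportShare
    $report | ConvertTo-Json -Depth 3      # also visible in the scheduled task's output
}
```

Run it without switches from a scheduled task on each endpoint (hourly is plenty for a 24-hour lookback), and with -Summarize on whatever machine reads the share. The STALE state matters as much as FAILED: a host that has stopped reporting is exactly the silent failure the post describes, and a plain "no failures found" list would hide it.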

                        @scottalanmiller said in How Do You Replace Active Directory?:

                        I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.

                        The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)

                        Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.

                        You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?

                        The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.

I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
Not zero, but no RMM type solution would I expect zero issues with when setting up.

Dashrender @scottalanmiller

                          @scottalanmiller said in How Do You Replace Active Directory?:

                          And did your central monitoring report that to you? This is where GPO is difficult. The first thing most people without GPO experience expect when they are told about it is that they will be able to log into a central console and see the status of what has been applied and where that application has succeeded (and where it has failed.) They expect that the central AD system will somehow have monitoring and alerting as that is what would make this process valuable.

But there isn't. With Salt, for example, or an RMM or an MDM, we'd never accept this kind of management without a central system that tells us the status of the endpoints. If an agent fails, we get a notification. We might still have to fix it manually (or maybe not, because with alerting comes the opportunity for automation) but at least we are told to fix it rather than either dedicating absurd amounts of manpower to seek out problems that we don't know are out there, or waiting for machines to not behave as desired and then try to track down the failed GPO as a cause.

                          yeah, makes sense.

scottalanmiller @Dashrender

                            @Dashrender said in How Do You Replace Active Directory?:

I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
Not zero, but no RMM type solution would I expect zero issues with when setting up.

                            No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process.

Dashrender @scottalanmiller

                              @scottalanmiller said in How Do You Replace Active Directory?:

                              @Dashrender said in How Do You Replace Active Directory?:

                              @scottalanmiller said in How Do You Replace Active Directory?:

                              @Dashrender said in How Do You Replace Active Directory?:

                              @scottalanmiller said in How Do You Replace Active Directory?:

                              @Dashrender said in How Do You Replace Active Directory?:

                              @scottalanmiller said in How Do You Replace Active Directory?:

                              @siringo said in How Do You Replace Active Directory?:

                              I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

                              Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

                              Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

                              Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

                              Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

                              I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

                              I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.

                              The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)

                              Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.

                              You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?

                              The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.

                              I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
                              Not zero - but there's no RMM-type solution I'd expect zero issues with when setting up.

                              No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process.

                              Yeah - that definitely makes sense.

                              I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines?

                              scottalanmillerS jt1001001J ObsolesceO 3 Replies Last reply Reply Quote 0
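The central reporting gap described above (policy failures only visible in per-endpoint logs) is the kind of thing an agent-based tool can close. Below is an added example, not code from the thread or from TacticalRMM or any other product mentioned: a script an RMM agent could run on each Windows endpoint to read the local Group Policy operational log and return a JSON summary plus a pass/fail exit code, so failures and stale endpoints surface in one console.

```powershell
# Added example: summarise Group Policy processing health on this endpoint
# so an RMM agent can collect it centrally. Assumes the agent runs the
# script as SYSTEM (needed to read the operational log) and treats a
# non-zero exit code as a failed check.
param(
    [int]$LookbackHours = 24   # how far back to look for errors/warnings
)

$logName = 'Microsoft-Windows-GroupPolicy/Operational'
$since   = (Get-Date).AddHours(-$LookbackHours)

# Level 2 = Error, 3 = Warning. @() guarantees an array even when empty,
# so .Count is 0 rather than failing on $null.
$problems = @(Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue)

# Newest entry of any level: if nothing has been logged in the lookback
# window, policy is not being processed at all, which is its own failure.
$latest = Get-WinEvent -LogName $logName -MaxEvents 1 -ErrorAction SilentlyContinue
$lastActivity = if ($latest) { $latest.TimeCreated } else { $null }
$stale = (-not $latest) -or ($latest.TimeCreated -lt $since)

# Group problems by event ID and keep the first line of one message as an
# example, so the console shows what kind of failure it is at a glance.
$byId = $problems | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id      = [int]$_.Name
        Count   = $_.Count
        Example = ($_.Group[0].Message -split "`r?`n")[0]
    }
}

$report = [ordered]@{
    Computer       = $env:COMPUTERNAME
    LastGpActivity = $lastActivity
    Stale          = $stale
    ProblemCount   = $problems.Count
    ProblemsById   = @($byId)
}

# JSON output is what the RMM stores and alerts on centrally.
$report | ConvertTo-Json -Depth 4

# Fail the check when GP is erroring or has gone silent.
if ($problems.Count -gt 0 -or $stale) { exit 1 } else { exit 0 }
```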
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in How Do You Replace Active Directory?:

                                I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines?

                                I've not checked either. But I bet a lot.

                                jt1001001J 1 Reply Last reply Reply Quote 0
                                • jt1001001J
                                  jt1001001 @scottalanmiller
                                  last edited by

                                  Admittedly, our deployment will be more "seat of the pants" as we had a DC failure and I'm the new guy so make him do it. I haven't even looked at all the potential issues and pitfalls. I just know that for a company of our size (less than 100 users, workforce now primarily remote) a central active directory structure is not necessary nor needed. We aren't doing LDAP/ADFS/SAML anywhere today. Heck, we don't know yet if we even need MDM (Intune) but if the higher ups are allowing us to get licenses might as well play with it.

                                  1 Reply Last reply Reply Quote 1
                                  • jt1001001J
                                    jt1001001 @Dashrender
                                    last edited by

                                    @Dashrender I'll be finding out next week.

                                    1 Reply Last reply Reply Quote 0
                                    • siringoS
                                      siringo
                                      last edited by

                                      Sorry, TLDR, very busy ATM. I really appreciate the input from everyone, this is very interesting.

                                      If I were starting from scratch and didn't want to use AD and only had Windows devices and sysadmins with only Windows experience, what would you use?

                                      The network size is small, 15 client PCs, 2 servers, everything is Windows.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @siringo
                                        last edited by

                                        @siringo said in How Do You Replace Active Directory?:

                                        Sorry, TLDR, very busy ATM. I really appreciate the input from everyone, this is very interesting.

                                        If I were starting from scratch and didn't want to use AD and only had Windows devices and sysadmins with only Windows experience, what would you use?

                                        The network size is small, 15 client PCs, 2 servers, everything is Windows.

                                        So I'd say that that isn't enough to go on. Size isn't really a big factor. And all Windows is a small factor. But it is really management style and needs. I wouldn't worry about the experience of the system admins either, if they are truly skilled admins they can manage anything about the same, there's no real skill difference between platforms. If they have only memorized Windows then we have other issues and need to outsource the oversight no matter what. But for a network of that size, you should always outsource and always to a competent shop. You need hundreds or thousands of devices to justify any full time person, but even a one person firm needs solid IT guidance. So you can never really consider anything but outsourcing. That's another issue, but since it is in the question. An environment of that size would only be what, $500-$1000 a month for full outsourcing. Where will you find multiple internal system admins for $500 a month?

                                        Under MOST circumstances, and I truly just mean like 50% or more, I'd do nothing. And I have hundreds of environments that are super close to this (10-30 machines, 2-3 servers, mostly Windows but almost never exclusively) and definitely the answer is "nothing". Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD. In fact, the majority had AD and we removed it because we are paid flat rate, not by the hour, and we save a lot of time by managing manually at that size.

                                        Now, manually managing would be inefficient if we had to sit at each machine. For us, we use MeshCentral and TacticalRMM and manage most machines that way. You've got scripts, you've got remote access, you've got remote console so no need to interrupt the user, do everything from the command line which is best practice regardless and the effort to manage the environment is so minimal that you will be like "wow, why did I ever put AD in anywhere?"

                                        Typically we move DNS and DHCP to something like Unifi routers so we can do remote, rapid management and insight way better than Windows does. So any network configuration gets pushed out from there.

                                        J 2 Replies Last reply Reply Quote 0
                                        • J
                                          JasGot @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in How Do You Replace Active Directory?:

                                          Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD

                                          So how do you set up the shares? Open to everyone?
                                          How do you handle passwords for the local machine and sync them to the passwords required for the server?

                                          scottalanmillerS 2 Replies Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @JasGot
                                            last edited by

                                            @JasGot said in How Do You Replace Active Directory?:

                                            So how do you set up the shares? Open to everyone?

                                            I don't have a time machine so don't need to worry about shares 🙂 This is 2022, I don't think I have more than one or two customers still doing shared drives for files. I've had very little of this in the last ten years. Almost none today, except in cases where we are brought in to modernize the environment.

                                            We DO have a number of customers forced by a vendor to use mapped drives, but in that specific case the vendor requires and will not support any environment where the shares have any security. They are required to be wide open (customers are all warned that the vendor is reckless and unprofessional and a malicious entity but people like to not change things up.) They use the shares purely for the app, not for file sharing.

                                            J 1 Reply Last reply Reply Quote 0