I do realize this is an OLD post (relatively speaking) but I appreciate(d) finding it, as I'm currently revisiting "Salt vs. Ansible," and while I thought I was leaning towards Salt, perhaps it might be Ansible instead at this point. Not yet settled.

Nothing needs to be used, anything that is used will be primarily to ease my job of administering - primarily - client machines. (Currently not rolling out enough Linux (or Windows for that matter) servers to be considering a/ny config mgmt system - at this time).

Most sites have or can have a linux vm that I setup and maintain.
My need is for one mgmt tool that is: Viable for Windows and Mac OS endpoint management, and for simple basic (check for and) application of system updates, both fit the bill.

Security is also (especially, as we all know) not at all a non-factor.
I do like that as of now - with the current build of Windows 10, ssh(d) is included.
And I hope to use a setup that will work over ssh, with client-nodes limiting connections (from source IP) by firewall, and ssh config limiting connections to/by key only.
I know that the default config of OpenSSH in Windows uses
"C: \ProgramData\ssh\administrators_authorized_keys"

for said config, I have yet to verify if the MS-included (Apps > Optional Features) sshd uses the same.

Doing a little victory dance after successfully: Upgrading a Server2008R2 VM to 2012R2, then its SQL Express 2008R2 installation upgraded to 2012R2, and setting up RDS for making the OLD LOB app available via RDP. Because archival financial info.

What a PITA, so many very Microsoft-ian errors along the way to overcome.
For anyone that cares, yes an upgrade. The 2008R2 VM itself was created by me (fresh and shiny new & clean, a handful of years ago), in which I had to do a clean install of said OS and SQL Server Express, and restore data which had been backed up, but the server of origin had died, hard, not long after I recommended replacing it in fact (won't miss that single box running SBS 2011, ever).

Client-side app won't run in Windows 10 (total non-starter), did in Win 8 and earlier.
So this is a nice way to still provide access to said valued data for the remaining years the client will need or care about it.

Thanks for this ! Sorry for major necro-posting, but the recommendations in that article are pretty horrible (even as of the date of that article) - effectively: "With Windows, NTLM is easiest so just use that." That should be a non-starter.

I found the following that nicely covers using Kerberos with AD & DNS for managed hosts, which should be far preferable of course:
https://argonsys.com/microsoft-cloud/articles/configuring-ansible-manage-windows-servers-step-step/

@scottalanmiller
Thanks for all your considerate words and careful thoughts about this. I'm very appreciative of this thread, and particularly this post of yours, SAM.

I wasn't (yet) kicked of SW, but have always found it an extremely odd place with many demonstrating being either very new to IT, or painfully constrained in their thinking based on knowing only what they know (due to their given opportunities thus far, in terms of exposure and "experience"), and often confusing any calls to review their established and limited (sometimes, not always) and/or ingrained assumptions about a problem and how to best approach it, with personal criticism. Which is also commonplace for people new to IT or particularly defensive about their knowledge of IT (and the manifold topics and considerations that "IT" encompasses).

I was also sad to see you go/be forced out of SW, but theres much history there that I wasn't party to, nor (would I ever) care to be. While I already was definitely aware of MangoLassi long ago, when I saw that dbeato had joined here and/or become more active, I was happy to see it, and made a point of checking in here more often.

Very interesting to get some of your behind-the-scenes perspectives, SAM. All of this certainly gives some pause in terms of what will happen now or eventually with SW and anything we post there.

See the following for ideas as to how you can accomplish what you're seeking to do:

https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

@dbeato Stated exactly what I was thinking.
Note: this not meant to disregard (that would be silly & pointless) the specifics that Scott has mentioned. In other words, one size (or solution) does not necessarily fit all (scenarios).

But I use Caddy in a Dockerized setup for a server that isn’t publicly available (not wide open) as it doesn’t need to be nor do I want it to be).
In my case I use dnsmadeeasy and their API. Does require DNS (records) access/ability to manage some records.

All of which adds “complexity” (not much, but some), enough that I wouldn’t recommend it if the tech involved was new for someone (if so, home lab it first) for anything in production.

@hobbit666

Exactly.

https://support.microsoft.com/en-us/help/4015079/lifecycle-dates-extended-for-windows-server-2012

So, security updates til 10/2023.

Plenty of time, given that the timeframe access to this data will be needed is another three years.

Other considerations:

1. An available lic for 2012R2 already existed.
2. Given the age of the old financial software product, I didn’t know if/that it would even work. Thankfully it does, just fine. Really seriously doubt it could/will run, at all, on anything newer. Have already established that the client component does not run in W10.

@stacksofplates

Thank-you !
https://hooks.technology/2017/08/ansible-tower-provisioning-callbacks/

" or you can just use curl.
curl --data "host_config_key=d13a7b6e08e84c7d8f412b9754400a00"https://tower.example.com/api/v1/job_templates/26/callback/ -k
This has many benefits beyond just physical host provisioning. This allows systems to “check in” without using Ansible pull."

Or, for Windows instead of curl, powerhsell Invoke-WebRequest

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-6

Food for thought there... (emphasis added by me)