    SAMIT: Do You Really Need Active Directory

    IT Discussion
    Tags: samit, scott alan miller, youtube, active directory
    135 Posts 10 Posters 18.3k Views
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.

      AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.

      Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"

      Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!

      DashrenderD 2 Replies Last reply Reply Quote 0
      • DashrenderD
        Dashrender @IRJ
        last edited by

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Dashrender said in SAMIT: Do You Really Need Active Directory:

        Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

        100 desktops, 100 users, and they play musical chairs daily - now what?

        Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

        You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

        Why would you even have OD if you can prevent local storage of files?

        Actually I think I can answer that one myself - because local Excel wants to be used by the user - so they need either OD or SP to pull the file from the cloud.

        But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
        But you still have regulations, the reason you're running an SIEM.

        IRJI scottalanmillerS 3 Replies Last reply Reply Quote 1
        • ObsolesceO
          Obsolesce @Dashrender
          last edited by Obsolesce

          @Dashrender said in SAMIT: Do You Really Need Active Directory:

          Scott keeps mentioning that as an MSP he doesn't need AD - and that I would agree, his clients, because NTG is an MSP, AD (and the other associated things) aren't designed to work from a central situation across different customers - but - so what? that's not the use case any one here is really talking about - Except Scott. But we'll leave that lie.

          I'm gathering that Scott is of the opinion that most offices would just have a single user set up on each PC, Scott, as the IT or MSP, would have an admin account on that machine (again local only) and everything else would be set up as LANless as possible.

          If that's not the case - then I really can't envision Scott's typical ideal setup?

          Scott's an MSP, so obviously wants to do what is easiest for him to make him the most money.

          He'll rip out a fully working AD (and friends) setup, and replace it with 100 separate things they can manage for money, and bill for the time it takes to replace, redesign, and build everything.

          Following it all up tens of thousands of dollars later saying "see, AD was not needed".

          ObsolesceO 1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender @scottalanmiller
              last edited by

              @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

              @Dashrender said in SAMIT: Do You Really Need Active Directory:

              Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.

              AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.

              Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"

              Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!

              Yeah, I realized that after I posted - I went the wrong direction - which I did correct in a follow-up post with Dustin.

              1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said in SAMIT: Do You Really Need Active Directory:

                Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.

                No, now you are onto a different topic. There is a difference. GPO is one tool for managing desktop functions. Salt, Ansible, SMB are different tools for managing GPO. None of those are AD or the topic here.

                This is getting wildly confusing, because this thread is about AD, actual AD. But every time you talk about AD, you are specifically talking about almost every function of Windows Server that isn't AD. The context of this thread is AD and only AD. Not just AD DS, but primarily AD DS. But anything that isn't AD, isn't part of this thread.

                If you have questions unrelated or loosely related to AD like "what are good ways to replace Windows Server components in a Windows desktop world while retaining tight control and visibility of individual workstations", that should be its own thread.

                DashrenderD 2 Replies Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                  @Dashrender said in SAMIT: Do You Really Need Active Directory:

                  Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.

                  AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.

                  Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"

                  Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!

                  As you mention - GPOs are nothing more than files on an SMB file share, it's not really an installed thing - it becomes "enabled", for lack of a better word, only after a PC has joined a domain.

                  I wonder if a workstation can be hacked to look for a directory that houses the GPO files and integrate them without being a domain member? i.e. is there a registry key for that? lol

                  IRJI scottalanmillerS 2 Replies Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    But if AD doesn't - then what does? I mean - the workstation only checks the DC for these files in a very specific location IF it's a member of AD (granted could be MS or Linux based AD)... otherwise the workstation won't do that.

                    Well there are two ways to look at this.

                    What does it? It's the local workstation. Windows is "pull" management as an ecosystem. The workstations are self managed, they are not managed by a server (AD or otherwise.) You can replace this mechanism, but not while staying as part of the "MS Windows Server ecosystem". You can still use Windows Servers, but not in the "Microsoft way." But there is nothing wrong with pull management, that's the standard for every desktop OS. It's a viable approach and is relatively resource light.

                    What provides the mechanism for this? That's Windows SMB (aka Windows Server.) Confusingly, SMB services from Windows Server is literally called Windows Server! Yes, the same name as the parent product. Facepalm. But to keep it straight, we generally call it the Windows File Server or the Windows SMB Server, not just Windows Server.

                    It's an historic artefact that when Windows Server and the SMB service were first introduced, the idea was that Windows Server only had one function in the first place.

                    1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                      Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.

                      No, now you are onto a different topic. There is a difference. GPO is one tool for managing desktop functions. Salt, Ansible, SMB are different tools for managing GPO. None of those are AD or the topic here.

                      Did you even read the sentence you quoted? The quoted part is not talking about directory services (AD), it's specifically talking about GPOs.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Obsolesce
                        last edited by

                        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                        Yeah, you can replace it all. There's no doubt there and I don't think anyone was saying otherwise. The question is how much trouble do you go through to replace something working with a bunch of different things and to manage/maintain it all.

                        Yes, and that's why replacing any working system is difficult (aka brownfield.) In a greenfield, it's pretty darn easy. Easier, in lots of cases.

                        The thing that is hardest is the "replace" word here. That's where the challenges tend to be. In lots of environments, and truly most environments that I run across, the simplest answer is literally to not replace, but to remove. GPO is often more of a problem than it is worth, it is non-deterministic, doesn't work well in a disparate network, and is very complicated to manage. It actually struggles to add value over "having nothing" for lots and lots of companies.

                        So literally the most common answer to "how do I replace X component from the Windows Server ecosystem" is truly "you don't."

                        DashrenderD ObsolesceO 2 Replies Last reply Reply Quote 0
                        • IRJI
                          IRJ @Dashrender
                          last edited by

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          @IRJ said in SAMIT: Do You Really Need Active Directory:

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

                          100 desktops, 100 users, and they play musical chairs daily - now what?

                          Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

                          You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

                          Why would you even have OD if you can prevent local storage of files?

                          That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                            If you have questions unrelated or loosely related to AD like "what are good ways to replace Windows Server components in a Windows desktop world while retaining tight control and visibility of individual workstations", that should be its own thread.

                            Yeah - we need a more useful thread like "if even needed, and not going BYOD, how do I replace all the components that go along with Windows AD (i.e. directory services, workstation settings management)."

                            scottalanmillerS 1 Reply Last reply Reply Quote 1
                            • IRJI
                              IRJ @Dashrender
                              last edited by

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

                              @IRJ said in SAMIT: Do You Really Need Active Directory:

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

                              Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

                              100 desktops, 100 users, and they play musical chairs daily - now what?

                              Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

                              You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

                              But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
                              But you still have regulations, the reason you're running an SIEM.

                              Not BYOD and have standard builds with restricted permissions, but you don't really push anything because they are just a basic OS that lets you access resources. You let them update on their own.

                              DashrenderD 1 Reply Last reply Reply Quote 1
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.

                                No, it is definitely not GPO if you are using PS to set the registry. That highlights why GPO is often not to be maintained, because there are other, often better ways to handle it. GPO isn't the end all of value. That said, though, you can use Salt / Ansible / PowerShell to set GPOs, or to bypass them. Most people use the GPO approach because of momentum of conversations like this - people get convinced that they need GPO, so they want tools to automate GPO rather than starting from the goal and figuring out how to achieve it.

                                ObsolesceO 1 Reply Last reply Reply Quote 0
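The post above describes starting from the goal (a workstation in a known state) rather than from GPO, and earlier in the thread the point was made that Windows desktops are "pull" managed: the machine applies settings to itself. The script below is an added example, not code from the thread or from any of its participants, of what that looks like in PowerShell: a small desired-state list of registry-backed hardening settings that a GPO would normally carry, applied idempotently and reported as compliant/corrected drift so the output can be shipped to a SIEM. It assumes it is run elevated on the workstation (by a scheduled task, Salt, Ansible or an RMM agent, which is the "pull" part); the registry paths and value names are standard Windows settings, the log file path and the `$AuditOnly` switch are this example's own choices.

```powershell
# Added example (not from the thread): enforce a few workstation settings
# with PowerShell instead of GPO, idempotently, and emit a drift report.
# Run elevated on the workstation itself (pull management).
#Requires -RunAsAdministrator

# Set to $true to only report drift without changing anything.
$AuditOnly = $false
# Where the per-run drift report goes (example path, adjust as needed).
$ReportPath = 'C:\ProgramData\WorkstationBaseline\drift.jsonl'

# Desired state: registry values that a GPO would normally manage.
$desired = @(
    # Do not store LM hashes of passwords.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Value = 1; Type = 'DWord' }
    # Send NTLMv2 only, refuse LM and NTLM responses (level 5).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Value = 5; Type = 'DWord' }
    # Require Ctrl+Alt+Del at logon (DisableCAD = 0 means "not disabled").
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableCAD'; Value = 0; Type = 'DWord' }
)

function Set-DesiredRegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)

    # Create the key if it does not exist yet (Policies\System may be absent
    # on a machine that has never seen a GPO).
    if (-not $AuditOnly -and -not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Read the current value; $null when the value or key is missing.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($current -eq $Value) {
        $state = 'compliant'
    } elseif ($AuditOnly) {
        $state = 'drift'
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
        $state = 'corrected'
    }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Host      = $env:COMPUTERNAME
        Setting   = "$Path\$Name"
        Expected  = $Value
        Found     = $current
        State     = $state
    }
}

# Apply (or audit) every desired value and collect one record each.
$report = @(foreach ($d in $desired) { Set-DesiredRegistryValue @d })

# Append the run as JSON lines so a log collector / SIEM can pick it up,
# then show the summary on the console.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | ForEach-Object { $_ | ConvertTo-Json -Compress } | Add-Content -Path $ReportPath
$report | Format-Table Setting, Expected, Found, State -AutoSize
```

Because every setting is declared once and compared before it is written, the script can run on every boot or on a schedule and only touches what has drifted; the `drift` state from an audit run is what you would alert on, and `corrected` records are the audit trail that a regulated shop wants from its workstation baseline regardless of whether a domain is involved.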
                                • IRJI
                                  IRJ @Dashrender
                                  last edited by

                                  @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                  @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                  @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                  Sure - because, as stated a moment ago - almost no one ever talks about AD - but they are talking about AD DS or whatever you want to call the total and complete bundle of things that come with the Windows Server license that typical shops use.

                                  AD DS is 20% of AD, it's more specific and under the hood, not less specific and under the hood. It's actually making the discussion worse, not better.

                                  Imagine if we called every single thing on Linux "Apache" because Linux often ships with Apache. Imagine calling Samba, DNS, and LibreOffice "Apache" and just going "everyone means everything when they say Apache?"

                                  Then how the heck do they talk about Apache? No wonder every Windows admin is confused, if your claim is true - not a single Windows admin knows any Windows component, feature, or functionality? That's crazy. How do they function? How do they communicate? No wonder so many Windows components get rolled out when they are not needed if everyone thinks that it's all one thing and none of it has a name or known purpose!

                                  As you mention - GPOs are nothing more than files on an SMB file share, it's not really an installed thing - it becomes "enabled", for lack of a better word, only after a PC has joined a domain.

                                  I wonder if a workstation can be hacked to look for a directory that houses the GPO files and integrate them without being a domain member? i.e. is there a registry key for that? lol

                                  Uh, what?

                                  Why would anyone want to do that? If you hacked a system you just scan the registry (if you care, but unlikely).

                                  1 Reply Last reply Reply Quote 1
                                  • DashrenderD
                                    Dashrender @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                                    So literally the most common answer to "how do I replace X component from the Windows Server ecosystem" is truly "you don't."

                                    How do you replace the functionality of auto deployed printers - you don't, you make the users add them manually when needed... yeah that sounds awesome.

                                    No - of course, you're going to tell me, uh, duh of course not, we use PowerShell to push it out to all the workstations, or an RMM, but you see, those are things that REPLACED PowerShell. The only not-replacement is the user doing it themselves, or the IT staff visiting the workstations doing it for the users (physically or remotely).

                                    scottalanmillerS ObsolesceO 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                      Scott keeps mentioning that as an MSP he doesn't need AD - and that I would agree, his clients, because NTG is an MSP, AD (and the other associated things) aren't designed to work from a central situation across different customers - but - so what? that's not the use case any one here is really talking about - Except Scott. But we'll leave that lie.

                                      Is that true? Does everyone else see the world of IT purely from a "single large LAN" perspective without exception? There are no VPNs? No remote workers? No outside consultants? No multi-organizational entities?

                                      Because as an MSP, I deal with this within individual clients, most individual clients, not just between clients. AD is a problem in every org I deal with. Mostly because of being multiple sites or having remote users. Everything from small vet clinics and doctors offices to tiny funeral homes to multi-state manufacturing. The overhead of AD and Windows Server ecosystem is high, the benefits are low, and it's not designed around how modern companies are built, or modern workers expect to work.

                                      My MSP perspective should represent a massive percentage of the field. But beyond that, my non-MSP perspective maintains the same view.

                                      1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @IRJ
                                        last edited by Dashrender

                                        @IRJ said in SAMIT: Do You Really Need Active Directory:

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        @IRJ said in SAMIT: Do You Really Need Active Directory:

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

                                        100 desktops, 100 users, and they play musical chairs daily - now what?

                                        Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

                                        You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

                                        Why would you even have OD if you can prevent local storage of files?

                                        That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

                                        Thanks for pulling a Scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

                                        That said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non-cached file.
                                        I'm prepared to be wrong on that account, though, if you have an article from MS stating as much.

                                        IRJI 1 Reply Last reply Reply Quote 0
                                        • IRJI
                                          IRJ @Dashrender
                                          last edited by

                                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                          @IRJ said in SAMIT: Do You Really Need Active Directory:

                                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                          @IRJ said in SAMIT: Do You Really Need Active Directory:

                                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                          Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

                                          100 desktops, 100 users, and they play musical chairs daily - now what?

                                          Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

                                          You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

                                          Why would you even have OD if you can prevent local storage of files?

                                          That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

                                          Thanks for pulling a Scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

                                          That said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non-cached file.
                                          I'm prepared to be wrong on that account, though, if you have an article from MS stating as much.

                                          Why would you need to use Desktop Office? Why not use Office Online?

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @IRJ
                                            last edited by

                                            @IRJ said in SAMIT: Do You Really Need Active Directory:

                                            @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                            @IRJ said in SAMIT: Do You Really Need Active Directory:

                                            @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                            Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

                                            100 desktops, 100 users, and they play musical chairs daily - now what?

                                            Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

                                            You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

                                            But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
                                            But you still have regulations, the reason you're running an SIEM.

                                            Not BYOD and have standard builds with restricted permissions, but you dont really push anything because they are just a basic OS that lets you access resources. You let them update on their own.

                                            I could definitely see this working in a 1 to 1 situation because there would be so little to manage, and once the user is set up, they aren't likely going to need much IT support. But in a shared environment, it gets stickier.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 1
                                            Page 4 of 7