How Do You Replace Active Directory?
-
@scottalanmiller said in What Are You Doing Right Now:
@siringo said in What Are You Doing Right Now:
What will you replace AD with?
A common answer is... nothing. AD doesn't serve a really obvious need. In many cases, you just remove it. Not replace it.
I continue to have a near impossible time wrapping my head around this. You replace it with nothing.
So you have 100+ devices, 100+ users and what? They all have local admin and they just log into the devices any way they want? If the answer is - of course not Dash, don't be stupid...
Then what? How do you manage user accounts on the devices? How do you manage local admin on the devices? Nearly everything outside of the local device I can understand how one could manage - email has its own creds, file storage could be something like Zoho or ODfB or Google Drive and be part of the same system as email, or could be something like NextCloud or DropBox or Box, etc. and have its own creds. The LOB also has its own creds - or you're a super cool company and you've tied all that stuff together with SSO... but none of that manages the device. Even printing can be handled by these types of services: printing is redirected to a service which has a connection to your local printer, and ta da - printing (though I do wonder what the speed of printing is like in those cases).
So, do you just not care about the device at all? Again, user has local admin rights? BYOD, etc.? Or something else that you've undoubtedly told me about before that I've forgotten.
-
@Dashrender said in What Are You Doing Right Now:
I continue to have a near impossible time wrapping my head around this. You replace it with nothing.
It's how computers work by default. You deal with it every day at home, for example. The idea that you NEED all this extra user management is a weird 1990s thing that somehow really caught hold, but it isn't clear what the "need" is.
-
I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.
-
In Gene's case, I know his company is providing RDS sessions to everyone - this removes a lot of the concern over the local device, though a key logger would still be bad...
-
@Dashrender said in What Are You Doing Right Now:
I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.
You've made some non-existing leap. What are you talking about? Certainly whatever you are thinking is 100% not related to AD.
-
@Dashrender said in What Are You Doing Right Now:
In Gene's case, I know his company is providing RDS sessions to everyone - this removes a lot of the concern over the local device, though a key logger would still be bad...
RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.
-
@Dashrender said in What Are You Doing Right Now:
so you have 100+ devices, 100+ users and what?
Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simply scale "as it is" from a single user device.
It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.
You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?
Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.
-
@Dashrender said in What Are You Doing Right Now:
Then what? how do you manage user accounts on the devices? How do you manage local admin on the devices?
This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up as it's not changed by removing AD.
Local admin again, manage it the same as you did with AD.
-
In this discussion "What do I do without AD", I think it's always going to come back to "you'd have to articulate what AD is doing for you that has value" before we could answer that. In 90% of environments that I found AD in, it is serving no function whatsoever. So there are no questions to answer. It's like your appendix. What will you do when they remove it? You'll act just like you did before, what would change?
-
@Dashrender said in What Are You Doing Right Now:
but none of that manages the device
Just like AD. AD doesn't manage the device. This is the big myth. AD does so little.
-
@Dashrender said in What Are You Doing Right Now:
So, do you just not care about the device at all?
Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. But normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.
But let's not assume that, that's easy to just dismiss. Instead let's talk about those cases where you do need it.
If I need to manage the device, AD would be a pretty bad choice. Not the worst, but bad. First, if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume a totally oxymoronic situation and just assume we want to overly secure Windows.
Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.
-
@Dashrender said in What Are You Doing Right Now:
again, user has local admin rights?
Can't figure out where this comes from.
-
@Dashrender said in What Are You Doing Right Now:
BYOD, etc.?
This is fine. It falls into irrelevant. What does this have to do with AD decisions?
-
@scottalanmiller as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a Linux file server for 1 or 2 use cases where Teams/SharePoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well it's printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.
-
@Dashrender said in What Are You Doing Right Now:
or something else that you've undoubtedly told me about before that I've forgotten.
It's just that none of it matters. None of these things are related to AD. AD just does SO little.
-
@jt1001001 said in How Do You Replace Active Directory?:
as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache.
This is generally what I find. AD providing nothing and making us do a lot of work for nothing. Especially when we log in to the command prompt via MeshCentral and never see AD creds in use! And in theory, never even need to do that.
-
@Dashrender do they need local admin rights? For us the answer is NO.
Right now I'm working on an image for our systems with apps re-installed and Chocolatey for future package management. A local admin user with password known to IT (different for each machine) is created, and the IT person adds the machine to Azure AD through the Accounts section of Win 10 (with a pre-set password). Reboot, new user logs in and is prompted to change their password. Will simplify this as time goes on but it's a good start.
-
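The account setup described in the post above, as an added worked example that is not code from the thread or from any of its participants. It assumes a Windows 10/11 machine with the built-in Microsoft.PowerShell.LocalAccounts module, run from an elevated PowerShell session; the account names `it-localadmin` and `jdoe` are placeholders. It creates the per-machine local admin with a unique randomly generated password, creates the end user as a standard (non-admin) account that must change its pre-set password at first logon, and includes a check that the end user did not end up in the local Administrators group. The Azure AD join mentioned in the post is done afterwards through Settings, not by this script.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, elevated session,
# Microsoft.PowerShell.LocalAccounts module (built in). Account names are placeholders.

function New-RandomPassword {
    # Builds a password from the OS CSPRNG; rejection sampling avoids modulo bias.
    param([int]$Length = 20)
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return -join $chars
}

function New-ManagedWorkstationAccounts {
    param(
        [string]$AdminName    = 'it-localadmin',   # placeholder: per-machine IT admin
        [string]$UserName     = 'jdoe',            # placeholder: end user
        [string]$UserFullName = 'Jane Doe'
    )

    # 1. Per-machine local admin. The password is generated here, so it differs on every
    #    machine; it is returned to the caller for IT's password manager, never written to disk.
    $adminPassword = New-RandomPassword
    $adminSecure   = ConvertTo-SecureString $adminPassword -AsPlainText -Force
    New-LocalUser -Name $AdminName -Password $adminSecure -PasswordNeverExpires `
        -Description 'IT local admin (unique password per machine)' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName

    # 2. Standard (non-admin) end user with a pre-set initial password.
    $initialPassword = New-RandomPassword -Length 12
    $initialSecure   = ConvertTo-SecureString $initialPassword -AsPlainText -Force
    New-LocalUser -Name $UserName -Password $initialSecure -FullName $UserFullName | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName
    # New-LocalUser has no "must change at next logon" switch; net.exe sets that flag.
    net user $UserName /logonpasswordchg:yes | Out-Null

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AdminAccount    = $AdminName
        AdminPassword   = $adminPassword
        UserAccount     = $UserName
        InitialPassword = $initialPassword
    }
}

function Test-UserIsNotAdmin {
    # Verification: the end user must not be a member of the local Administrators group.
    param([string]$UserName)
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    return -not ($members -contains "$env:COMPUTERNAME\$UserName")
}

# Usage on a freshly imaged machine:
$result = New-ManagedWorkstationAccounts -UserName 'jdoe' -UserFullName 'Jane Doe'
$result                              # record AdminPassword/InitialPassword in IT's password manager
Test-UserIsNotAdmin -UserName 'jdoe' # should report that the user is not a local admin
```

The returned object is the only copy of the generated passwords, so the person imaging the machine records it immediately; a tool like MeshCentral, Salt or Ansible can later run the same two cmdlets (`New-LocalUser`, `Add-LocalGroupMember`) to add or remove accounts without anyone logging on interactively.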
@jt1001001 said in How Do You Replace Active Directory?:
A local admin user with password known to IT (different for each machine) is created
Yeah, no reason not to do that. So easy to do and how is that different than with AD where you'd need some form of admin creds for the machines anyway. With AD we still create, manage, and track all these local admin accounts. AD doesn't manage that at all. So having AD on top of the user management is awful.
And that local admin account can be used to manage the local user accounts. Plus you CAN decide to make different local admin accounts for each admin if you prefer (that's how Linux recommends it.)
But with most tools today (RMM, MeshCentral, Salt, Ansible, ScreenConnect, etc.) you manage the users through that and don't need to log in at all.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
I sorta understand where you're going with that - but users are users - they infect their computers, etc. Just taking admin rights away resolves a noticeable if not significant amount of that.
You've made some non-existing leap. What are you talking about? Certainly whatever you are thinking is 100% not related to AD.
The quoted comment was in another thread, and not specifically about AD - but about users. And it goes back to my full post - let's say you do create non admin accounts - how are you doing that?
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
so you have 100+ devices, 100+ users and what?
Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simply scale "as it is" from a single user device.
It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.
You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?
Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.
/sigh, now this is a road we've gone down before - you're the one assuming that since we started talking about AD I somehow feel that's the only option; of course it's not. You could use Salt or other management tools to create users, etc...
So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.