How Do You Replace Active Directory?
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
so you have 100+ devices, 100+ users and what?
Treat it the same way you would any individual device. Imagine if you supported a one person company. AD would provide quite literally zero possible features. Instead of changing the design as you grow to accommodate AD, simple scale "as it is" from a single user device.
It's kind of like asking "what would a cheeseburger be without avocado"? Um, it would just be a normal cheeseburger. AD isn't the default, it's not the native, it's the special case. Just "normal" is what we are like without it.
You would never have local admin given to the end user with a single device situation. Why would you change that when you added a second device?
Even in the Microsoft world, Microsoft has never recommended AD below ten devices. So whatever model you'd use there, you just keep using.
/sigh, now this is a road we've gone down before - you're the one assuming since we started talking about AD you feel that I somehow feel that's the only option, of course it's not. You could use Salt of other management tools to create users, etc...
So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.
-
@Dashrender said in How Do You Replace Active Directory?:
let's say you do create non admin accounts - how are you doing that?
net user
Same way we always have. That goes back to the early NT days.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
Then what? how do you manage user accounts on the devices? How do you manage local admin on the devices?
This is a leap. WHY do you manage user accounts on the devices? That's not something most shops need. They might have it, they might "want" it, but it serves little purpose to most companies. Often it comes at a cost that you can't recoup. But that said, user management is built into Windows. So I'm confused. AD doesn't provide this, so why bring it up as it's not changed by removing AD.
Local admin again, manage it the same as you did with AD.
what? you can't manage local users the same way you do with AD.
Normal office users have no idea how to create a second user that isn't and admin - it's not in they typical round.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
So, do you just not care about the device at all?
Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. but normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.
But let's not assume that, that's easy to just dismiss. Instead lets talk about those cases where you do need it.
If I need to manage the device, AD would be a pretty bad choice. Not the worse, but bad. First if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume total oxymoronic situation any just assume we want to overly secure Windows.
Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.
well - took around 5 posts to get here ...
-
@Dashrender said in How Do You Replace Active Directory?:
So please - if that's what your intention is, just say that, don't just say - of course we don't give local admin.
But you know no one would. Why keep bringing it up when you know the answer is "manage them any number of super obvious ways the same as it is already done in all other platforms and how it is done in Windows". You know the answer, but keep asking the question as if "give users local admin" is the answer. Obviously it is not.
It's a silly question to ask. It's the easiest thing ever. But there's no one answer, that would be silly. Even in our limited scope here we likely have four different ways at the ready at any given moment. Let's see....
ScreenConnect
MeshCentral
TacticalRMM
SaltAnd then if you log in first... net user or just use the GUI.
That's six ways quickly off of the top of my head. Not six options to deploy, six approaches I have on all of my machines right now. Local user management is so simple and straightforward, the question would have to be ... how can you not manage them? Every tool out there, including the OS itself, has this included. It's the first function everything does. Except, of course, AD. AD is the one tool that doesn't address this.
-
@Dashrender said in How Do You Replace Active Directory?:
hat? you can't manage local users the same way you do with AD.
Yes, you can. AD doesn't manage it at all. YOu are expected to log in and user "net user." That continues to work the same.
-
@Dashrender said in How Do You Replace Active Directory?:
Normal office users have no idea how to create a second user that isn't and admin - it's not in they typical round.
That's correct. But I don't understand why you mention it. What does normal office users, who obviously wouldn't be admins and couldn't make a user account if they wanted to, knowing or not knowing this task have to do with anything?
-
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in What Are You Doing Right Now:
So, do you just not care about the device at all?
Generally, no. I have no idea why a normal business would. High security business, sure, it's plausible. but normal companies, no. Definitely nothing in healthcare, insurance, veterinarian, manufacturing, etc. where the device should have no value and any management of it would just be a waste.
But let's not assume that, that's easy to just dismiss. Instead lets talk about those cases where you do need it.
If I need to manage the device, AD would be a pretty bad choice. Not the worse, but bad. First if security had any priority, Windows would be off the table so AD would play no obvious role whatsoever. But let's assume total oxymoronic situation any just assume we want to overly secure Windows.
Basic tools like remote access, RMM, state machines... they all take the kind of Group Policy tools that AD is mistakenly associated with and do them properly or at least better. No matter what your need, it is hard to see when AD would make the short list. AD represents a huge security risk, and is designed around super insecure architectures. If you are attempting to secure anything, AD's value proposition goes to a huge negative really quickly.
well - took around 5 posts to get here ...
It would be faster if you started with "I care about devices because X." Because you care about them, but we don't know why. That we don't and shouldn't care about ours doesn't really help you. That 90% of businesses shouldn't care, doesn't help you. The only thing that matters to do is 1) Do you care and 2) why?
Answer that and none of this should matter.
-
So let's start asking the questions that really matter...
Why do you @Dashrender care about AD? What value do you see in what it does?
Why do you care about tightly managing a device that is designed to be self sufficient? And why would you want to introduce AD which often disables critical security features (like updates.) Why do you care about the tight control of non-local user accounts? And how are you managing local user accounts today?
All the things that you are asking us, ask yourself. You have asked us this many times. But I don't know why any of these topics matter to you because by default, none of them should matter except for very special needs.
-
@jt1001001 said in How Do You Replace Active Directory?:
@scottalanmiller as I found in our case, AD here was adding absolutes 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a linux file server for 1 or 2 use cases where Teams/Sharepoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well its printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.
While potentially a large shift in workflow - moving to teams/sharepoint from windows shares can be challenging though not impossible.
what is your plan for people logging into their devices provided by the company? Will you use something like salt to deploy state machines, a local admin that you know, but not the user? how about the user account itself? I mean sure, in this case, what that user account is I guess doesn't really matter, but I'm also guessing that you don't want to deploy "user" as everyone's username on all devices (again through something liek Salt, or even when you just roll out the machines).
Printing can be managed by web based printing solutions, or even Salt I assume could create local IP printers and everyone could print direct to the printers.
Last thing - Linux SMB share - is the plan to make an account on the Linux box for each user - and they'll manage that no different than they do their cloud services account? You'll likely have to help them map their drives - yeah, instructions in an email can likely get most users to get this working.
-
@jt1001001 said in How Do You Replace Active Directory?:
@Dashrender do they need local admin rights? For us the answer is NO.
Right now I'm working on an image for our systems with apps re-installed and Chocolaty for future package management. A local admin user with password known to IT (different foe each machine) is created, and I-T person adds machine to Azure AD though Accounts section of Win 10 (with pre-set password). Reboot, new user logs in and is prompted to change their password. Will simplify this as time goes on but its a good start.No - luckily we have nothing so broken as to require local admin to run.
Interesting - so you've added AAD to the mix.
so you're replacing AD with AAD for the user accounts. -
@scottalanmiller said in How Do You Replace Active Directory?:
@jt1001001 said in How Do You Replace Active Directory?:
A local admin user with password known to IT (different foe each machine) is created
Yeah, no reason not to do that. So easy to do and how is that different than with AD where you'd need some form of admin creds for the machines anyway. With AD we still create, manage, and track all these local admin accounts. AD doesn't manage that at all. So having AD on top of the user management is awful.
And that local admin account can be used to manage the local user accounts. Plus you CAN decide to make different local admin accounts for each admin if you prefer (that's how Linux recommends it.)
But with most tools today (RMM, MeshCentral, Salt, Ansible, ScreenConnect, etc.) you manage the users through that and don't need to log in at all.
MC manages the local user accounts? I'm going to have to read up on that.
I agree with the rest here. -
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
let's say you do create non admin accounts - how are you doing that?
net user
Same way we always have. That goes back to the early NT days.
How manual of you.
I suppose if you're touching all the computers for setup, you're already there, not that big of deal.... -
@Dashrender said in How Do You Replace Active Directory?:
MC manages the local user accounts? I'm going to have to read up on that.
The same as you would through sitting at the machine, through PowerShell Remoting, or SSH. You still have to user the commands. But MC provides the access. It's manual, not centralized. But that's how Windows works out of the box. MC just allows you to do it while a user is using the machine, without needing creds of any user.
-
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
let's say you do create non admin accounts - how are you doing that?
net user
Same way we always have. That goes back to the early NT days.
How manual of you.
I suppose if you're touching all the computers for setup, you're already there, not that big of deal....Right, when setting up a computer you have to put in a hostname, supply other settings, etc. I don't see this as any more or less work than with AD.
With AD I have two basic choices when deploying a new computer. Either do a bit of creating a user and applying it only to the appropriate devices that it is expected to be used on. Or doing it the same for all machines. In both cases, I can do the same without AD using net user about the same. Either just manually as the machine is set up, or a simple script that sets them all the same on each device. This is where I'm always confused... what's AD providing me? Even with 1000 users and 1000 devices, I get no benefit at setup time.
Users having central password reset isn't something that Windows handles by default internally without AD, but even in AD environments this is rarely beneficial. When it is, it's really important. But when it is really important, it's not hard to provide any number of third party tools that handle that from a trivially simple script to Salt.
-
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
hat? you can't manage local users the same way you do with AD.
Yes, you can. AD doesn't manage it at all. YOu are expected to log in and user "net user." That continues to work the same.
you're right - local user - but I don't give a toss about local users. We have users who hope around to 6+ machines... so those users would either have 6 different accounts (potentially synced by the user themselves) or an account that is somehow synced between them. Considering we have AD today providing centralized user authentication (again, you're right not local user at all) I can't see management accepting a solution where a user has to manage these accounts between the machine themselves and not be centralized.
-
@scottalanmiller said in How Do You Replace Active Directory?:
So let's start asking the questions that really matter...
Why do you @Dashrender care about AD? What value do you see in what it does?
I don't care about AD - I care about centralized authentication of all devices. I'd likely be just as happy with JumpCloud/AAD/SAMBA/etc.
Why do you care about tightly managing a device that is designed to be self sufficient? And why would you want to introduce AD which often disables critical security features (like updates.)
AD doesn't disable update any more than AD provides GPO.
Why do you care about the tight control of non-local user accounts? And how are you managing local user accounts today?
Local user accounts are disabled.
I use GPOs a lot today. Learning other options like Salt or Ansible, etc, i.e. state machines would allow me to potentially move away from GPOs.
-
@Dashrender said in How Do You Replace Active Directory?:
I don't care about AD - I care about centralized authentication of all devices.
But... why? Why is this something that you care about? It's not an end goal. It's a means. But what is the ends?
-
@Dashrender said in How Do You Replace Active Directory?:
Local user accounts are disabled.
I use GPOs a lot today. Learning other options like Salt or Ansible, etc, i.e. state machines would allow me to potentially move away from GPOs.Or you can use them to deploy GPOs.
-
I dunno. Sorry I haven't read all this, my back is giving me hell ATM.
So how do you add a new shared printer to a group of PCs? You'd never visit each PC individually and add it.
I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.
I can understand how you could use an MDM to manage Windows devices, but why not just use native AD?
I cannot see any corp running 1000's of Windows devices without AD. However I could see a small business not using AD.