    How Do You Replace Active Directory?

    Water Closet
    105 Posts 9 Posters 15.1k Views
    • scottalanmillerS
      scottalanmiller @JasGot
      last edited by

      @JasGot said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      Could be either. Some places have no central office, that's starting to be a thing. Those that have a central office might not want their files stored there as it creates risk... how do you work when you aren't in the office, even if normally you are? Those that do can do modern non-mapped drives inside of the office (NextCloud, as an example, works that way.)

      Thanks.

      Although the concept is NOT foreign to us, we have NO customers that operate with offsite data.
      All are 9-5 office only shops with apps that require onsite centralized storage and a ton of scattered printers available to all departments.

      That's wild. That those exist is of no surprise. Of course they do. But especially in the post (or still) COVID world, the need for working from home and eliminating offices has become so key to disaster prevention and continuity of business that any remnants we saw two years ago of offices holding out on modernizing away from office dependency (not use, just dependency) faded away.

      Even places that make normal offices seem mired in locality like human and animal medical have moved (for us) to being location independent. We do tons of veterinary (and...fingers crossed... I think we just made the leap to building our first clinic of our own!!!) and that is moving in that direction rapidly. Nearly all of our clinics still store their data onsite (it's the wise move for sure), but make it available offsite. And they don't work with files, everything is application and database driven. And more and more of their staff works offsite, at least part time. Every role from reception to backoffice to even the vets themselves.

      We even keep vet offices in Managua and Leon for our own vets to provide services to clinics in the US. Obviously they are medical professionals working 100% outside the office.

      Vets are at the absolute peak of "everything needs to be onsite", and even they have mostly abandoned any office lock in that they can today. COVID was a nice push for that.

      But I should mention, they do NOT use cloud-based apps 99% of the time, that would be insanely dumb for that business model.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in How Do You Replace Active Directory?:

        @scottalanmiller said in How Do You Replace Active Directory?:

        @Dashrender said in How Do You Replace Active Directory?:

        @scottalanmiller said in How Do You Replace Active Directory?:

        @JasGot said in How Do You Replace Active Directory?:

        How do you handle passwords for the local machine and sync them to the passwords required for the server?

        Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.

        The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.

        What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?

        We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control that files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.

        We have a crap ton of files - just not PHI; that lives in the EMR.

        The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.

        Why does the EMR use them as files rather than contextualizing them? That's what the EMR is for. Making an EMR just be a file server is weird.

        We make Veterinary EMR and of course having file fall-back capability for one-off files that can't be contextualized is important for flexibility, but it is never meant to be used; it means someone got data that was unexpected and we are in a failure avoidance mode.

        Accounting records, compliance records, etc. should not be kept as files generally. Keeping files means you've essentially fallen back to paper, just digitized paper. It's far better than paper, but it's not embracing computers as data devices, just computers as paper enhancements.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • M
          Mario Jakovina @scottalanmiller
          last edited by Mario Jakovina

          @scottalanmiller said in How Do You Replace Active Directory?:

          @Mario-Jakovina said in How Do You Replace Active Directory?:

          @scottalanmiller said in How Do You Replace Active Directory?:

          RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.

          What do you mean with "RDS has AD as requirement"?
          In my previous company, most of us used RDS, and we did not use AD.

          You have to, RDS won't deploy without it. When you go to install RDS it checks for AD and won't enable until you add it.

          Well it is not true, because RDS is still there, and AD services are not deployed.
          (I checked it)

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Mario Jakovina
            last edited by

            @Mario-Jakovina said in How Do You Replace Active Directory?:

            @scottalanmiller said in How Do You Replace Active Directory?:

            @Mario-Jakovina said in How Do You Replace Active Directory?:

            @scottalanmiller said in How Do You Replace Active Directory?:

            RDS, sadly, has AD as a requirement. Although you can localize it and make it irrelevant.

            What do you mean with "RDS has AD as requirement"?
            In my previous company, most of us used RDS, and we did not use AD.

            You have to, RDS won't deploy without it. When you go to install RDS it checks for AD and won't enable until you add it.

            Well it is not true, because RDS is still there, and AD services are not deployed.
            (I checked it)

            Interesting. I found a guide. So what's the purpose of doing this? Looks like a bit more work and what benefit since you normally just deploy AD local to the RDS server when you don't want to deploy it otherwise it acts (and is) local when done that way anyway. Why do the effort to work around it and have it not fully featured?

            http://woshub.com/install-remote-desktop-services-rdsh-workgroup-without-domain/

            M 1 Reply Last reply Reply Quote 0
            • M
              Mario Jakovina @scottalanmiller
              last edited by

              @scottalanmiller Maybe it is complicated if you have User RDS CALs.
              We had Device RDS CALs, and things are very simple with them.

              DashrenderD scottalanmillerS 3 Replies Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said in How Do You Replace Active Directory?:

                @Dashrender said in How Do You Replace Active Directory?:

                @scottalanmiller said in How Do You Replace Active Directory?:

                @Dashrender said in How Do You Replace Active Directory?:

                @scottalanmiller said in How Do You Replace Active Directory?:

                @JasGot said in How Do You Replace Active Directory?:

                How do you handle passwords for the local machine and sync them to the passwords required for the server?

                Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.

                The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.

                What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?

                We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control that files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.

                We have a crap ton of files - just not PHI; that lives in the EMR.

                The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.

                Why does the EMR use them as files rather than contextualizing them? That's what the EMR is for. Making an EMR just be a file server is weird.

                I don't disagree. Most of the data that we create is live data, typed into the system, stored in a DB, but faxes that come in (hundreds of pages a day) have not been shown to be reliably transcribed via OCR, therefore the "paper" copy must be kept for any related issues there.

                Additionally, anything human transcribed is also scanned and stored as CYA for bad data entry.

                We continue to look at solutions where the data can be entered directly by the patient, the roadblock there - costs.

                Accounting records, compliance records, etc. should not be kept as files generally. Keeping files means you've essentially fallen back to paper, just digitized paper. It's far better than paper, but it's not embracing computers as data devices, just computers as paper enhancements.

                I've been asking about this for ages - again, cost is the reason frequently given (and staff pushback).

                1 Reply Last reply Reply Quote 1
                • DashrenderD
                  Dashrender @Mario Jakovina
                  last edited by

                  @Mario-Jakovina said in How Do You Replace Active Directory?:

                  @scottalanmiller Maybe it is complicated if you have User RDS CALs.
                  We had Device RDS CALs, and things are very simple with them.

                  Something still has to deploy those CALs.

                  Since you're on premises you can control the number of devices you have, so device CALs work - if you opened it up and allowed people to work from home, User CALs would likely pay off.

                  Though I can't imagine what AD would have to do with it in either case?

                  scottalanmillerS 1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @Mario Jakovina
                    last edited by

                    @Mario-Jakovina said in How Do You Replace Active Directory?:

                    We had Device RDS CALs, and things are very simple with them.

                    Can be, if you have locked down devices. But that's not related to the AD issue. AD isn't to make the CALs simpler.

                    M 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Mario Jakovina
                      last edited by

                      @Mario-Jakovina said in How Do You Replace Active Directory?:

                      Maybe it is complicated if you have User RDS CALs.

                      How do CALs relate?

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in How Do You Replace Active Directory?:

                        Though I can't imagine what AD would have to do with it in either case?

                        My thoughts, too. I'm not sure how that relates. AD doesn't interact with CALs, nor does the use of AD influence the CALs.

                        1 Reply Last reply Reply Quote 0
                        • J
                          JasGot @scottalanmiller
                          last edited by

                          @scottalanmiller said in How Do You Replace Active Directory?:

                          Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                          Curious.... How are you enforcing password changes at the local PC for users?

                          DashrenderD scottalanmillerS ObsolesceO 4 Replies Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @JasGot
                            last edited by

                            @JasGot said in How Do You Replace Active Directory?:

                            @scottalanmiller said in How Do You Replace Active Directory?:

                            Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                            Curious.... How are you enforcing password changes at the local PC for users?

                            Why does this matter?

                            J 1 Reply Last reply Reply Quote 0
                            • J
                              JasGot @Dashrender
                              last edited by

                              @Dashrender said in How Do You Replace Active Directory?:

                              @JasGot said in How Do You Replace Active Directory?:

                              @scottalanmiller said in How Do You Replace Active Directory?:

                              Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                              Curious.... How are you enforcing password changes at the local PC for users?

                              Why does this matter?

                              Because we're required to enforce it.

                              DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @JasGot
                                last edited by

                                @JasGot said in How Do You Replace Active Directory?:

                                @Dashrender said in How Do You Replace Active Directory?:

                                @JasGot said in How Do You Replace Active Directory?:

                                @scottalanmiller said in How Do You Replace Active Directory?:

                                Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                Curious.... How are you enforcing password changes at the local PC for users?

                                Why does this matter?

                                Because we're required to enforce it.

                                I assume - because company - not because law...

                                Anyway - one way to do it would be whatever management solution you choose - Intune/MeshCentral/ScreenConnect/etc - you push a script that flips the switch making them have to change their password as needed.

                                You could also schedule a job to run locally that could do the same.

                                J 1 Reply Last reply Reply Quote 0
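The "flip the switch" step Dashrender describes, as an added example that is not from the thread or from any of the posters: a script a management tool can push that flags local accounts whose password is older than a threshold so the user must change it at next logon. It assumes Windows 10/11 with the built-in LocalAccounts module, an elevated session, and the `$MaxAgeDays` and `$Exclude` values are assumed defaults.

```powershell
# Added example: force a password change at next logon for stale local accounts.
# Assumes: elevated PowerShell on Windows 10/11; Microsoft.PowerShell.LocalAccounts available.
param(
    [int]$MaxAgeDays = 90,                       # assumed threshold; match your policy
    [string[]]$Exclude = @('Administrator', 'DefaultAccount', 'Guest', 'WDAGUtilityAccount'),
    [switch]$DryRun                              # report only, change nothing
)

$now = Get-Date
$results = foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and $Exclude -notcontains $_.Name }) {
    # PasswordLastSet is $null when the password has never been set; treat that as infinitely old
    $age   = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { [int]::MaxValue }
    $stale = $age -gt $MaxAgeDays
    $note  = ''
    if ($stale -and -not $DryRun) {
        try {
            # WinNT ADSI provider: PasswordExpired = 1 sets "User must change password at next logon".
            # This is not honored for accounts marked "Password never expires"; the error is recorded.
            $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($u.Name),user"
            $adsi.PasswordExpired = 1
            $adsi.SetInfo()
            $note = 'flagged'
        } catch {
            $note = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ User = $u.Name; AgeDays = $age; Stale = $stale; Action = $note }
}
$results | Format-Table -AutoSize
```

Run it with `-DryRun` first to see which accounts would be affected; the per-user result objects are what a management tool would collect as the script's output.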
                                • scottalanmillerS
                                  scottalanmiller @JasGot
                                  last edited by

                                  @JasGot said in How Do You Replace Active Directory?:

                                  @scottalanmiller said in How Do You Replace Active Directory?:

                                  Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                  Curious.... How are you enforcing password changes at the local PC for users?

                                  We don't, that's considered a security violation. It's unsafe and not good for productivity. One of the reasons we want AD out is that it encourages this outdated myth and by default people do things that are reckless with it.


                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @JasGot
                                    last edited by

                                    @JasGot said in How Do You Replace Active Directory?:

                                    @Dashrender said in How Do You Replace Active Directory?:

                                    @JasGot said in How Do You Replace Active Directory?:

                                    @scottalanmiller said in How Do You Replace Active Directory?:

                                    Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                    Curious.... How are you enforcing password changes at the local PC for users?

                                    Why does this matter?

                                    Because we're required to enforce it.

                                    By whom?

                                    J 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @JasGot
                                      last edited by

                                      @JasGot said in How Do You Replace Active Directory?:

                                      @scottalanmiller said in How Do You Replace Active Directory?:

                                      Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                      Curious.... How are you enforcing password changes at the local PC for users?

                                      We have never been asked to lower our security in this way. As the IT department to most of our customers we typically make these recommendations so we don't run into the problem. I can certainly see when it could happen and we'd have no choice, we've just been lucky.

                                      If you are using local accounts you certainly don't lose this functionality. It isn't special with AD. It's just that the culture around AD users is to always have it, and the culture over local accounts is not to. It's amazing how many things are just cultural preferences in IT.

                                      Here is where you set it...

                                      Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

                                      1 Reply Last reply Reply Quote 1
                                      • ObsolesceO
                                        Obsolesce @JasGot
                                        last edited by Obsolesce

                                        @JasGot said in How Do You Replace Active Directory?:

                                        @scottalanmiller said in How Do You Replace Active Directory?:

                                        Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                        Curious.... How are you enforcing password changes at the local PC for users?

                                        If you are using corporate identities for employees on corporate owned devices, there's no need for local user accounts. You can use, for example, Okta/Azure AD/etc as your identity provider along with MFA with Azure/Okta/Duo/etc and the users can use their corporate provided identities to log on to their devices. Using that method there is no need to do anything there locally on the device.

                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          JasGot @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in How Do You Replace Active Directory?:

                                          @JasGot said in How Do You Replace Active Directory?:

                                          @Dashrender said in How Do You Replace Active Directory?:

                                          @JasGot said in How Do You Replace Active Directory?:

                                          @scottalanmiller said in How Do You Replace Active Directory?:

                                          Just use local accounts. It's so easy that you can manage the whole environment for less effort than maintaining AD.

                                          Curious.... How are you enforcing password changes at the local PC for users?

                                          Why does this matter?

                                          Because we're required to enforce it.

                                          By whom?

                                          General Motors

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            JasGot @Dashrender
                                            last edited by

                                            @Dashrender said in How Do You Replace Active Directory?:

                                            you push a script that flips the switch making them have to change their password as needed.

                                            For environments without AD, we'll set these rules at the local PC.

                                            This is the script I came up with:
                                            PassRules.Cmd

```batch
rem Create a random number between 42 and 89 (inclusive) for password aging
rem (%random% is 0-32767, so *48/32768 yields 0-47, then +42)
set /a _rand=(%random%*48/32768)+42

rem Set Minimum Password Length
net accounts /minpwlen:12

rem Set Max Password Age (in days) to our random number
net accounts /maxpwage:%_rand%

rem Set refusal to allow any of the last 5 passwords
net accounts /uniquepw:5

rem Lockout user after 10 failed login attempts
net accounts /lockoutthreshold:10

rem Set screen timeout to 15 minutes for both AC and battery power
powercfg /change monitor-timeout-ac 15
powercfg /change monitor-timeout-dc 15

rem Lock workstation after 15 minutes (900 seconds) of idleness for both AC and battery power
powercfg.exe /setacvalueindex scheme_current sub_video videoconlock 900
powercfg.exe /setdcvalueindex scheme_current sub_video videoconlock 900

rem Re-apply the current scheme so the changed index values take effect
powercfg.exe /setactive scheme_current
```
                                            
                                            DashrenderD 1 Reply Last reply Reply Quote 0
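A check to pair with PassRules.Cmd, added here as an example that is not from the thread or the poster: it exports the local security policy with `secedit` and confirms the [System Access] values match what the script set (minimum length 12, history 5, lockout 10, and a maximum age inside the 42-89 day window the script draws from). It assumes an elevated session on Windows and a temporary export path.

```powershell
# Added example: verify the local password policy that PassRules.Cmd applied.
# Assumes: elevated PowerShell on Windows; $inf is an assumed temp path for the export.
$inf = Join-Path $env:TEMP 'localpolicy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# Parse "Key = Value" lines from the [System Access] section only; keep numeric values.
# secedit writes the INF as UTF-16, hence -Encoding Unicode.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Expected values: the fixed ones PassRules.Cmd sets, plus the random age window it picks from.
$checks = @(
    @{ Name = 'MinimumPasswordLength'; Ok = { param($v) $v -ge 12 } },
    @{ Name = 'MaximumPasswordAge';    Ok = { param($v) $v -ge 42 -and $v -le 89 } },
    @{ Name = 'PasswordHistorySize';   Ok = { param($v) $v -ge 5 } },
    @{ Name = 'LockoutBadCount';       Ok = { param($v) $v -gt 0 -and $v -le 10 } }
)
foreach ($c in $checks) {
    $v = $policy[$c.Name]
    $status = if ($null -ne $v -and (& $c.Ok $v)) { 'OK' } else { 'MISMATCH' }
    '{0,-22} {1,5}  {2}' -f $c.Name, $v, $status
}
```

A MISMATCH on MaximumPasswordAge with a value of -1 means "never expires", the state the thread's other posters argue for; the check only reports, it changes nothing.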