Large network of Windows machines without AD - GO!
-
@Dashrender said in Large network of Windows machines without AD - GO!:
So Scott is always talking about ditching AD - so I'm asking - how would you ditch AD from a 200+ workstation/laptop environment where the users must remain using Windows on their local devices due to application requirements (let's not bring VDI/RDS into this at this time - that could be another thread).
How do you manage and get knowledge that systems are updated?
What user accounts are on the machine - and how do they get there?
Do you have a single admin level account pre-setup on every machine?
What about situations where users roam from computer to computer?
What about mapping network resources like printers and fileshares?
AAD and Intune
-
Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
How do you manage and get knowledge that systems are updated?
Active Directory can't do this. Even WSUS has a hard time doing these reports.
What user accounts are on the machine - and how do they get there?
If you're using Office 365 then you most likely have AAD included (obviously you need to have an Office 365 license per each user) Exchange Online not so much.
Other than that, local accounts are completely manageable. You could do it with any number of configuration management toolkits for very little actual cost, outside of man hours.
You can very easily do this with PowerShell too.
Do you have a single admin level account pre-setup on every machine?
You should be doing this anyway.
What about situations where users roam from computer to computer?
This can be accomplished in a number of ways. Configuration Management, or create the user account with PowerShell.
What about mapping network resources like printers and fileshares?
You can do this with just local accounts.
-
@marcinozga said in Large network of Windows machines without AD - GO!:
Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.
and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.
-
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
How do you manage and get knowledge that systems are updated?
Active Directory can't do this. Even WSUS has a hard time doing these reports.
I know it's a WSUS function, and that is less than great, but it's something - and could be just part of the expense of AD.
-
You could also look at Amazon Directory Services. https://aws.amazon.com/directoryservice/pricing/. Although that ends up being more expensive in the long run as well, at least from a SKU standpoint.
-
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
What user accounts are on the machine - and how do they get there?
If you're using Office 365 then you most likely have AAD included (obviously you need to have an Office 365 license per each user) Exchange Online not so much.
Other than that, local accounts are completely manageable. You could do it with any number of configuration management toolkits for very little actual cost, outside of man hours.
You can very easily do this with PowerShell too.
yeah I know scripting tools can be made to do these, but as mentioned at a pretty heady manpower cost at minimum. Purchasing a tool seems like it would be better served, but the recurring costs will likely be high, as already pointed out above for things like Intune and AAD.
-
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
Do you have a single admin level account pre-setup on every machine?
You should be doing this anyway.
Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....
-
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
What about situations where users roam from computer to computer?
This can be accomplished in a number of ways. Configuration Management, or create the user account with PowerShell.
How are you proposing using PowerShell? or Configuration management? I assume CM is a third party tool - say salt, and you're pushing configs via that? OK I can see that. PowerShell can do this as well, but I really don't like the idea of opening PowerShell ports on the machine - I like the agent based solution instead.
-
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
What about mapping network resources like printers and fileshares?
You can do this with just local accounts.
OK sure, but then I have to know the passwords to all of those accounts so I can make matching ones on the server - or, they end up with different creds for logon vs resource use. i.e. no SSO like you get with AD and Windows resources, so user experience could be lessened - and before you say - but you don't need to do it for everything - you only need to do it the first time they attach to the resource... yeah I know that.
-
You don't really need AAD, though.
You could ditch AD and just get SSO like Okta or Jumpcloud.
-
Would something like Zentyal be appropriate?
-
@Dashrender said in Large network of Windows machines without AD - GO!:
How do you manage and get knowledge that systems are updated?
How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
What user accounts are on the machine - and how do they get there?
Local users. For most large environments, that's one user per machine. So Salt or Ansible is easy, as is manually creating when the system is set up. Nothing complicated normally needed.
If you have a lot of roaming or shared machines, then Ansible or Salt or similar is a great way to handle that.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
Do you have a single admin level account pre-setup on every machine?
For desktops, generally. Depends on your security needs. One controlled by Ansible/Salt makes this secure and easy. But making a unique one for each machine is an option, too, if you want to jump way beyond the security that AD would normally give you. Or push out loads of admin accounts for every admin user. Loads of options depending on your needs.
With Ansible/Salt... do you even need an admin account?
-
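Added example for the two posts above (coliver's "you can very easily do this with PowerShell" and Scott's "local users, one per machine, unique admin per machine if you want"). This is not code from the thread; it uses the built-in Microsoft.PowerShell.LocalAccounts module on a standalone Windows 10/11 box. The account names `ops-admin` and `jdoe`, and the final "hand the secret to your vault" object, are assumptions for illustration; a Salt/Ansible state would wrap the same cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): provision a per-machine local admin with a
# unique random password plus one standard local user on a standalone Windows box.
# Account names and the "return the secret to your vault" step are assumptions.

function New-RandomPassword {
    # 64-character alphabet so byte % 64 has no modulo bias; ambiguous glyphs omitted.
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Set-StandaloneLocalUser {
    # Create the account if missing, otherwise reset its password; then make sure
    # it is a member of the group you asked for (Users or Administrators).
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PlainPassword,
        [string]$FullName = $Name,
        [switch]$Admin
    )
    $secure = ConvertTo-SecureString $PlainPassword -AsPlainText -Force
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $secure
    } else {
        New-LocalUser -Name $Name -Password $secure -FullName $FullName | Out-Null
    }
    $group  = if ($Admin) { 'Administrators' } else { 'Users' }
    $member = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like "*\$Name" }   # Name is COMPUTER\user
    if (-not $member) { Add-LocalGroupMember -Group $group -Member $Name }
}

# 1. Unique local admin for this machine (the "one per machine" option from the thread).
$adminName = 'ops-admin'                     # assumption
$adminPw   = New-RandomPassword
Set-StandaloneLocalUser -Name $adminName -PlainPassword $adminPw -Admin

# 2. The machine's primary standard user; initial password must be changed at logon.
$userName = 'jdoe'                           # assumption
$userPw   = New-RandomPassword -Length 16
Set-StandaloneLocalUser -Name $userName -PlainPassword $userPw -FullName 'Jane Doe'
net user $userName /logonpasswordchg:yes | Out-Null

# 3. Emit the admin secret once so the calling tool can store it in its vault;
#    in production this object goes to the secret store, not to a transcript.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Account  = $adminName
    Password = $adminPw
}
```

The standard user's initial password is only printed if you choose to; it is handed to the person out of band and forced to change at first logon. The admin password is generated on the machine and never typed by an operator, which is what makes "an admin account you don't know the password to" workable without AD: the config-management run is the only thing that ever sees it.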
@Dashrender said in Large network of Windows machines without AD - GO!:
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
Do you have a single admin level account pre-setup on every machine?
You should be doing this anyway.
Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....
Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
What about mapping network resources like printers and fileshares?
You can do this with just local accounts.
OK sure, but then I have to know the passwords to all of those accounts so I can make matching ones on the server - or, they end up with different creds for logon vs resource use. i.e. no SSO like you get with AD and Windows resources, so user experience could be lessened - and before you say - but you don't need to do it for everything - you only need to do it the first time they attach to the resource... yeah I know that.
Maybe at initial creation, but not for them to use them. This isn't an actual problem. Centralized passwords are totally possible without you knowing them or using AD.
-
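Added example for the exchange above on mapping shares and printers with local accounts (not code from the thread). It shows the "only at first attach" case Dashrender describes: the server-side credential is stored once per Windows user profile in Credential Manager with `cmdkey`, after which the persistent drive mapping and printer connection reuse it without prompting, so the local logon password and the server account password never have to match. The server, share and printer names are assumptions.

```powershell
# Added example (not from the thread): connect a standalone Windows machine to a
# file share and a shared printer using a server credential that differs from the
# local logon. Server/share/printer names below are assumptions.
param(
    [string]$Server  = 'fs01',
    [string]$Share   = 'Shared',
    [string]$Drive   = 'S:',
    [string]$Printer = 'HPColor'
)

# Prompt once; $cred.UserName keeps any "fs01\jdoe" prefix the user typed.
$cred = Get-Credential -Message "Account on $Server (e.g. $Server\jdoe)"
$plain = $cred.GetNetworkCredential().Password

# Store the credential for the target host in this profile's Credential Manager.
# cmdkey only accepts the password as plain text on its command line, so keep
# the plaintext variable's lifetime as short as possible.
cmdkey /add:$Server /user:$($cred.UserName) /pass:$plain | Out-Null
Remove-Variable plain

# Persistent drive mapping (survives reboot); SMB picks up the stored credential.
New-SmbMapping -LocalPath $Drive -RemotePath "\\$Server\$Share" -Persistent $true

# Network printer shared from the same server; same stored credential applies.
Add-Printer -ConnectionName "\\$Server\$Printer"

# Verify both ended up where expected.
Get-SmbMapping -LocalPath $Drive
Get-Printer -Name "\\$Server\$Printer"
```

Run this in the user's own session (not elevated), because Credential Manager entries and persistent mappings belong to the profile that creates them. Changing the server-side password later means one `cmdkey /delete:$Server` and a re-run; nothing on the workstation's local account is involved.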
@notverypunny said in Large network of Windows machines without AD - GO!:
Would something like Zentyal be appropriate?
Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD."
If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
How do you manage and get knowledge that systems are updated?
How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.
/sigh.. yeah, you're right.
Let me rephrase - using all of the tools that come along with Standard Windows Licensing, and typically seen deployed in an AD environment - how would you do these things without AD/Windows Server/etc.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
Do you have a single admin level account pre-setup on every machine?
You should be doing this anyway.
Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....
Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.
I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.