    Large network of Windows machines without AD - GO!

    68 Posts 10 Posters 3.6k Views
• Dashrender @coliver

      @coliver said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      How do you manage and get knowledge that systems are updated?

      Active Directory can't do this. Even WSUS has a hard time doing these reports.

      I know it's a WSUS function, and that is less than great, but it's something - and could be just part of the expense of AD.

• coliver

        You could also look at Amazon Directory Services. https://aws.amazon.com/directoryservice/pricing/. Although that ends up being more expensive in the long run as well, at least from a SKU standpoint.

• Dashrender @coliver

          @coliver said in Large network of Windows machines without AD - GO!:

          @Dashrender said in Large network of Windows machines without AD - GO!:

          What user accounts are on the machine - and how do they get there?

          If you're using Office 365 then you most likely have AAD included (obviously you need to have an Office 365 license per each user) Exchange Online not so much.

Other than that, local accounts are completely manageable. You could do it with any number of configuration management toolkits for very little actual cost, outside of man hours.

You can very easily do this with PowerShell too.

yeah I know scripting tools can be made to do these, but as mentioned at a pretty heady manpower cost at minimum. Purchasing a tool seems like it would be better served, but the recurring costs will likely be high, as already pointed out above for things like Intune and AAD.

• Dashrender @coliver

            @coliver said in Large network of Windows machines without AD - GO!:

            @Dashrender said in Large network of Windows machines without AD - GO!:

            Do you have a single admin level account pre-setup on every machine?

            You should be doing this anyway.

            Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

• Dashrender @coliver

              @coliver said in Large network of Windows machines without AD - GO!:

              @Dashrender said in Large network of Windows machines without AD - GO!:

              What about situations where users roam from computer to computer?

              This can be accomplished in a number of ways. Configuration Management, or create the user account with Powershell.

How are you proposing to use PowerShell, or configuration management? I assume CM is a third party tool - say Salt - and you're pushing configs via that? OK, I can see that. PowerShell can do this as well, but I really don't like the idea of opening PowerShell ports on the machine - I like the agent based solution instead.

• Dashrender @coliver

                @coliver said in Large network of Windows machines without AD - GO!:

                @Dashrender said in Large network of Windows machines without AD - GO!:

                What about mapping network resources like printers and fileshares?

                You can do this with just local accounts.

                OK sure, but then I have to know the passwords to all of those accounts so I can make matching ones on the server - or, they end up with different creds for logon vs resource use. I.E. no SSO like you get with AD and Windows resources, so user experience could be lessened - and before you say - but you don't need to do it everything - you only need to do it the first time they attach to the resource.. yeah I know that.

• IRJ

You don't really need AAD, though.

                  You could ditch AD and just get SSO like Okta or Jumpcloud.

• notverypunny

                    Would something like Zentyal be appropriate?

• scottalanmiller @Dashrender

                      @Dashrender said in Large network of Windows machines without AD - GO!:

                      How do you manage and get knowledge that systems are updated?

                      How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.

• scottalanmiller @Dashrender

                        @Dashrender said in Large network of Windows machines without AD - GO!:

                        What user accounts are on the machine - and how do they get there?

                        Local users. For most large environments, that's one user per machine. So Salt or Ansible is easy, as is manually creating when the system is set up. Nothing complicated normally needed.

                        If you have a lot of roaming or shared machines, then Ansible or Salt or similar is a great way to handle that.

• scottalanmiller @Dashrender

                          @Dashrender said in Large network of Windows machines without AD - GO!:

                          Do you have a single admin level account pre-setup on every machine?

                          For desktops, generally. Depends on your security needs. One controlled by Ansible/Salt makes this secure and easy. But making a unique one for each machine is an option, too, if you want to jump way beyond the security that AD would normally give you. Or push out loads of admin accounts for every admin user. Loads of options depending on your needs.

                          With Ansible/Salt... do you even need an admin account?

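The "one local user per machine plus one controlled admin account" arrangement described in the two posts above, as an added example that is not code from the thread or from any of the posters. It is written as the PowerShell a Salt or Ansible run would execute on the host (Ansible's own win_user and win_group_membership modules do the same job declaratively). The naming scheme ladm-<hostname>, the -PrimaryUser parameter, and the hand-off of the generated admin password to a secrets store are assumptions for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): idempotent local-account provisioning for one host.
# Re-running it is safe: existing accounts are left in place, group membership is
# checked before it is added, and only the per-host admin password is rotated.
$ErrorActionPreference = 'Stop'

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-symbol alphabet so that (byte % 64) is unbiased; bytes come from the OS CSPRNG,
    # not Get-Random. Returned as a SecureString, which is what New-LocalUser expects.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
    ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

function Confirm-LocalUser {
    # Create the account if it is missing, then make sure it is in the right groups.
    # New-LocalUser does not add the account to Users (unlike "net user /add"), so the
    # Users membership is ensured explicitly or the account cannot log on interactively.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Description = '',
        [switch]$Admin
    )
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $Name -Password $Password -Description $Description
        Write-Verbose "created local user $Name"
    }
    $groups = @('Users')
    if ($Admin) { $groups += 'Administrators' }
    foreach ($g in $groups) {
        # Get-LocalGroupMember reports local members as HOSTNAME\name.
        $members = @(Get-LocalGroupMember -Group $g | ForEach-Object { $_.Name })
        if ($members -notcontains "$env:COMPUTERNAME\$Name") {
            Add-LocalGroupMember -Group $g -Member $Name
        }
    }
    return $user
}

function Invoke-LocalAccountProvisioning {
    param([Parameter(Mandatory)][string]$PrimaryUser)

    # 1. The machine's one standard user. The initial password is random and must be
    #    changed at first logon; how it reaches the user is the onboarding process's job.
    $initial = New-RandomPassword
    $primary = Confirm-LocalUser -Name $PrimaryUser -Password $initial -Description 'Primary user'
    net user $PrimaryUser /logonpasswordchg:yes | Out-Null   # no LocalAccounts cmdlet for this flag

    # 2. One break-glass admin whose name and password are unique to this host, so a
    #    credential taken from one machine opens no other. "ladm-" + a 15-char NetBIOS
    #    name fits the 20-character local username limit exactly.
    $adminName     = "ladm-$($env:COMPUTERNAME.ToLower())"
    $adminPassword = New-RandomPassword -Length 32
    $admin = Confirm-LocalUser -Name $adminName -Password $adminPassword `
                               -Description 'Per-host break-glass admin' -Admin
    # Rotate on every run (LAPS-style) so the secrets store always holds the current value.
    Set-LocalUser -Name $adminName -Password $adminPassword

    # 3. The built-in Administrator is a well-known name with a well-known SID; with a
    #    per-host admin in place it has no job left, so leave it disabled.
    Disable-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue

    # The caller (the Salt/Ansible task) forwards AdminPassword to the secrets store.
    # It stays a SecureString here and is never written to a log by this script.
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        PrimaryUser         = $primary.Name
        AdminAccount        = $admin.Name
        AdminPassword       = $adminPassword
        InitialUserPassword = $initial
    }
}
```

Run it as `Invoke-LocalAccountProvisioning -PrimaryUser 'jdoe'` from the management tool's task; the returned object is what the task stores, so the password for a given host lives in the secrets store and nowhere on the machine except the SAM itself.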
• scottalanmiller @Dashrender

                            @Dashrender said in Large network of Windows machines without AD - GO!:

                            @coliver said in Large network of Windows machines without AD - GO!:

                            @Dashrender said in Large network of Windows machines without AD - GO!:

                            Do you have a single admin level account pre-setup on every machine?

                            You should be doing this anyway.

                            Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

                            Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

• scottalanmiller @Dashrender

                              @Dashrender said in Large network of Windows machines without AD - GO!:

                              @coliver said in Large network of Windows machines without AD - GO!:

                              @Dashrender said in Large network of Windows machines without AD - GO!:

                              What about mapping network resources like printers and fileshares?

                              You can do this with just local accounts.

                              OK sure, but then I have to know the passwords to all of those accounts so I can make matching ones on the server - or, they end up with different creds for logon vs resource use. I.E. no SSO like you get with AD and Windows resources, so user experience could be lessened - and before you say - but you don't need to do it everything - you only need to do it the first time they attach to the resource.. yeah I know that.

                              Maybe at initial creation, but not for them to use them. This isn't an actual problem. Centralized passwords are totally possible without you knowing them or using AD.

• scottalanmiller @notverypunny

                                @notverypunny said in Large network of Windows machines without AD - GO!:

                                Would something like Zentyal be appropriate?

                                Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD." 🙂

                                If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.

• Dashrender @scottalanmiller

                                  @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                  @Dashrender said in Large network of Windows machines without AD - GO!:

                                  How do you manage and get knowledge that systems are updated?

                                  How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.

                                  /sigh.. yeah, you're right.

Let me rephrase - using all of the tools that come along with Standard Windows Licensing, and typically seen deployed in an AD environment - how would you do these things without AD/Windows Server/etc.?

• Dashrender @scottalanmiller

                                    @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                    @Dashrender said in Large network of Windows machines without AD - GO!:

                                    @coliver said in Large network of Windows machines without AD - GO!:

                                    @Dashrender said in Large network of Windows machines without AD - GO!:

                                    Do you have a single admin level account pre-setup on every machine?

                                    You should be doing this anyway.

                                    Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

                                    Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

                                    I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

• Dashrender @scottalanmiller

                                      @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                      @notverypunny said in Large network of Windows machines without AD - GO!:

                                      Would something like Zentyal be appropriate?

                                      Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD." 🙂

                                      If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.

                                      Great point - and one I have been waiting for someone to make.

So - which is really the better way to go? Ditch it altogether and try a LANless solution, or an AD alternative?

• scottalanmiller @Dashrender

                                        @Dashrender said in Large network of Windows machines without AD - GO!:

                                        @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                        @Dashrender said in Large network of Windows machines without AD - GO!:

                                        How do you manage and get knowledge that systems are updated?

                                        How do you do it with AD? AD doesn't do any management on its own, nor does it report on this. This is good stuff to have, but awkward to answer in a "how do we ditch X" when you are then asking about Y.

                                        /sigh.. yeah, you're right.

Let me rephrase - using all of the tools that come along with Standard Windows Licensing, and typically seen deployed in an AD environment - how would you do these things without AD/Windows Server/etc.?

                                        That's a very different question. Nothing wrong with moving away from Windows, just it's very different than moving away from AD.

                                        Now, really, Windows doesn't come with much in that vein, either. Group Policy is weak and non-deterministic, only marginally qualifying as "management". WSUS has gotten so bad, it's almost a stumbling block to updates.

                                        All of Group Policy and WSUS functions (other than local caching) can pretty easily be replaced deterministically with something like Salt or Ansible. Even if you have AD, they'd be the way I'd want to tackle those problems.

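The update-status question raised earlier in the thread ("how do you get knowledge that systems are updated?") and the suggestion in this post to replace the WSUS functions with a Salt or Ansible run, as an added example that is not code from the thread or from any poster. It reads the Windows Update Agent's own view of the host through the Microsoft.Update.Session COM API and emits one JSON record per host that the management tool collects; the staleness threshold, the field names and the "critical pending" rule are assumptions.

```powershell
# Added example (not from the thread): per-host update-compliance record built from the
# Windows Update Agent COM API. It only reads the agent's catalogue and history; it does
# not download or install anything.
$ErrorActionPreference = 'Stop'

function Get-UpdateComplianceReport {
    param([int]$MaxAgeDays = 30)   # assumption: a host with no successful install in 30 days is "stale"

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Applicable updates that are not yet installed, as the agent itself sees them.
    $pending = @(foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity        # empty for non-security updates
        }
    })

    # Most recent successful installation from the agent's history
    # (Operation 1 = installation, ResultCode 2 = succeeded).
    $count   = $searcher.GetTotalHistoryCount()
    $history = if ($count -gt 0) { @($searcher.QueryHistory(0, $count)) } else { @() }
    $lastOk  = $history |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending |
        Select-Object -First 1

    $stale = (-not $lastOk) -or ($lastOk.Date -lt (Get-Date).AddDays(-$MaxAgeDays))

    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        CollectedAt           = (Get-Date).ToString('o')
        OsVersion             = [Environment]::OSVersion.Version.ToString()
        PendingCount          = $pending.Count
        PendingCritical       = @($pending | Where-Object { $_.Severity -eq 'Critical' }).Count
        LastSuccessfulInstall = $(if ($lastOk) { $lastOk.Date.ToString('o') } else { $null })
        Stale                 = $stale
        Pending               = $pending
    }
}

# JSON on stdout is what a Salt/Ansible task captures. The fleet-side check then fails
# the host when Stale is true or PendingCritical is greater than zero.
Get-UpdateComplianceReport | ConvertTo-Json -Depth 4
```

This gives the deterministic, per-host answer the post asks for: the record says what the agent believes is still missing and when it last installed anything successfully, which is exactly the report AD cannot produce and WSUS produces unreliably. Triggering the installs themselves is a separate task in the same tool; keeping the two apart makes it obvious when reporting and remediation disagree.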
• scottalanmiller @Dashrender

                                          @Dashrender said in Large network of Windows machines without AD - GO!:

                                          @scottalanmiller said in Large network of Windows machines without AD - GO!:

                                          @Dashrender said in Large network of Windows machines without AD - GO!:

                                          @coliver said in Large network of Windows machines without AD - GO!:

                                          @Dashrender said in Large network of Windows machines without AD - GO!:

                                          Do you have a single admin level account pre-setup on every machine?

                                          You should be doing this anyway.

                                          Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

                                          Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

                                          I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

                                          We do it very often. Small environments, AD is a huge problem.

• scottalanmiller @Dashrender

                                            @Dashrender said in Large network of Windows machines without AD - GO!:

So - which is really the better way to go? Ditch it altogether and try a LANless solution, or an AD alternative?

                                            Really depends. Basically it's LAN-centric vs LANless (LAN-agnostic.) Samba 4 will pretty much give you all the AD features you normally use, plus GPO and the like, but not WSUS, for free. But it becomes only a cost savings, not a change of approach. You are tied to the LAN, whether local or VPN extended, and have all of the headache that that brings still. But you can do things in a traditional way.
