Large network of Windows machines without AD - GO!
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@coliver said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
Do you have a single admin level account pre-setup on every machine?
You should be doing this anyway.
Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....
Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.
I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.
We do it very often. Small environments, AD is a huge problem.
you're environments must just be a disaster then.. I don't have this issue.
In those cases, have you pitched to them to remove AD completely?
-
If you use a service like jumpcloud you can require MFA to do things like login to systems with separate accounts (just like ad) systems need to have an agent installed, but you get the same centralized management and its done locally.
If you want even more features you integrate that with something even more advanced like Okta Advance Server Access which creates groups and sets permission on fly from a centralized location. It is certficate based and allow you to authenticate once with short lived cert, but anytime you call action it reaches out to directory to make sure account still has appropriate permissions.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@marcinozga said in Large network of Windows machines without AD - GO!:
Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 is you go with Samba.
and you didn't include the AAD license. yeah that shit is hella expensive!!! and a major reason why on prem AD continues to stick around.
It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.
It's all ready to go built in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go, that'd you'll end up needing anyways, no building from the ground up. A basic 200-user setup for all the things would be minimal.
It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.
For 200 users, you would just need one person to set it up.
You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't got the on-prem or SAMBA route.
Those system's aren't any more "just ready to go" than SAMBA/Ansible, etc.. you still need IT staff to manage and maintain the AAD stuff, granted after it's initially setup, it might be less maintenance...
But you don't just decide - hey I'm going the AAD/Intune way and just buy licenses and poof it's done, there is a tone of work there to make that stuff work. -
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
-
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
-
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution
yeah I know you can do things like Direct Access, or setup VPNs to the AD stuff, etc.
talk about fragile! -
@Dashrender said in Large network of Windows machines without AD - GO!:
The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution
Not weird at all. Do it all the time. Did it today. AD is designed to work just fine off prem.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution
Not weird at all. Do it all the time. Did it today. AD is designed to work just fine off prem.
I mean I get it - I do it daily as well. My AD servers are at my main location, and we have two remote sites with P2P VPNs and all authentication comes back to the main location, etc.
But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!
IF you can get ZT to work, I suppose that would be awesome, but ZT and AD don't play well together.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution
Not weird at all. Do it all the time. Did it today. AD is designed to work just fine off prem.
I mean I get it - I do it daily as well. My AD servers are at my main location, and we have two remote sites with P2P VPNs and all authentication comes back to the main location, etc.
But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!
IF you can get ZT to work, I suppose that would be awesome, but ZT and AD don't play well together.
AD and on/off-prem isn't the point. AD is lan-based, whether on or off-prem. That doens't matter.
AAD != AD, so different fruit; different tech all the way through.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
because local apps require windows.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
because local apps require windows.
I see. Well you could dish it out to an MSP for super cheap and quit your job!
-
@Dashrender said in Large network of Windows machines without AD - GO!:
But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!
Sure, but there weren't mobile users in your initial example. Nor were any mobile users that might have been overlooked addressed with the existing AD solution.
I agree, that AD and VPN such for mobile users. But the question was about replacing AD, not about addressing something we didn't know about.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
Good thing to look at, but I assume a requirement from somewhere.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
because local apps require windows.
I see. Well you could dish it out to an MSP for super cheap and quit your job!
LOL - it's not my network - someone else asked me - and I figured it was better to have a discussion here.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
because local apps require windows.
I see. Well you could dish it out to an MSP for super cheap and quit your job!
The MSP model is so strong that quite often internal IT can do that... bring so much cost savings to the table that you can stop working (but still get paid) and have an MSP do it all for you and the company makes out. This is actually quite common. It's so easy to do, in fact, that the title "IT Manager" often refers to someone doing this, and they often use a VAR accidentally instead of an MSP and it still works out well enough that people don't catch on.
-
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, i don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on prem LDAP to Okta, but thats still not changing the environement you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
because local apps require windows.
I see. Well you could dish it out to an MSP for super cheap and quit your job!
LOL - it's not my network - someone else asked me - and I figured it was better to have a discussion here.
Ah, i see. There's so many options, and there's no single-size-fits-all option either. So it, as always, depends on the full picture, all things considered IMHO.
