    Large network of Windows machines without AD - GO!

    IT Discussion
    68 Posts 10 Posters 3.1k Views
    • Dashrender @scottalanmiller

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      @coliver said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      Do you have a single admin level account pre-setup on every machine?

      You should be doing this anyway.

      Well, you get this through normal AD, and I've only ever used an AAD account to add machines to AAD, and that user does then get local admin, but beyond that....

      Not local accounts. And with AD, we always have local, too, because AD tends to be fragile.

      I haven't failed back to a local account for an AD joined computer in I don't know how long - probably more than 8 years. And if that happened today - I'm not sure I'd do it at all - I'd just wipe and reload.

      We do it very often. Small environments, AD is a huge problem.

      Your environments must just be a disaster then... I don't have this issue.

      In those cases, have you pitched to them to remove AD completely?

    • IRJ

      If you use a service like JumpCloud you can require MFA to do things like log in to systems with separate accounts (just like AD). Systems need to have an agent installed, but you get the same centralized management and it's done locally.

      If you want even more features you integrate that with something even more advanced like Okta Advanced Server Access, which creates groups and sets permissions on the fly from a centralized location. It is certificate based and allows you to authenticate once with a short-lived cert, but any time you call an action it reaches out to the directory to make sure the account still has appropriate permissions.

    • Dashrender @Obsolesce

          @Obsolesce said in Large network of Windows machines without AD - GO!:

          @Dashrender said in Large network of Windows machines without AD - GO!:

          @marcinozga said in Large network of Windows machines without AD - GO!:

      Intune is $6/user/month, so at 200 users you're looking at $14,400 annually. Windows Server 2019 Standard license is $800 and $8000 for user CALs, or $0 if you go with Samba.

      And you didn't include the AAD license. Yeah, that shit is hella expensive!!! And a major reason why on-prem AD continues to stick around.

      It's way less than having an extra IT Admin / engineer hanging around to set up and manage all the SAMBA, Ansible, on-prem, etc., crap involved in taking care of every single point.

      It's all ready to go built-in management, administration, app deployment / user management / policy / compliance / reporting / updating, LANless/Global/distributed/mobile, such a huge damn list of things all ready to go that you'll end up needing anyways, no building from the ground up. A basic 200-user setup for all the things would be minimal.

      It's not a simple "oh just install ansible and samba". That will take a ton of work to build the entire environment unless you use something like others mentioned like Zentyal if you really want to keep the on-prem mindset going.

      For 200 users, you would just need one person to set it up.

      You could use ansible or something, but I'm telling you that'd be a huge PITA for a full Windows environment. I wouldn't go the on-prem or SAMBA route.

      Those systems aren't any more "just ready to go" than SAMBA/Ansible, etc. You still need IT staff to manage and maintain the AAD stuff; granted, after it's initially set up, it might be less maintenance...
      But you don't just decide "hey, I'm going the AAD/Intune way" and just buy licenses and poof it's done; there is a ton of work there to make that stuff work.

    • IRJ @Obsolesce

            @Obsolesce said in Large network of Windows machines without AD - GO!:

      At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, I don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.

      Yes, you can sync your on-prem LDAP to Okta, but that's still not changing the environment; you are still basically using AD.

    • Obsolesce @IRJ

      @IRJ said in Large network of Windows machines without AD - GO!:

      Yes, you can sync your on-prem LDAP to Okta, but that's still not changing the environment; you are still basically using AD.

              I was under the impression no on-prem stuff like that.

    • scottalanmiller @Obsolesce

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      I was under the impression no on-prem stuff like that.

                AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.

    • Dashrender @scottalanmiller

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.

                  To me this basically breaks down to LAN-centric or LANless...

    • scottalanmiller @Dashrender

      @Dashrender said in Large network of Windows machines without AD - GO!:

      To me this basically breaks down to LAN-centric or LANless...

                    Right, which can both be on or off prem.

    • Dashrender @scottalanmiller

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      To me this basically breaks down to LAN-centric or LANless...

      Right, which can both be on or off prem.

      The idea of AD off-prem is weird... so I don't really consider AD an off-prem solution.

      Yeah, I know you can do things like DirectAccess, or set up VPNs to the AD stuff, etc.
      Talk about fragile!

    • scottalanmiller @Dashrender

                        @Dashrender said in Large network of Windows machines without AD - GO!:

                        The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution

                        Not weird at all. Do it all the time. Did it today. AD is designed to work just fine off prem.

    • Dashrender @scottalanmiller

                          @scottalanmiller said in Large network of Windows machines without AD - GO!:

                          @Dashrender said in Large network of Windows machines without AD - GO!:

                          The idea of AD off prem is - weird... so I don't really consider AD an off-prem solution

                          Not weird at all. Do it all the time. Did it today. AD is designed to work just fine off prem.

                          I mean I get it - I do it daily as well. My AD servers are at my main location, and we have two remote sites with P2P VPNs and all authentication comes back to the main location, etc.

                          But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!

      If you can get ZT to work, I suppose that would be awesome, but ZT and AD don't play well together.

    • Obsolesce @scottalanmiller

      @scottalanmiller said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      To me this basically breaks down to LAN-centric or LANless...

      Right, which can both be on or off prem.

                            Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.

                            Just looking at that and the 200 Windows devices... no other considerations....

                            Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.

    • Obsolesce @Dashrender

      @Dashrender said in Large network of Windows machines without AD - GO!:

      I mean I get it - I do it daily as well. My AD servers are at my main location, and we have two remote sites with P2P VPNs and all authentication comes back to the main location, etc.

      But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!

      If you can get ZT to work, I suppose that would be awesome, but ZT and AD don't play well together.

      AD and on/off-prem isn't the point. AD is LAN-based, whether on or off-prem. That doesn't matter.

      AAD != AD, so different fruit; different tech all the way through.

    • Dashrender @Obsolesce

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.

      Just looking at that and the 200 Windows devices... no other considerations....

      Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.

      Because local apps require Windows.

    • Obsolesce @Dashrender

      @Dashrender said in Large network of Windows machines without AD - GO!:

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.

      Because local apps require Windows.

                                  I see. Well you could dish it out to an MSP for super cheap and quit your job!

    • scottalanmiller @Dashrender

                                    @Dashrender said in Large network of Windows machines without AD - GO!:

                                    But this solution just sucks when it comes to really mobile users. VPNs that users have to manage just suck!

      Sure, but there weren't mobile users in your initial example. Nor were any mobile users that might have been overlooked addressed with the existing AD solution.

      I agree that AD and VPN suck for mobile users. But the question was about replacing AD, not about addressing something we didn't know about.

    • scottalanmiller @Obsolesce

                                      @Obsolesce said in Large network of Windows machines without AD - GO!:

                                      Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.

                                      Good thing to look at, but I assume a requirement from somewhere.

    • Dashrender @Obsolesce

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      @Dashrender said in Large network of Windows machines without AD - GO!:

      Because local apps require Windows.

      I see. Well you could dish it out to an MSP for super cheap and quit your job!

                                        LOL - it's not my network - someone else asked me - and I figured it was better to have a discussion here.

    • scottalanmiller @Obsolesce

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      I see. Well you could dish it out to an MSP for super cheap and quit your job!

                                          The MSP model is so strong that quite often internal IT can do that... bring so much cost savings to the table that you can stop working (but still get paid) and have an MSP do it all for you and the company makes out. This is actually quite common. It's so easy to do, in fact, that the title "IT Manager" often refers to someone doing this, and they often use a VAR accidentally instead of an MSP and it still works out well enough that people don't catch on.

    • Obsolesce @Dashrender

      @Dashrender said in Large network of Windows machines without AD - GO!:

      @Obsolesce said in Large network of Windows machines without AD - GO!:

      I see. Well you could dish it out to an MSP for super cheap and quit your job!

      LOL - it's not my network - someone else asked me - and I figured it was better to have a discussion here.

      Ah, I see. There are so many options, and there's no single-size-fits-all option either. So it, as always, depends on the full picture, all things considered IMHO.
