SAMIT: Do You Really Need Active Directory
-
-
My TLDNR answer: No
-
@travisdh1 said in SAMIT: Do You Really Need Active Directory:
My TLDNR answer: No
How do you then manage 100 Windows machines in a company?
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@travisdh1 said in SAMIT: Do You Really Need Active Directory:
My TLDNR answer: No
How do you then manage 100 Windows machines in a company?
Same way you manage any large number of machines, lol. Why does Windows making it particularly challenging? And what management do you feel that you need? AD provides only very basic features, things that 1) few people actually need and 2) that are easy to replicate with other systems.
AD primarily handles passwords. There is absolutely no need for centralized passwords in general, that's an MS AD sales pitch. It wasn't standardly needed in the past, it's not now. It has its place, but it's easy to tackle.
The real question that we always ask is... since we don't know why AD would be needed... what is AD providing that you think is special or unique or needed for management? Why do companies with hundreds or thousands of machines do so without AD and not run into problems? And why do single companies with 100 people but not MSPs with 100s of small clients have different needs?
MSPs are the easy "proof" that AD can't be needed, because they represent large scale Windows deployments far larger than people assume AD is needed, yet can't use AD. So since AD isn't needed or even offered, yet that model performs really well for management, we know that AD can't be needed.
-
@Dashrender the first piece is....
You just don't need any perceived management by default. There is a feeling that you do, because people want to sell you software. So they promote the value of heavy IT control where none is necessarily needed.
You can argue that AD lays the ground work for lots of cool management features. But how often do we really need them? The biggest ones, like SMB shares, are practically built to promote AD rather than being an obvious need. Sure, it's already in place, but you can't look at existing infrastructure and wonder how to remove it, because it's all designed to get you stuck. But look at a fresh deployment, while AD has its place, it should hardly even be your first assumption to look at. Until there is a specific need that it addresses, it's nothing but extra cost.
-
I was able to move away from active directory because the requirements and the way the computers was used had changed. They became more of a kiosk workstations.
-
It's not needed because there are better ways to do it without the AD limitations and vulnerabilities.
For example:
Central identity and access management (AAD, Okta)
Central device policy (and security policy) management (AAD, Intune, Jamf)
Central application deployment, management (Intune, Jamf) -
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@travisdh1 said in SAMIT: Do You Really Need Active Directory:
My TLDNR answer: No
How do you then manage 100 Windows machines in a company?
Same way you manage any large number of machines, lol. Why does Windows making it particularly challenging? And what management do you feel that you need? AD provides only very basic features, things that 1) few people actually need and 2) that are easy to replicate with other systems.
AD primarily handles passwords. There is absolutely no need for centralized passwords in general, that's an MS AD sales pitch. It wasn't standardly needed in the past, it's not now. It has its place, but it's easy to tackle.
The real question that we always ask is... since we don't know why AD would be needed... what is AD providing that you think is special or unique or needed for management? Why do companies with hundreds or thousands of machines do so without AD and not run into problems? And why do single companies with 100 people but not MSPs with 100s of small clients have different needs?
MSPs are the easy "proof" that AD can't be needed, because they represent large scale Windows deployments far larger than people assume AD is needed, yet can't use AD. So since AD isn't needed or even offered, yet that model performs really well for management, we know that AD can't be needed.
Instead of simply attacking my question - why not actually answer it? I was mainly asking this question so you could provide the actual management solutions that MSPs or other huge clients use to manage their fleets of computers without AD.
I.e. - If you don't think centralized password management is needed, then - do all users run as local admin? If not, do the users then have two accounts? and admin and non-admin one? so basically they can still do whatever/whenever they want? If the user doesn't have the local admin account, let's assume this means IT does - how does It manage it?
Is the assumption that instead of AD, RMM is used to manage the computers? Do you not monitor patch levels of devices (RMM can handle that). What is the cost difference between the RMM and AD? I realize that frequently the RMM will have a lot of additional functionality, so you can't directly compare these costs, likely have to add several other tools to AD to get the same functions, so that's added costs as well.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender the first piece is....
You just don't need any perceived management by default. There is a feeling that you do, because people want to sell you software. So they promote the value of heavy IT control where none is necessarily needed.
You can argue that AD lays the ground work for lots of cool management features. But how often do we really need them? The biggest ones, like SMB shares, are practically built to promote AD rather than being an obvious need. Sure, it's already in place, but you can't look at existing infrastructure and wonder how to remove it, because it's all designed to get you stuck. But look at a fresh deployment, while AD has its place, it should hardly even be your first assumption to look at. Until there is a specific need that it addresses, it's nothing but extra cost.
SMB shares is a pretty good example - assuming 100 users, how do you manage the password lists between the PC's and the SMB share (assume a NAS device)? Since you have nothing pushing out driving mappings since you have no centralized authority, this has to be done by hand... so do you make it LANless - create 100 accounts on the NAS and give those accounts to the users where they then manually map a drive? Most NAS don't have an interface that allows the users to change their passwords, so that's another potential pitfall at some point, though could be minor.
I suppose instead of a NAS - you could use Google Drive/OD/ODF4B/Dropbox/NC, etc, and again, create 100 accounts, hand out the creds, and the users have to manage connecting to them themselves... -
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
It's not needed because there are better ways to do it without the AD limitations and vulnerabilities.
For example:
Central identity and access management (AAD, Okta)
Central device policy (and security policy) management (AAD, Intune, Jamf)
Central application deployment, management (Intune, Jamf)Please don't glom onto Scott's whatever it is of my question.
AND - thank you actually answering the question, not just berating me for asking it. The purpose of asking was to get actual answers - again thanks for providing them.
Now the next part is - Many of these options are Super expensive compared to an AD implementation, they could easily be many times the cost - the question is, do they provide many times the value, and does the company agree with that value.
I'm guessing that Scott wouldn't go with ADD/Intune because of costs along - unless a specific feature was needed that came from there and no where else. -
@Dashrender said in SAMIT: Do You Really Need Active Directory:
the question is, do they provide many times the value, and does the company agree with that value.
That completely depends on the needs/values/requirements/policies/etc. I will not tell you yes or no, because as with most things, it depends. In many cases, yes it does if they are what you need and cheaper or free options do not.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Instead of simply attacking my question - why not actually answer it? I was mainly asking this question so you could provide the actual management solutions that MSPs or other huge clients use to manage their fleets of computers without AD.
You can't, that's the issue. Your question implies something... that having 100 machines or larger, with Windows, has some inherent problem that needs to be overcome. There are loads and loads of ways to manage fleets of any OS, including the traditional methods of "do nothing" which are way, way more viable than people realize.
MSPs very often default to this, as wide spread management isn't an option generally for them. It could be, but not with AD. But MSPs handle huge numbers of desktops, without the benefits of AD, quite well. They often have AD in pockets, but in such a way as it is useless for management and actually makes management no better, often harder.
The reason I have to "attack" the question is because it implies that AD was filling a necessary need. But it doesn't. Or it implies that there is something needed to manage larger numbers of computers, but there is not. They need to be managed, but managed as individuals is a completely working and viable option and the right one for tons of businesses.
Tons more will see tools like AD, Salt, MDM, scripts, LDAP, etc. as being even better for them. But as a baseline, no tools are needed to deal with managing a fleet of even thousands of machines.
It's much like RMM and console based AV tools. So many shops believe that they are necessary. But if you remove them... in most cases nothing breaks and everything works just the same as before. RMM tools often provide nothing but useless and noisy alerts, rarely provide good management options that really warrant the extra tooling, look good and feel nice but often don't provide much value beyond a simple inventory, etc. Central AV is odd because there is almost no action for IT to take. If AV catches a problem, it fixes it. Alerting IT to this in most cases just creates background noise - like logging something where no one will read it.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
thank you actually answering the question, not just berating me for asking it.
No, he's pandering. He's letting the implication lead that "something" is needed. But nothing is "needed". All those things are good and have value at times. But central application deployment, central identity, central device policies are all "extras" that can be good, can have value, but are not needs. And also, AD doesn't provide all of those.
Your question implies so much... that AD actually manages systems for example, and that management is needed. His examples act as if AD is something it is not, and that the things AD is not, are necessary.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Many of these options are Super expensive compared to an AD implementation
This isn't necessarily true. AD is anything but cheap. Server infrastructure, Windows server licensing, CALs, managing all of those pieces, etc. AD isn't overly expensive, but it's not cheap either. There are situations where everyone one of the products he mentions is cheaper, and situations where every one (I think) is more expensive. It's not a costly vs. cheap, it's different pricing models.
AD is pretty cheap for an existing Windows server based shop (CALs already purchased) with 100 devices on a single LAN, for a single legal org. But once any piece of that changes (and your example didn't specify that) AD can fall down really quickly... if you don't have enough devices, if you need CALs just for this, if you don't have a single LAN or a single legal entity. Change any factor and AD costs can skyrocket.
Not only can cost skyrocket, but they can make the management overhead actually higher, not lower, than doing nothing at all. It's a far more complex thing to approach than simply throwing out that AD does X, X is needed, what's the alternative. The bottom line is... X isn't necessarily needed, AD doesn't do X, and so an alternative isn't necessarily necessary.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
SMB shares is a pretty good example - assuming 100 users, how do you manage the password lists between the PC's and the SMB share (assume a NAS device)?
The point of mentioning SMB in my example is that it is a service designed around the purpose of selling AD. You fix it by removing services put in for that purpose. Don't use SMB, and suddenly AD seems like a really silly amount of overhead for a lot of shops. And these days, the use of mapped drives is dropping fast, really fast. Even shops without IT oversight are often opting out of it for more modern systems because SMB hasn't met the needs of most modern companies in a decade or even two.
-
So what's your starting point? And I realize that this is almost a trick question, because you coming into an existing environment of 100+ units isn't greenfield, so the starting point is already past.
Let's say we're at 100+ already - have AD, and it's time to start looking at new licensing for that AD - what's your general way of going? I'm guessing you're going to say - it depends - what are the requirements.
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
I think those are the two main things at the PC level I need for HIPAA compliance. or do you disagree with those?
But more things of note for my environment - user needs to be able to log into roughly 60 different computers.
it would be nice that upon logon, as I currently have - shortcuts are setup, printers are setup, Outlook will configure mostly if not entirely automatically. -
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
SMB shares is a pretty good example - assuming 100 users, how do you manage the password lists between the PC's and the SMB share (assume a NAS device)?
The point of mentioning SMB in my example is that it is a service designed around the purpose of selling AD. You fix it by removing services put in for that purpose. Don't use SMB, and suddenly AD seems like a really silly amount of overhead for a lot of shops. And these days, the use of mapped drives is dropping fast, really fast. Even shops without IT oversight are often opting out of it for more modern systems because SMB hasn't met the needs of most modern companies in a decade or even two.
yeah I get that - Google Drive/NC/DropBox - the mobility aspects are nice.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Since you have nothing pushing out driving mappings since you have no centralized authority, this has to be done by hand... so do you make it LANless - create 100 accounts on the NAS and give those accounts to the users where they then manually map a drive?
AD is neither a central authority nor does it "push out" anything. AD does nothing of the sort. We just had this thread...
https://mangolassi.it/topic/21063/anyway-i-can-learn-ad/
@WrCombs said in Anyway I can Learn AD?:
What is Active Directory?
It is literally a directory service. It is called Active because it's a good marketing name, and because individual systems are constantly updating their own information in the directory
AD is a central "white pages" like service where computers and applications on the network can literally "look up" information about computers or users. Like they can look up a users full name, their extension number, or their email address. Very basic in concept, but obviously super useful.
how is it used? (I think I understand this on a basic level)
It's basic fundamental use case is to store a list of computers on your authorized network, and a list of users for those machines. And the one really cool feature is that it can tell a computer on the network if the password it was given for a user is valid.
I worded that carefully. The password is not send to AD, AD doesn't hand out password, etc. AD maintains a list of password hashes and will give a pass/fail response to a node asking if a user is who they say that they are.
That's basically it. AD also maintains a list of groups to which computers and/or users can belong.
That's really it. The moment that you feel AD does something more than "look up" some basic info, some understanding is wrong. It's extremely simple (and powerful) in what it does. Most people associate AD with all kinds of things that aren't AD, but that commonly use AD. AD itself is a very, very simple directory service. It's magic is that it is fast and secure, not that it does anything special.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
SMB shares is a pretty good example - assuming 100 users, how do you manage the password lists between the PC's and the SMB share (assume a NAS device)?
The point of mentioning SMB in my example is that it is a service designed around the purpose of selling AD. You fix it by removing services put in for that purpose. Don't use SMB, and suddenly AD seems like a really silly amount of overhead for a lot of shops. And these days, the use of mapped drives is dropping fast, really fast. Even shops without IT oversight are often opting out of it for more modern systems because SMB hasn't met the needs of most modern companies in a decade or even two.
yeah I get that - Google Drive/NC/DropBox - the mobility aspects are nice.
Yes, and today most companies have some portion that is mobile that expects to "just work" because it does for everyone else. SMB makes a "just doesn't work" for most mobile users and in many ways just doesn't fit in the majority of the modern world. The only cases where we still see it are clinics where it is just "in clinic data" and AD is of no use even with that SMB, or in legacy situations where they want to phase it out and just need time.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
So what's your starting point? And I realize that this is almost a trick question, because you coming into an existing environment of 100+ units isn't greenfield, so the starting point is already past.
Right, designing a company to not need AD is typically trivial. Moving an AD-entrenched company off of AD is often difficult because workflows and everything else are based around how AD works and systems that AD has tendrils into are often deployed (GPO, SMB, etc.)
