SAMIT: Do You Really Need Active Directory
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
So what's your starting point? And I realize that this is almost a trick question, because you coming into an existing environment of 100+ units isn't greenfield, so the starting point is already past.
Right, designing a company to not need AD is typically trivial. Moving an AD-entrenched company off of AD is often difficult because workflows and everything else are based around how AD works and systems that AD has tendrils into are often deployed (GPO, SMB, etc.)
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Let's say we're at 100+ already - have AD, and it's time to start looking at new licensing for that AD - what's your general way of going? I'm guessing you're going to say - it depends - what are the requirements.
Correct, it depends. And often we keep AD in those cases, because while it might not be ideal, it's often too costly to remove. Or the removal process will take "generations" in IT terms.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I'm assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
-
After reading this I have a few questions as well. Hopefully the answers will be a benefit to this topic. I don't have a use-case so this is just in theory if possible. To me I think PowerShell would be a good way to do a lot of this but I'm not an admin so want to hear others' opinions also.
- What is the best way to handle accounts without Ad?
- What are alternatives to typical AD tasks?
- Is there a good directory service alternative to AD?
- Can I use Windows Admin Center for a lot of this?
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
I think those are the two main things at the PC level I need for HIPAA compliance. or do you disagree with those?
I agree that you need them and that they are good things. But they aren't things requiring, or suggesting, any centralization.
-
@jmoore said in SAMIT: Do You Really Need Active Directory:
> 1. What is the best way to handle accounts without Ad?
This is very broad. The best way for most shops is "do nothing". Most companies "manage accounts" because they were told this is why they needed AD, and they bought AD, so they need to do it to justify it. But generally you don't need to do this. AD doesn't provide this benefit for us as an MSP, and we don't need it, so that's a good example of just not having it. Obviously accounts DO need to be managed, but just locally on machines is really fast and easy. I do this all day, every day, and it is often faster to do it locally than to even access an AD server.
But if you need account management, you can use CMD or PS scripts, you can use tools like RMM, you can use state machines like Salt or Ansible, you can use online services like AzureAD or Centrify.
> 2. What are alternatives to typical AD tasks?
AD itself doesn't have any typical tasks. Other than what you mention otherwise... looking up passwords and group membership. Those things are done on the local machine natively when AD is removed. So for the actual tasks associated with AD proper, just disable AD and they shift to the local machine where half of them were done anyway even with AD.
All tasks that people associate with AD are still available without AD. If you are thinking SMB shares, those still work without AD. If you are thinking GPO, that still is available without AD. What are you feeling are "AD tasks"? Most AD tasks are... managing AD, which is obviously unneeded without AD.
> 3. Is there a good directory service alternative to AD?
AD is just a copy of LDAP. There are many free and non-free LDAP options. Although you'd be hard pressed to come up with why you'd choose LDAP without AD, when AD has free options (Samba's AD is 100% free.) So once you are trying to replicate AD, you'd just use AD. The question really doesn't make sense in a local mode... the question should be "why do you need a directory service?" Because this is rarely used today, AD kind of fell flat on this one and most people ignore this functionality.
If you really need it, you have to define what for. You could use a shared notepad, a service like AzureAD, any number of things. But since this isn't a predictable use case, we'd have to know exactly what you are trying to use directory services for. For example, NTG uses a wiki page listing people's phone numbers. It's faster and easier than pulling those phone numbers from AD's directory.
> 4. Can I use Windows Admin Center for a lot of this?
No, it depends on AD. WAC, like SMB and GPO, is meant to sell AD.
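The account handling this answer describes (local accounts managed with PS scripts rather than through AD) looks like the following in practice. This is an added example, not code from the thread or from anyone posting in it. It assumes PowerShell Remoting (WinRM) is enabled on each PC, that the PCs are listed in the admin workstation's TrustedHosts (there is no Kerberos without AD), and that one local administrator credential works on all of them; the host names, user names and function names are constructed placeholders.

```powershell
# Added example (not from the thread): the basic account lifecycle on a set of
# workgroup PCs, done with the built-in LocalAccounts cmdlets over PowerShell
# Remoting instead of through AD. Host and user names are constructed.

$computers = @('PC-RECEPTION', 'PC-EXAMROOM1', 'PC-BILLING')   # constructed list
$cred      = Get-Credential -Message 'Local administrator account used on every PC'

function New-StaffAccount {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string]   $FullName,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    # Prompt once; the SecureString travels to each machine inside the session.
    $pw = Read-Host -AsSecureString "Initial password for $UserName"

    Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
        param($u, $f, $p)
        if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) {
            "$env:COMPUTERNAME: $u already exists, skipping"
            return
        }
        # Standard user only; nothing here grants Administrators membership.
        New-LocalUser -Name $u -FullName $f -Password $p | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $u
        "$env:COMPUTERNAME: created $u"
    } -ArgumentList $UserName, $FullName, $pw
}

function Disable-StaffAccount {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    # Offboarding: disable rather than delete, so the profile stays for review.
    Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
        param($u)
        $acct = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
        if (-not $acct)         { "$env:COMPUTERNAME: $u not present"; return }
        if (-not $acct.Enabled) { "$env:COMPUTERNAME: $u already disabled"; return }
        Disable-LocalUser -Name $u
        "$env:COMPUTERNAME: disabled $u"
    } -ArgumentList $UserName
}

function Get-StaffAccountReport {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    # Who has an account where, and who is a local admin, pulled from each machine.
    Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
        $admins = Get-LocalGroupMember -Group 'Administrators' |
                  Select-Object -ExpandProperty Name
        Get-LocalUser | ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                User         = $_.Name
                Enabled      = $_.Enabled
                LastLogon    = $_.LastLogon
                IsLocalAdmin = $admins -contains "$env:COMPUTERNAME\$($_.Name)"
            }
        }
    }
}

# Usage:
# New-StaffAccount -UserName 'jdoe' -FullName 'Jane Doe' -ComputerName $computers
# Disable-StaffAccount -UserName 'jdoe' -ComputerName $computers
# Get-StaffAccountReport -ComputerName $computers | Format-Table -AutoSize
```

The report function is the part worth keeping around: a periodic list of enabled accounts and local-admin membership per machine is the review that gets asked for, and it comes straight from each PC with no central database to keep in sync.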
-
I don't want to make AD sound bad, it isn't. It's a great tool, but just one of many tools for doing tasks that many people don't need done. A circular saw is a great tool for certain tasks, but the average person needs no saw at all, and people who are sawing only need a circular saw part of the time. It's great for cutting lumber lengths, but terrible at removing tree limbs, and doesn't knit at all.
One of the key problems with AD is circular reasoning. "We need AD, because we want what AD does, we want what AD does, because we paid for AD" and around we go. If you remove AD (greenfield) from the design, often all of the needs for AD disappear with it. The moment you add AD, AD is needed. So if you accidentally include the "needs created by having AD" in your design, because most people have been taught to do this, then AD is the obvious answer. But if you leave out those pieces, it's often unclear why AD even comes up.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I'm assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
It meets the requirements. Are you saying that your auditor will require that you run a quick PowerShell script instead? One, that seems to make no sense. And two, that's such an easy fix that it's not worth mentioning.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
and they still passed your audit?
At what point do you file a fraud case against them for intentionally working to sell you services that aren't related to what they are auditing?
Your issue isn't with HIPAA, but with a belief that a crooked auditor will try to extort you and that it is better to roll over and do something unnecessary because the auditors are really Microsoft salespeople. I find it unlikely that an auditor would risk their careers over something so trivial, especially as it could easily turn into a criminal case.
-
I think it is safe to assume that assuming an auditor will make up a requirement that isn't suggested and doesn't exist, and then building your infrastructure around that assumption, makes little sense. You could use that logic to do absolutely anything.
This is such a trivial thing to work around, and doctors do this every day. To assume that your auditor will make your HIPAA requirements different than the rest of the world... is a bizarre assumption unless you know you are dealing with a criminal and aren't taking the necessary legal action, but in that case, they will just find something else to extort you over.
But even if the auditor decides to require this, there is no reason to assume AD is the solution. AD doesn't do anything for AV or updates in fact. So how that helps the auditor, I have no idea.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
I think it is safe to assume that assuming an auditor will make up a requirement that isn't suggested and doesn't exist, and then building your infrastructure around that assumption, makes little sense. You could use that logic to do absolutely anything.
This is such a trivial thing to work around, and doctors do this every day. To assume that your auditor will make your HIPAA requirements different than the rest of the world... is a bizarre assumption unless you know you are dealing with a criminal and aren't taking the necessary legal action, but in that case, they will just find something else to extort you over.
But even if the auditor decides to require this, there is no reason to assume AD is the solution. AD doesn't do anything for AV or updates in fact. So how that helps the auditor, I have no idea.
OK OK OK - you win.. I'm clearly overthinking this. They can't require a way to get the information - so if I want them to get it by visiting every machine - that's my prerogative.
Though as you said - a PS script can do it (and well, we assume as IT we have the local admin account password so we can do this at a network level - alright... )
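The "quick PowerShell script" mentioned a few posts up, which gathers the AV and update status the audit discussion is about from every PC over the network with the local admin account, could look like this. This is an added example, not code from the thread or from anyone posting in it. It assumes PowerShell Remoting (WinRM) is enabled on each PC, that the PCs are in the admin workstation's TrustedHosts (no Kerberos without AD), and that the built-in Defender is the AV in use; host names and the "needs attention" thresholds are the example's own choices.

```powershell
# Added example (not from the thread): collect Defender and Windows Update
# status from a list of workgroup PCs for an auditor, with no domain involved.
# Host names below are constructed placeholders.

$computers = @('PC-RECEPTION', 'PC-EXAMROOM1', 'PC-BILLING')   # constructed list
$cred      = Get-Credential -Message 'Local administrator account used on every PC'

$report = Invoke-Command -ComputerName $computers -Credential $cred -ErrorAction Continue -ScriptBlock {
    # Defender state straight from the OS; no third-party AV agent involved.
    $mp = Get-MpComputerStatus

    # Last successfully installed update, from the local Windows Update history.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $lastOk   = $null
    if ($count -gt 0) {
        $lastOk = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 -and $_.Operation -eq 1 } |  # 2 = succeeded, 1 = installation
            Sort-Object Date -Descending | Select-Object -First 1
    }
    $lastDate  = if ($lastOk) { $lastOk.Date }  else { $null }
    $lastTitle = if ($lastOk) { $lastOk.Title } else { 'none recorded' }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AntivirusEnabled    = $mp.AntivirusEnabled
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        SignatureAgeDays    = $mp.AntivirusSignatureAge
        SignatureUpdated    = $mp.AntivirusSignatureLastUpdated
        LastUpdateInstalled = $lastDate
        LastUpdateTitle     = $lastTitle
    }
}

# Flag what an auditor would ask about: AV off, stale signatures, or no update
# installed in the last 30 days. The 7-day and 30-day thresholds are this
# example's own choice, not a HIPAA figure.
$report | ForEach-Object {
    $_ | Add-Member -NotePropertyName NeedsAttention -NotePropertyValue (
        -not $_.AntivirusEnabled -or
        -not $_.RealTimeProtection -or
        $_.SignatureAgeDays -gt 7 -or
        -not $_.LastUpdateInstalled -or
        $_.LastUpdateInstalled -lt (Get-Date).AddDays(-30)
    ) -PassThru
} | Sort-Object NeedsAttention -Descending |
    Export-Csv -Path .\endpoint-status.csv -NoTypeInformation
```

Machines that are off or unreachable simply do not appear in the CSV (the `-ErrorAction Continue` lets the rest finish), so the list of PCs that were asked should be kept alongside the output; the gap between the two is itself something the auditor will want explained.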
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I'm assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
AD doesn't provide this... Am I missing something?
-
Thanks for the reply Scott. Some of my perceptions are based on the way things are done here but I am always trying to learn better methods. In my looking for a better position I'm trying to be as informed as possible and have a good grasp on alternative methods.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@jmoore said in SAMIT: Do You Really Need Active Directory:
> 1. What is the best way to handle accounts without Ad?
This is very broad. The best way for most shops is "do nothing". Most companies "manage accounts" because they were told this is why they needed AD, and they bought AD, so they need to do it to justify it. But generally you don't need to do this. AD doesn't provide this benefit for us as an MSP, and we don't need it, so that's a good example of just not having it. Obviously accounts DO need to be managed, but just locally on machines is really fast and easy. I do this all day, every day, and it is often faster to do it locally than to even access an AD server.
What do you use to sync accounts and passwords between the computer and services such as storage, email, and whatever other services require login?
For example:
Local computer login
Email
Git*
Intranet/company portal
etc.
How do you handle 2FA centrally for all services?
What about password changes, what do you use to sync their local computer password with other services and enforce 2FA if there are these requirements?
Or, is it that you are saying to keep everything separate and let all employees manage their own accounts everywhere?
-
I think the confusion here lies with the fact that when talking about AD, there's an assumption that of all of what AD DS is and typically includes in the bucket such as Group Policy, MS DNS, etc... When you have MS AD DS, you will have Group Policy and such, so that's a part of having it.
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
But yes, AD, by itself, is just a database that stores "objects".
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
I think the confusion here lies with the fact that when talking about AD, there's an assumption that of all of what AD DS is and typically includes in the bucket such as Group Policy, MS DNS, etc... When you have MS AD DS, you will have Group Policy and such, so that's a part of having it.
Exactly, which is why I keep referencing what it is and isn't and saying that it doesn't do those things. We just had this discussion yesterday in the "learning AD" thread and covered how little AD does.
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
I understand what you're saying because on Windows you can run
gpedit.msc
and get your local computer GP system. The gotcha is no one in the world is using the local workstation settings for this, they are all using GPO Editor from an AD Server to push broad settings out.
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
What do you use to sync accounts and passwords between the computer and services such as storage, email, and whatever other services require login?
Why do you feel a need to do this, though? There is an obvious assumption, that generally stems from AD, that we want or even need this, when in fact, it's often not even desirable let alone a requirement.
If you do need it, AD doesn't do this for me anyway, so clearly AD replacement alone isn't enough. AD doesn't provide this today (nothing does just as a blanket) so why would something else suddenly need to? If you really need single sign in everywhere, you have to address that on a unique case by case basis and see what tools work at all, let alone work well, for your specific scenario. But AD is actually quite bad at this given its LAN-assumption architecture, it's one of the worst, rather than best, approaches.
But it's going back to the basics.... we keep approaching the problem from assumptions that are derived from AD.