SAMIT: Do You Really Need Active Directory
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
If that's not the case - then I really cant envision Scott's typical ideal setup?
DING DING DING
There is no ideal setup. IT isn't a checkbox. There can't be, IT would have no purpose if there was a single ideal setup. IT is a business endeavor. The moment that there is one ideal setup, you don't need IT at all, there is one script to follow and a monkey could do it.
IT is complex and creative. We are like any business people... we are given problems, and we work to best solve them. Thinking that there is one solution to rule them all will always cause confusion and disaster.
You can certainly find prototype solutions that work for common scenarios really well. AD + GPO + LAN + SMB is one of those sample sets, it's easy to produce contrived environmental examples where that is a really great fit, and trivial to show contrived ones where it is absolutely insane. It's pretty trivial to show any example falling down somewhere. Which is not a bad thing, it just demonstrates that there can't be a single solution and we shouldn't seek one.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical chairs daily - now what?
We've covered this before, but...
1. Now you are adding more and more "trying to find a situation where AD is valuable." That you have to keep making it more and more specific is proving the point that it is not blanket valuable. No one is arguing that it has a use case, it's that it isn't anywhere close to being an "always" or a "requirement" or possibly even the majority case. That people need to move around an office falls under "common" but "far short of average." It's not niche, but it is a minority case.
2. This is specifically AD's strong suit, no question. This is specifically what it was built for, mobile workers on a single LAN, on Windows homogeneously. Make it not any of those things, and it all falls apart to quite a degree. A niche in today's world.
3. You can do this with scripts, it's not nearly as hard as people think. If this is your environment, you can build scripts to do this really quickly. In fact, I bet you can automate this without AD faster than you can with AD. We have O365 customers where we have to automate this and yes, that's harder than AD automation, but it's a million times worse than local scripts. Scripts always sound like a kludge, but really, what's AD other than tons of really good, well reviewed scripts (basically.)
4. There are third party products that do this well. Basically doing #3 for you.
5. Salt / Ansible and their ilk provide built in mechanisms for this.
6. If your users go off network, how does AD handle it? It doesn't, it falls down.
7. MDM products could have this, I assume some do, but I've not looked.
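A worked example, added here and not taken from any post in the thread, of what the "scripts" option in the post above looks like in PowerShell: one run creates the same set of local accounts on every desktop in a list and reports, per machine, whether it worked. The machine list (desktops.txt), the user CSV (users.csv) and the admin credential are assumptions; the thread names none of them. Two caveats the post does not spell out: identical local accounts on 100 machines are exactly the shared-credential footprint a directory was built to remove (a password recovered from one desktop is valid on all of them), so the accounts go into Users only and the initial password is forced to change at first logon; and every password change afterwards is another fan-out, not a single directory write.

```powershell
# Added example (not from the thread): provision the same local user accounts on
# every desktop in a list over PowerShell Remoting and collect a per-machine
# pass/fail report. Assumptions (not stated in the thread): WinRM is enabled on
# the desktops, the caller holds a local admin credential valid on all of them,
# and the desired users live in users.csv with columns Name,FullName,Group.
# Passwords are NOT stored in the CSV: one random initial password is generated
# per run and each new account must change it at first logon.

$computers = Get-Content -Path .\desktops.txt | Where-Object { $_.Trim() }   # assumed file, one host per line
$users     = Import-Csv -Path .\users.csv                                    # assumed file: Name,FullName,Group
$cred      = Get-Credential -Message 'Local admin on the desktops'

# Per-run initial password from a CSPRNG; hand it to users out of band, it dies at first logon.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$payload = {
    param($UserList, [securestring]$InitialPassword)
    foreach ($u in $UserList) {
        try {
            if (-not (Get-LocalUser -Name $u.Name -ErrorAction SilentlyContinue)) {
                New-LocalUser -Name $u.Name -FullName $u.FullName -Password $InitialPassword | Out-Null
                # Set-LocalUser has no "must change at next logon" flag; net user does.
                net user "$($u.Name)" /logonpasswordchg:yes | Out-Null
                $action = 'created'
            } else {
                $action = 'exists'
            }
            # Idempotent group membership. Keep roaming staff in Users, never Administrators:
            # a shared local admin password on 100 machines is a lateral-movement gift.
            if (-not (Get-LocalGroupMember -Group $u.Group -Member $u.Name -ErrorAction SilentlyContinue)) {
                Add-LocalGroupMember -Group $u.Group -Member $u.Name
            }
            [pscustomobject]@{ User = $u.Name; Action = $action; Ok = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ User = $u.Name; Action = 'failed'; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

$report = Invoke-Command -ComputerName $computers -Credential $cred -ScriptBlock $payload `
                         -ArgumentList $users, $initial -ErrorAction SilentlyContinue -ErrorVariable unreachable

# Hosts that never answered are failures too; a GPO would simply stay silent about them.
$report = @($report) + @($unreachable | ForEach-Object {
    [pscustomobject]@{ PSComputerName = $_.TargetObject; User = '*'; Action = 'unreachable'; Ok = $false; Error = $_.Exception.Message }
})

$report | Select-Object PSComputerName, User, Action, Ok, Error |
    Export-Csv -Path .\provision-report.csv -NoTypeInformation
$report | Where-Object { -not $_.Ok } | Format-Table PSComputerName, User, Action, Error -AutoSize
```

The SecureString travels to the remote side encrypted with the remoting session key, so the initial password never appears in the transcript or the report; the CSV only records who was created where and which hosts need a second pass.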
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
So, if you get rid of AD, you'll also be getting rid of Group Policy and whatever else is in use with it. So, you'll not just be replacing AD and that's it, typically.
That's not correct, though. GPO exists without AD. It's part of Windows itself. You can, and still do, use it even when AD isn't there. That's part of the continuing myth that not only the part you point out that AD doesn't do what people think, but the second part is that the things that people think depend on AD, don't actually. SMB, GPO, etc. they all keep working without AD.
Right, but you know I wasn't talking about Local group policy.
Then the point becomes moot because getting rid of non-local group policy doesn't matter, as you still have group policy.
If you only meant AD, what was the point of the statement? It basically says "without AD, you don't have AD", back to my point of being circular. Consistently the argument seems to be "AD for AD's sake".
you don't have centrally managed Group Policy - but your retort is that you can - just use salt or ansible or RMM, right?
My retort is that state machines can be used to set GPO, or they can be used to bypass GPO. They can meet the "goal" requirements, and/or they can meet the "interim assumed approach". They cover both bases.
-
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
These are great "change it all" approaches. Which when thinking at the goal level is ideal... don't try to make old assumptions work.
This is more of a greenfield thinking approach. If we approach more brownfield, we can still keep a lot of the existing file shares and working models, without needing AD to handle the passwords. Meaning, we can retain desktop security in a similar way if we need to. Or we can abandon as many now do.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
If that's not the case - then I really cant envision Scott's typical ideal setup?
DING DING DING
There is no ideal setup. IT isn't a checkbox. There can't be, IT would have no purpose if there was a single ideal setup. IT is a business endeavor. The moment that there is one ideal setup, you don't need IT at all, there is one script to follow and a monkey could do it.
IT is complex and creative. We are like any business people... we are given problems, and we work to best solve them. Thinking that there is one solution to rule them all will always cause confusion and disaster.
You can certainly find prototype solutions that work for common scenarios really well. AD + GPO + LAN + SMB is one of those sample sets, it's easy to produce contrived environmental examples where that is a really great fit, and trivial to show contrived ones where it is absolutely insane. It's pretty trivial to show any example falling down somewhere. Which is not a bad thing, it just demonstrates that there can't be a single solution and we shouldn't seek one.
low slow breath... yes.. I know.. words.. you took them 100% literal and this is where you wound up.
For the record - ideal in this situation was never to suggest only, or even most, just an ideal setup where AD isn't involved at all, yet the workstations are managed - or not, because apparently there are situations where the end user device doesn't need to be managed at all.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical chairs daily - now what?
We've covered this before, but...
- Now you are adding more and more "trying to find a situation where AD is valuable." That you have to keep making it more and more specific is proving the point that it is not blanket valuable. No one is arguing that it has a use case, it's that it isn't anywhere close to being an "always" or a "requirement" or possibly even the majority case. That people need to move around an office falls under "common" but "far short of average." It's not niche, but it is a minority case.
Perhaps you think I'm taking the side where I believe that AD should be deployed more often than not - FYI, I'm not.
But you are correct - I'm definitely primarily coming at this conversation from my own environment - and trying to find solutions to my problems specifically to be solved if I ditched AD and GPO and SMB - not sure I could ditch LAN - I have printers that are shared (I suppose some printers could have their own authentication setup and they too become LANless).
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@coliver said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
We'll use my office then for requirements - must be HIPAA compliant. So I have to show that AV is installed (and I'm assuming I have to show it's getting updates - but maybe I don't HAVE to), I'm pretty sure I have to show that updates are being applied.
AV is part of the OS. There's really nothing to show. You'd have to have removed it. And updates are automatic, again, you'd have to have disabled them. If you are audited, each machine shows you the status. That's trivial.
So you've been through an audit and the auditor allowed you to say - and to see the status of each machine's AV level - we'll be going around to every machine now - and they still passed your audit?
AD doesn't provide this... Am I missing something?
We were well beyond just AD at that point.
We don't seem to be, the questions keep coming back to "how do I do something without AD, that AD never did".
and yet some are missing the point that the masses are talking about all the components, not just the directory service - but central admin of settings - that's probably the big two.
centralized authentication so that local user DBs don't need to be managed
centralized settings admin, again, so local settings don't have to be managed
Well the purpose of the video and thread is to educate the masses. The masses are confused. They are confused about what they need (goals) and how to achieve them and even what they have currently. The masses can't be helped if they refuse to be helped.
The masses need to understand that seeing local user lists not being managed is not a goal and is a failure as an approach. As long as the masses don't use goal level thinking, they will never approach problem solving correctly. They are focused on means, not ends. That's always wrong. The end goal would be to make user management easy. If you ignore what is often the easiest option, of course they are lost. They rule out whatever ends doesn't meet the means that they want to use.
Local settings is the same. Why do they care where they manage them instead of caring if goals are met?
The masses focus on "means", good IT focuses on "ends". Solve a problem, meet a goal. How you get there doesn't matter. The ends always justify the means. The common phrase of the ends don't justify the means is wrong, it assumes that people can't determine what the ends are.
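The "each machine shows you the status" point above is easy to turn into auditor-ready evidence instead of a walk around the office. The following is an added example, not code from the thread or from any of its participants: it pulls Microsoft Defender and patch state from every desktop in a list over PowerShell Remoting, scores each row against thresholds, and writes one timestamped CSV. The hostname file, the credential and the two threshold values are assumptions; set the thresholds to whatever your own HIPAA risk analysis actually says, and keep the CSVs, because the series over time is what demonstrates the control is operating rather than merely present.

```powershell
# Added example (not from the thread): collect "is AV on and current, are updates
# applied" evidence from every desktop in a list into one timestamped CSV.
# Assumptions (not in the thread): Windows 10/11 with Microsoft Defender as the AV
# (the "AV is part of the OS" case), WinRM enabled, an admin credential valid on
# the desktops, hostnames in .\desktops.txt, and the two thresholds below.

$computers       = Get-Content -Path .\desktops.txt | Where-Object { $_.Trim() }
$cred            = Get-Credential -Message 'Local admin on the desktops'
$maxSigAgeDays   = 3     # assumed policy value
$maxPatchAgeDays = 45    # assumed policy value

$collect = {
    $mp  = Get-MpComputerStatus                                             # Defender engine / signature / RTP state
    $fix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    # Pending updates via the Windows Update Agent COM API (what the Settings UI would show).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    [pscustomobject]@{
        Collected          = (Get-Date).ToString('s')
        OSBuild            = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        AVEnabled          = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMRunningMode      = $mp.AMRunningMode            # 'Normal' vs 'Passive' when another AV took over
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        LastQuickScan      = $mp.QuickScanEndTime
        LastHotfix         = $fix.HotFixID
        LastHotfixDate     = $fix.InstalledOn
        PendingUpdates     = $pending
    }
}

$rows = Invoke-Command -ComputerName $computers -Credential $cred -ScriptBlock $collect `
                       -ErrorAction SilentlyContinue -ErrorVariable failed

# Score each row now; a failing row is a finding you fix this week, not a surprise at audit time.
$evidence = foreach ($r in $rows) {
    $problems = @()
    if (-not $r.AVEnabled -or -not $r.RealTimeProtection)            { $problems += 'AV off' }
    if ($r.AMRunningMode -ne 'Normal')                                 { $problems += "Defender mode $($r.AMRunningMode)" }
    if ($r.SignatureAgeDays -gt $maxSigAgeDays)                        { $problems += 'stale signatures' }
    if ($r.LastHotfixDate -lt (Get-Date).AddDays(-$maxPatchAgeDays))   { $problems += 'no recent patch' }
    $r | Add-Member -NotePropertyName Compliant -NotePropertyValue ($problems.Count -eq 0) -PassThru |
         Add-Member -NotePropertyName Findings  -NotePropertyValue ($problems -join '; ')   -PassThru
}
# Unreachable hosts are findings too: to an auditor, no evidence is the same as bad evidence.
$evidence = @($evidence) + @(foreach ($e in $failed) {
    [pscustomobject]@{ PSComputerName = $e.TargetObject; Compliant = $false; Findings = "unreachable: $($e.Exception.Message)" }
})

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$evidence | Export-Csv -Path ".\av-patch-evidence-$stamp.csv" -NoTypeInformation
$evidence | Where-Object { -not $_.Compliant } | Format-Table PSComputerName, Findings -AutoSize
```

Run it on a schedule from a management host and the evidence question becomes "here is the file for every week this year", which is a stronger answer than any single console screenshot, with or without a domain.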
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
BYOD isn't the same. It's an option, surely, but BYOD is a leap to a different discussion. That's about device ownership, not about device management.
When I worked at a big California non-profit, they didn't use AD, SMB, GPO or any of those things. Nor did they use BYOD. Nor did they have central user management. They just handed out laptops, that they owned, and they had some MDM to monitor where they were and push out apps. But they didn't manage users or system settings. Just not needed. That was for 250-300 users. And it worked great. And you could seat swap by taking your laptop with you, rather than using desktops (not my favourite, but it worked.)
So using IRJ's approach, but with zero BYOD.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
I wonder if a workstation can be hacked to look for a directory that houses the GPO files and integrate them without being a domain member? i.e. is there a registry key for that? lol
I'm pretty certain that you can do this. You wouldn't, because GPO is actually a train wreck of a mechanism. Once going to this effort, you'd move past it and do something better for practical reasons. But could you? I'm sure you could.
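It can be done, and without registry archaeology: Microsoft's LGPO.exe (shipped in the Security Compliance Toolkit) imports a standard GPO backup folder into Local Group Policy on a machine that is not a domain member. The script below is an added example, not from the thread and not anyone's production code: it stages the tool and a backup from a share and imports them. The share path, backup GUID and manifest format are assumptions. The integrity checks are the part a practitioner should not skip: a policy blob that every desktop pulls and applies as SYSTEM is a configuration supply chain, so the binary must carry a valid Microsoft signature and the backup must match a hash manifest. A manifest kept on the same share only helps if that share is read-only to everyone but the publisher; if it is not, sign the manifest or fetch it from somewhere that is.

```powershell
# Added example (not from the thread): import a GPO backup into Local Group Policy
# on a non-domain workstation with Microsoft's LGPO.exe, after verifying what was
# pulled from the share. Assumptions (not in the thread): LGPO.exe, a backup folder
# (produced by GPMC "Back Up" or "LGPO.exe /b", named by its GUID) and a
# sha256sum-style manifest ("<hash>  <relative path>" per line) sit on a share
# that is read-only to everyone except the policy publisher.

$share    = '\\fileserver\policy$'                          # assumed
$backupId = '{0A1B2C3D-0000-0000-0000-000000000000}'       # assumed backup folder name
$stage    = Join-Path $env:ProgramData 'PolicyStage'
$lgpo     = Join-Path $stage 'LGPO.exe'
$backup   = Join-Path $stage $backupId

New-Item -ItemType Directory -Path $stage -Force | Out-Null
if (Test-Path $backup) { Remove-Item -Path $backup -Recurse -Force }
Copy-Item -Path (Join-Path $share 'LGPO.exe') -Destination $lgpo -Force
Copy-Item -Path (Join-Path $share $backupId) -Destination $backup -Recurse -Force

# Gate 1: only run a Microsoft-signed LGPO.exe.
$sig = Get-AuthenticodeSignature -FilePath $lgpo
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "LGPO.exe signature check failed: $($sig.Status)"
}

# Gate 2: every file in the backup matches the manifest, and nothing unlisted is present.
# An altered registry.pol or an extra file means someone edited policy you did not author.
$manifest = Get-Content -Path (Join-Path $share "$backupId.sha256")
$listed   = @{}
foreach ($line in $manifest) {
    $hash, $rel = ($line.Trim() -split '\s+', 2)
    $file = Join-Path $backup $rel
    if (-not (Test-Path $file)) { throw "missing from backup: $rel" }
    if ((Get-FileHash -Algorithm SHA256 -Path $file).Hash -ne $hash.ToUpper()) { throw "hash mismatch: $rel" }
    $listed[(Resolve-Path $file).Path] = $true
}
Get-ChildItem -Path $backup -Recurse -File | ForEach-Object {
    if (-not $listed.ContainsKey($_.FullName)) { throw "unlisted file in backup: $($_.FullName)" }
}

# Import machine and user registry.pol, the security template and audit settings from the backup.
& $lgpo /g $backup /v
if ($LASTEXITCODE -ne 0) { throw "LGPO import failed, exit code $LASTEXITCODE" }

# Apply now and print what the local policy engine is actually enforcing.
gpupdate /force | Out-Null
gpresult /scope computer /r
```

Scheduled on each workstation, this is central GPO without a domain controller; scheduled from a management host over remoting, it is the same thing with a report. Either way the trust decision has moved from "domain member trusts its DC" to "workstation trusts the signature and the manifest", so guard those two things.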
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Now - using Salt/Ansible/RMM to centrally manage GPO, OK - now we're talking about actual potential replacements.
No, now you are onto a different topic. There is a difference. GPO is one tool for managing desktop functions. Salt, Ansible, SMB are different tools for managing GPO. None of those are AD or the topic here.
Did you even read the sentence you quoted? The quoted part is not talking about directory services (AD) it's specifically talking about GPOs
Hence my point... this is an AD thread.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
If you have questions unrelated or loosely related to AD like "what are good ways to replace Windows Server components in a Windows desktop world while retaining tight control and visibility of individual workstations", that should be its own thread.
yeah - we need a more useful thread like "if even needed, and not going BYOD, how do I replace all the components that go along with Windows AD (i.e. directory services, workstation settings management)."
Yes, which is a great discussion and we should have it. You should write up the goals for a business, real or contrived, and then we work backwards from the goals to find what we feel would be good approaches for it.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
So literally the most common answer is "how do I replace X" component from the Windows Server ecosystem is truly "you don't."
How do you replace the functionality of auto deployed printers - you don't, you make the users add them manually when needed... yeah that sounds awesome.
No - of course, you're going to tell me, uh, duh of course not, we use powershell to push it out to all the workstations. or an RMM, but you see, those are things that REPLACED powershell. The only not replacement is the user doing it themselves, or the IT staff visiting the workstations doing it for the users (physically or remotely).
Sure, but if you have a deployment script for a printer, what does that take? A couple seconds per machine? And it responds that it worked or failed, unlike GPO where you just trust that it worked. It's like Dr. Evil putting Austin Powers in the pit with the sharks or the lava. Of course he is likely to die, but there is a chance that your GPO will escape and thwart your printer plans. Even if deploying thousands of printers, doing so from script is pretty trivial as long as you have a text list of your machines (you likely would.)
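An added example, not from the thread, of the scripted printer deployment described above with the explicit worked/failed answer per machine that the post contrasts with GPO. The hostnames, printer name, IP address and driver name are made up for the example. The pattern matters more than the cmdlets: check the device answers before touching the spooler, make every step idempotent so a rerun is safe, then read the printer back and verify it landed on the intended port instead of assuming the Add-* cmdlets did what you meant.

```powershell
# Added example (not from the thread): install one shared TCP/IP printer on a list
# of desktops and report, per machine, whether it worked. Assumptions (not in the
# thread): WinRM enabled, an admin credential valid on the desktops, hostnames in
# .\desktops.txt, a raw-9100 printer at 192.0.2.50 (a documentation address), and
# a driver already present in each machine's driver store (stage one with
# "pnputil /add-driver <inf>" if it is not an inbox driver).

$computers = Get-Content -Path .\desktops.txt | Where-Object { $_.Trim() }
$cred      = Get-Credential -Message 'Local admin on the desktops'
$printer   = @{ Name = 'Front Office MFP'; Ip = '192.0.2.50'; Driver = 'Generic / Text Only' }   # assumed values

$deploy = {
    param($P)
    $port = "IP_$($P.Ip)"
    try {
        # Pre-check: is the device actually there? Otherwise you install a queue that silently errors.
        if (-not (Test-NetConnection -ComputerName $P.Ip -Port 9100 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            throw "no response from $($P.Ip):9100"
        }
        if (-not (Get-PrinterDriver -Name $P.Driver -ErrorAction SilentlyContinue)) {
            Add-PrinterDriver -Name $P.Driver          # succeeds only if the driver is in the driver store
        }
        if (-not (Get-PrinterPort -Name $port -ErrorAction SilentlyContinue)) {
            Add-PrinterPort -Name $port -PrinterHostAddress $P.Ip
        }
        if (-not (Get-Printer -Name $P.Name -ErrorAction SilentlyContinue)) {
            Add-Printer -Name $P.Name -DriverName $P.Driver -PortName $port
        }
        # Verify, don't assume: read it back and check the binding.
        $check = Get-Printer -Name $P.Name -ErrorAction Stop
        if ($check.PortName -ne $port) { throw "printer exists but is bound to port $($check.PortName)" }
        [pscustomobject]@{ Printer = $P.Name; Ok = $true;  Detail = "driver=$($check.DriverName) port=$($check.PortName)" }
    } catch {
        [pscustomobject]@{ Printer = $P.Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

$results = Invoke-Command -ComputerName $computers -Credential $cred -ScriptBlock $deploy `
                          -ArgumentList $printer -ErrorAction SilentlyContinue -ErrorVariable offline
$results = @($results) + @($offline | ForEach-Object {
    [pscustomobject]@{ PSComputerName = $_.TargetObject; Printer = $printer.Name; Ok = $false; Detail = "unreachable: $($_.Exception.Message)" }
})

$results | Select-Object PSComputerName, Printer, Ok, Detail | Export-Csv -Path .\printer-deploy.csv -NoTypeInformation
'{0} ok, {1} failed' -f @($results | Where-Object Ok).Count, @($results | Where-Object { -not $_.Ok }).Count
```

The failed list is the whole point: it is the set of machines you visit, and it is exact, which is what "just trust that it worked" can never give you.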
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
Not BYOD and have standard builds with restricted permissions, but you dont really push anything because they are just a basic OS that lets you access resources. You let them update on their own.
I could definitely see this working in a 1 to 1 situation because there would be so little to manage.. and once the user is setup, they aren't likely going to need much IT support. But in a shared environment, it gets stickier.
It seems to work pretty well from what I've seen. And the cost to 1:1 often is small compared to other costs of management. So when you get close, it often pans out. This style also allows for heterogeneous environments really easily.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
In a greenfield, it's pretty darn easy. Easier, in lots of cases.
Right, but nobody ever mentioned greenfield, but seems to be the basis of your stances.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
BYOD isn't the same. It's an option, surely, but BYOD is a leap to a different discussion. That's about device ownership, not about device management.
When I worked at a big California non-profit, they didn't use AD, SMB, GPO or any of those things. Nor did they use BYOD. Nor did they have central user management. They just handed out laptops, that they owned, and they had some MDM to monitor where they were and push out apps. But they didn't manage users or system settings. Just not needed. That was for 250-300 users. And it worked great. And you could seat swap by taking your laptop with you, rather than using desktops (not my favourite, but it worked.)
So using IRJ's approach, but with zero BYOD.
Is there a name for what you described? We kinda need one - especially if you're starting to see this as a more and more common approach, where the device is mostly user managed, except where MDM steps in.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
If you have questions unrelated or loosely related to AD like "what are good ways to replace Windows Server components in a Windows desktop world while retaining tight control and visibility of individual workstations", that should be its own thread.
yeah - we need a more useful thread like "if even needed, and not going BYOD, how do I replace all the components that go along with Windows AD (i.e. directory services, workstation settings management)."
Yes, which is a great discussion and we should have it. You should write up the goals for a business, real or contrived, and then we work backwards from the goals to find what we feel would be good approaches for it.
done
-
@Obsolesce said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
In a greenfield, it's pretty darn easy. Easier, in lots of cases.
Right, but nobody ever mentioned greenfield, but seems to be the basis of your stances.
Doesn't need to be mentioned (although it was.) The question is "do you really need AD", and the answer is no, in greenfield very commonly and in brownfield commonly enough, AD is unnecessary. If there is a new, very niche, brownfield only scenario being assumed, it needs to be mentioned. Because otherwise, both are considered.
The question was never "is AD ever useful". Of course it is, a lot of the time. But almost exclusively in brownfields. You are looking at it in reverse. If you want to isolate an open field (haha) discussion to only brownfields, that has to be mentioned.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
BYOD isn't the same. It's an option, surely, but BYOD is a leap to a different discussion. That's about device ownership, not about device management.
When I worked at a big California non-profit, they didn't use AD, SMB, GPO or any of those things. Nor did they use BYOD. Nor did they have central user management. They just handed out laptops, that they owned, and they had some MDM to monitor where they were and push out apps. But they didn't manage users or system settings. Just not needed. That was for 250-300 users. And it worked great. And you could seat swap by taking your laptop with you, rather than using desktops (not my favourite, but it worked.)
So using IRJ's approach, but with zero BYOD.
Is there a name for what you described? We kinda need one - especially if you're starting to see this as a more and more common approach, where the device is mostly user managed, except where MDM steps in.
Unmanaged? Default? It's just the baseline, more or less. It's a tough one to put a name on because it's the lack of things, rather than the presence of things, that makes it what it is.
It's easy enough to describe... non-BYOD, snowflake managed, end points.
-
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
Not BYOD and have standard builds with restricted permissions, but you dont really push anything because they are just a basic OS that lets you access resources. You let them update on their own.
I could definitely see this working in a 1 to 1 situation because there would be so little to manage.. and once the user is setup, they aren't likely going to need much IT support. But in a shared environment, it gets stickier.
It seems to work pretty well from what I've seen. And the cost to 1:1 often is small compared to other costs of management. So when you get close, it often pans out. This style also allows for heterogeneous environments really easily.
Definitely not a fan of working on a laptop and only a laptop - but I suppose you could deploy monitors and keyboards to every desk, and you just hook up where ever you are working that day.
They more or less did that at Dropbox when I visited there 4 years ago. Just monitors - they still had to type on the laptop keyboard.. ug.
-
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@scottalanmiller said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
@IRJ said in SAMIT: Do You Really Need Active Directory:
@Dashrender said in SAMIT: Do You Really Need Active Directory:
Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?
100 desktops, 100 users, and they play musical charges daily - now what?
Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.
You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.
But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
But you still have regulations, the reason you're running an SIEM.
Not BYOD and have standard builds with restricted permissions, but you dont really push anything because they are just a basic OS that lets you access resources. You let them update on their own.
I could definitely see this working in a 1 to 1 situation because there would be so little to manage.. and once the user is setup, they aren't likely going to need much IT support. But in a shared environment, it gets stickier.
It seems to work pretty well from what I've seen. And the cost to 1:1 often is small compared to other costs of management. So when you get close, it often pans out. This style also allows for heterogeneous environments really easily.
Definitely not a fan of working on a laptop and only a laptop - but I suppose you could deploy monitors and keyboards to every desk, and you just hook up where ever you are working that day.
They more or less did that at Dropbox when I visited there 4 years ago. Just monitors - they still had to type on the laptop keyboard.. ug.
Same, I hated that about the environment. They spent a fortune to overcome the laptop crap of it. But it remained crap.