
    David_CSG


    Best posts made by David_CSG

    • RE: Opinions: Ansible vs. SaltStack

      I do realize this is an OLD post (relatively speaking) but I appreciate(d) finding it, as I'm currently revisiting "Salt vs. Ansible," and while I thought I was leaning towards Salt, perhaps it might be Ansible instead at this point. Not yet settled.

      Nothing needs to be used, anything that is used will be primarily to ease my job of administering - primarily - client machines. (Currently not rolling out enough Linux (or Windows for that matter) servers to be considering a/ny config mgmt system - at this time).

      Most sites have or can have a linux vm that I setup and maintain.
      My need is for one mgmt tool that is: Viable for Windows and Mac OS endpoint management, and for simple basic (check for and) application of system updates, both fit the bill.

      Security is also (especially, as we all know) not at all a non-factor.
      I do like that as of now - with the current build of Windows 10, ssh(d) is included.
      And I hope to use a setup that will work over ssh, with client-nodes limiting connections (from source IP) by firewall, and ssh config limiting connections to/by key only.
      I know that the default config of OpenSSH in Windows uses
      "C:\ProgramData\ssh\administrators_authorized_keys"

      for said config, I have yet to verify if the MS-included (Apps > Optional Features) sshd uses the same.

      posted in IT Discussion
      David_CSG
    • RE: What Are You Doing Right Now

      Doing a little victory dance after successfully: Upgrading a Server2008R2 VM to 2012R2, then its SQL Express 2008R2 installation upgraded to 2012R2, and setting up RDS for making the OLD LOB app available via RDP. Because archival financial info.

      What a PITA, so many very Microsoft-ian errors along the way to overcome.
      For anyone that cares, yes an upgrade. The 2008R2 VM itself was created by me (fresh and shiny new & clean, a handful of years ago), in which I had to do a clean install of said OS and SQL Server Express, and restore data which had been backed up, but the server of origin had died, hard, not long after I recommended replacing it in fact (won't miss that single box running SBS 2011, ever).

      Client-side app won't run in Windows 10 (total non-starter), did in Win 8 and earlier.
      So this is a nice way to still provide access to said valued data for the remaining years the client will need or care about it.

      posted in Water Closet
      David_CSG
    • RE: Controlling Windows via Ansible

      Thanks for this ! Sorry for major necro-posting, but the recommendations in that article are pretty horrible (even as of the date of that article) - effectively: "With Windows, NTLM is easiest so just use that." That should be a non-starter.

      I found the following that nicely covers using Kerberos with AD & DNS for managed hosts, which should be far preferable of course:
      https://argonsys.com/microsoft-cloud/articles/configuring-ansible-manage-windows-servers-step-step/

      posted in IT Discussion
      David_CSG
    • RE: Spiceworks Just Got Acquired by Publisher Ziff-Davis

      @scottalanmiller
      Thanks for all your considerate words and careful thoughts about this. I'm very appreciative of this thread, and particularly this post of yours, SAM.

      I wasn't (yet) kicked off SW, but have always found it an extremely odd place with many demonstrating being either very new to IT, or painfully constrained in their thinking based on knowing only what they know (due to their given opportunities thus far, in terms of exposure and "experience"), and often confusing any calls to review their established and limited (sometimes, not always) and/or ingrained assumptions about a problem and how to best approach it, with personal criticism. Which is also commonplace for people new to IT or particularly defensive about their knowledge of IT (and the manifold topics and considerations that "IT" encompasses).

      I was also sad to see you go/be forced out of SW, but there's much history there that I wasn't party to, nor (would I ever) care to be. While I already was definitely aware of MangoLassi long ago, when I saw that dbeato had joined here and/or become more active, I was happy to see it, and made a point of checking in here more often.

      Very interesting to get some of your behind-the-scenes perspectives, SAM. All of this certainly gives some pause in terms of what will happen now or eventually with SW and anything we post there.

      posted in Water Closet
      David_CSG
    • RE: Is It Possible to Mount SMB Share Using Kerberos Token of Current User on MacOS

      See the following for ideas as to how you can accomplish what you're seeking to do:

      https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

      posted in IT Discussion
      David_CSG
    • RE: "Site not secure" | Self-signed Certificate?

      @dbeato Stated exactly what I was thinking.
      Note: this is not meant to disregard (that would be silly & pointless) the specifics that Scott has mentioned. In other words, one size (or solution) does not necessarily fit all (scenarios).

      But I use Caddy in a Dockerized setup for a server that isn’t publicly available (not wide open), as it doesn’t need to be nor do I want it to be.
      In my case I use dnsmadeeasy and their API. Does require DNS (records) access/ability to manage some records.

      All of which adds “complexity” (not much, but some), enough that I wouldn’t recommend it if the tech involved was new for someone (if so, home lab it first) for anything in production.

      posted in IT Discussion
      David_CSG
    • RE: What Are You Doing Right Now

      @hobbit666

      Exactly.

      https://support.microsoft.com/en-us/help/4015079/lifecycle-dates-extended-for-windows-server-2012

      So, security updates til 10/2023.

      Plenty of time, given that the timeframe access to this data will be needed is another three years.

      Other considerations:

      1. An available lic for 2012R2 already existed.
      2. Given the age of the old financial software product, I didn’t know if/that it would even work. Thankfully it does, just fine. Really seriously doubt it could/will run, at all, on anything newer. Have already established that the client component does not run in W10.
      posted in Water Closet
      David_CSG
    • RE: Ansible Agent Option?

      @stacksofplates

      Thank-you !
      https://hooks.technology/2017/08/ansible-tower-provisioning-callbacks/

      " or you can just use curl.
      curl --data "host_config_key=d13a7b6e08e84c7d8f412b9754400a00" https://tower.example.com/api/v1/job_templates/26/callback/ -k
      This has many benefits beyond just physical host provisioning. This allows systems to “check in” without using Ansible pull."

      Or, for Windows instead of curl, PowerShell Invoke-WebRequest

      https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-6

      Food for thought there... (emphasis added by me)

      posted in IT Discussion
      David_CSG

    Latest posts made by David_CSG

    • RE: Free Upgrade to Windows 10 in 2019 from Windows 7 and Windows 8.1

      Err... Activation != licensing.

      This will get you working activation but - using this method you still will not own a legitimate license for Windows 10 doing this.

      Yes, you “can” but should not. A rep from Microsoft licensing stated this unequivocally over at Spiceworks. NOT in this thread but same info:
      https://community.spiceworks.com/topic/2200671-upgrade-to-windows-10-pro-from-windows-7?page=2

      To be clear: do what you like with your home computing devices. But for any business purposes this is simply an unadvisable (at best) way to proceed. If a Microsoft licensing audit ever occurs, blame for the resulting fines will rest squarely on your shoulders. Don’t let it happen 🙂

      posted in IT Discussion
      David_CSG
    • RE: Install OpenVas9 in Ubuntu Server

      @dbeato Thank-you sir ! Very nice and actually rather apropos for an existing location that I have particular concerns about.

      posted in IT Discussion
      David_CSG
    • RE: Ansible Agent Option?

      @scottalanmiller Thanks very much for starting this discussion, and to everyone who has contributed. Very interested in this.

      @scottalanmiller There is ANTS for Linux & macOS, https://github.com/ANTS-Framework/ants which uses an Ansible pull method.

      • but for Windows that would mean adding Python (pip).

      As far as my usage of Ansible is (or, will be) concerned, all workstations will be (are in the midst of being moved to) the latest build of Windows 10, where ssh(d) are supplied natively, and connections will be made via ssh. Again, primarily on the LAN where hostname resolution (given AD & Windows-provided DNS) is a solved problem.

      So, my primary usage for Ansible will be (meaning I'm not there yet, gearing up while handling some other major projects on the go already) something primarily LAN-based. I do have RMM software I can leverage for Windows, but they (RMM & the world of such competing products, some with questionable security practices) all suck at some things, and what I'm using is ok but sucks in terms of being up to date (current and correct) at reporting patch status for Windows & 3rd-party apps.

      I'm just thinking out loud here, but for remote units, perhaps a cloud-hosted VM, but... that means relying on something like "fail2ban" to block repeat offenders, hard to limit incoming connections in an ideal way. Some kind of scripted phone-home system ? On OS X this is easily accomplished (in response to detected network change) via something like crankd
      Parse the originating IP out of an email, temporarily allow ssh from said address...

      So, inordinately complex hackery to chase a less-than-ideal solution.

      Generally, my thinking was - for when and where I want to leverage Ansible - a dedicated VM on each client (primary) network.

      posted in IT Discussion
      David_CSG
    • RE: Opinions: Ansible vs. SaltStack

      @wrx7m

      What’s the goal of your question ?

      With edu institutions ? Yes, some.

      posted in IT Discussion
      David_CSG
    • RE: Opinions: Ansible vs. SaltStack

      @flaxking

      Most client laptops are reliably in-house on set days.
      For real road-warriors, I’ll leverage our RMM (Solarwinds), which is ok (I have to overcome shortcomings for the Mac with custom shell scripts, and shortcomings for Windows with custom powershell).

      But I’d much rather leverage Ansible where possible.

      Other tools are DEP & MDM (Mosyle.com for macOS & does iOS), and Munki.

      posted in IT Discussion
      David_CSG