    Posts
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @JasGot said in How Do You Replace Active Directory?:

      How do you handle passwords for the local machine and sync them to the passwords required for the server?

      Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.

      The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.

      What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?

      We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.

      We have a crap ton of files - just not PHI. That lives in the EMR.

      The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.

      Why does the EMR use them as files rather than contextualizing them? That's what the EMR is for. Making an EMR to just be a file server is, weird.

      I don't disagree. Most of the data that we create is live data, typed into the system, stored in a DB, but faxes that come in (hundreds of pages a day) have not been shown to be reliably transcribed via OCR, therefore the "paper" copy must be kept for any related issues there.

      Additionally, anything human transcribed is also scanned and stored as CYA for bad data entry.

      We continue to look at solutions where the data can be entered directly by the patient, the roadblock there - costs.

      Accounting records, compliance records, etc. should not be kept as files generally. Keeping files means you've essentially fallen back to paper, just digitized paper. It's far better than paper, but it's not embracing computers as data devices, just computers as paper enhancements.

      I've been asking about this for ages - again, costs is the reason frequently given (and staff pushback).

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @JasGot said in How Do You Replace Active Directory?:

      How do you handle passwords for the local machine and sync them to the passwords required for the server?

      Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.

      The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.

      What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?

      We have a good number on no files. In medical this is surprisingly easy since you need to maintain so much control files present a big risk. Any medical style industry will be an easy candidate to get away from that. And IT, of course. We should not have files.

      We have a crap ton of files - just not PHI. That lives in the EMR.

      The files are things like reviews, forms that are then entered into the EMR, accounting records, compliance records, etc.

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      I suppose renting literally goes back to kings and queens - 'cause they owned everything, the peasants had to pay the kingdom.

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      How do rentals come into being?
      ....
      I know that was a big part of the 2008 crash. .....
      is that where most rentals have come from?

      This is what was being answered. Dash was thinking that rentals were a rare thing historically and came about potentially as recently as 2008. Not that they were invented then, but that the rental market arose after 2008.

      I never - not for one millisecond thought that.

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      @Pete-S said in Is Real Estate Actually a Good Investment on Average?:

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      is that where most rentals have come from?

      Most rentals existed long before 2008. The rental market has always been very large.

      Oh, I'm sure it's been longer than 2008 - but when? When did mass rentals enter the scene?
      I guess they really started in the beginning when companies built factory based towns. The company built the houses for their employees so they would have some place to live. etc.

      A really long time ago (in the US). Most people used to be renters but after WW2 the majority have been homeowners.


      Right now (2022) it sits at around 65%.

      Data is from U.S. Department of Housing and Urban Development.
      https://www.huduser.gov/portal/Publications/pdf/HUD-7775.pdf

      lol - it was almost the majority for the first half of the chart... the increase is way under 50% increase after the war.

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @JasGot said in How Do You Replace Active Directory?:

      How do you handle passwords for the local machine and sync them to the passwords required for the server?

      Not really something that comes up for us that often. Because we push hard to modernize and secure networks and to lower cost, things like mapped drives tend to fall by the wayside quickly. Customers often have that stuff when they come to us and I'm not saying it has no place or never stays. But it is anything but the norm.

      The idea that workstation user accounts need to sync to server user accounts because they are sharing LAN resources is something I deal with literally with months of time in between seeing it. It's super rare. Even with hundreds of customers, we don't see it as normal anymore.

      What are you normally deploying for file storage? Sure it would be great to get companies away from them, but I can't imagine you've managed to do that for most of your clients. I'm assuming you have some combination of box/dropbox/Nextcloud/zoho files/google drive/OD, etc?

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @siringo said in How Do You Replace Active Directory?:

      I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

      Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

      Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

      Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

      Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

      I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

      I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.

      The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)

      Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.

      You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?

      The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.

      I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
      not zero - but no RMM type solution would I expect zero issues with when setting up.

      No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process.

      yeah - that definitely makes sense.

      I'm curious - haven't dug in enough yet - how much Intune notifies you of non compliant machines?

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      of course I've had issues before

      And did your central monitoring report that to you? This is where GPO is difficult. The first thing most people without GPO experience expect when they are told about it is that they will be able to log into a central console and see the status of what has been applied and where that application has succeeded (and where it has failed.) They expect that the central AD system will somehow have monitoring and alerting as that is what would make this process valuable.

      But there isn't. With Salt, for example, or an RMM or an MDM, we'd never accept this kind of management without a central system that tells us the status of the endpoints. If an agent fails, we get a notification. We might still have to fix it manually (or maybe not, because with alerting comes the opportunity for automation) but at least we are told to fix it rather than either dedicating absurd amounts of manpower to seek out problems that we don't know are out there, or waiting for machines to not behave as desired and then trying to track down the failed GPO as a cause.

      yeah, makes sense.

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @siringo said in How Do You Replace Active Directory?:

      I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

      Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

      Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

      Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

      Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

      I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

      I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.

      The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the end points to bandaid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution.)

      Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.

      You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?

      The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.

      I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
      not zero - but no RMM type solution would I expect zero issues with when setting up.

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @Dashrender said in How Do You Replace Active Directory?:

      @scottalanmiller said in How Do You Replace Active Directory?:

      @siringo said in How Do You Replace Active Directory?:

      I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

      Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

      Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

      Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

      Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.

      I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      @siringo said in How Do You Replace Active Directory?:

      I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.

      Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.

      Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.

      Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...

      posted in Water Closet
      Dashrender
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      We had an exciting night. 6.8 magnitude earthquake hit in the Pacific just off shore. That's the fifth largest in Nicaragua's history. It shook Honduras and Salvador, too. We are in Leon, which is really close to the epicenter (about as close as western Managua) and wow did we feel it!

      How many earthquakes is that now since you moved? 2-3?

      posted in Water Closet
      Dashrender
    • RE: Migrating to xxxxx

      My current plan is:

      All users have M365 Business Premium license (centralized user accounts)
      All PCs join AAD
      Migrate fileshare data to SharePoint/Teams/ODfB (file storage)
      Migrate Documents folders to ODfB (file storage)
      Chocolatey for most application installs/updates
      PCs from image including business applications
      Screenconnect/MC (remote troubleshooting)

      Investigate Intune and solutions like Salt/Ansible to deploy settings

      Printers (several possibilities)
      Deploy via Salt/Ansible
      Deploy via Intune
      Manually deploy for single person machines
      MS Universal Print
      3rd party universal print

      posted in IT Discussion
      Dashrender
    • Migrating to xxxxx

      I figured I'd start a slightly more generic business migration thread that will likely still primarily focus on Windows based devices.

      @jt1001001 and I are both looking to migrate away from Microsoft Active Directory.

      Here are my current known needs:
      any user can log into any business owned PC
      file storage available to nearly any device from anywhere on the internet
      deployment of apps to PC
      deployment of settings to PC
      print from company PC to company printers
      remote troubleshooting of PC

      posted in IT Discussion migrate dashrender
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      is that where most rentals have come from?

      Most rentals existed long before 2008. The rental market has always been very large.

      Oh, I'm sure it's been longer than 2008 - but when? When did mass rentals enter the scene?
      I guess they really started in the beginning when companies built factory based towns. The company built the houses for their employees so they would have some place to live. etc.

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @DustinB3403 said in How Do You Replace Active Directory?:

      @siringo said in How Do You Replace Active Directory?:

      I cannot see any corp running 1000's of Windows devices without AD. However I could see a small business not using AD.

      Scott seems to only deal in little Windows environments, hence he always questions the practical use cases of AD and central user administration.

      Agreed.
      From this discussion - centralized user admin is not something Scott seems to ever need, I guess a person at his customers never wants to utilize more than one computer.

      Even @jt1001001 appears to want centralized user administration because he's stated he adds the machines to AAD.

      @jt1001001 said in How Do You Replace Active Directory?:

      @scottalanmiller as I found in our case, AD here was adding absolutely 0% while actually creating more of an administrative headache. 99% of our applications here are "in the cloud" (unlike my old company) and all the DC was doing was print, some file shares, and 1 or 2 group policies (that weren't even working right!). So moving to Teams (see post in other discussion) will alleviate the file share; may build a Linux file server for 1 or 2 use cases where Teams/SharePoint won't work. Group policies are unnecessary and worst case we can upgrade our licenses and go Azure AD/Intune if we need to. Printing, well it's printing and it sucks but we'll figure it out. Best is the CTO and President are on board without so much as a blink.

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      Scott mentioned privately to me that NYC has tons of empty or near empty buildings where they can have apts - so there is no need to build houses/apt buildings.

      Is that a national norm?

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      How do rentals come into being?

      You build a house/apt building and it has these huge costs - we've already talked about how frequently rent is often not high enough to cover the mortgage on the place... so how did rentals become a thing?

      Was it too many bad investors making/building houses that for whatever reason couldn't afford their mortgages, and forced people to sell - and sometimes the seller was required to sell at noticeably lower than cost prices (say sold for just enough to cover the remaining mortgages, if even)?

      I know that was a big part of the 2008 crash. People way overpaid for houses, tons of people lost their jobs - couldn't afford their houses, tossed the keys inside and walked away - the banks were then left holding the bag (the house) and they needed to get these off the books, so they sold them for whatever they could get in a short period of time, etc...

      is that where most rentals have come from?

      posted in Water Closet
      Dashrender
    • RE: Is Real Estate Actually a Good Investment on Average?

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      @Dashrender said in Is Real Estate Actually a Good Investment on Average?:

      @scottalanmiller said in Is Real Estate Actually a Good Investment on Average?:

      Keep in mind that this chart only takes into account the value of the real estate. It does not account for real world factors like taxes, maintenance, and transfer fees / titles / insurance and so forth that make owning a home far more expensive than the mortgage rates would suggest.

      Exactly, those things are a HUGE key factor.

      Yeah, for me I think it was like 25% or more of the monthly costs.

      yeah with my current house payment $1600 total $500/m - taxes $125/m - insurance $975 to interest and principal.

      41.6% and that still doesn't take into account interest, which I think is around $100/m

      posted in Water Closet
      Dashrender
    • RE: How Do You Replace Active Directory?

      @scottalanmiller said in How Do You Replace Active Directory?:

      So let's start asking the questions that really matter...

      Why do you @Dashrender care about AD? What value do you see in what it does?

      I don't care about AD - I care about centralized authentication of all devices. I'd likely be just as happy with JumpCloud/AAD/SAMBA/etc.

      Why do you care about tightly managing a device that is designed to be self sufficient? And why would you want to introduce AD which often disables critical security features (like updates.)

      AD doesn't disable updates any more than AD provides GPO.

      Why do you care about the tight control of non-local user accounts? And how are you managing local user accounts today?

      Local user accounts are disabled.

      I use GPOs a lot today. Learning other options like Salt or Ansible, etc, i.e. state machines would allow me to potentially move away from GPOs.

      posted in Water Closet
      Dashrender