@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@Dashrender said in How Do You Replace Active Directory?:
@scottalanmiller said in How Do You Replace Active Directory?:
@siringo said in How Do You Replace Active Directory?:
I saw @jt1001001 mention they could upgrade so they can use Intune &/or Azure AD. Azure AD is AD, but Intune is an MDM.
Azure AD is not AD. It's a directory service, but in no way is it AD. It's no more AD than JumpCloud or Okta is AD. They are all directory services, but that's where the similarity ends.
Intune is MDM, that is true. And MDM is a vastly better way to do system management than GPO. GPO is horrible. One of the biggest problems with GPO is the lack of an agent, which is really what is needed. So something that is MDM or MDM-like in that way is exactly what you want as an alternative to GPO.
Why do you dislike the lack of a client? Sure it's LAN-centric, and we should be looking for LANless options these days...
Reliability. Hoping that the operating system will successfully pull GPO without an agent is a flaky process. You can make a lot of billable hours getting paid to troubleshoot GPO failures because Windows doesn't have a good way to get the data, process the data, and report on that processing. It's the agents that do all the things that make this type of process reliable.
I guess I don't follow. Something in Windows Pro is what tells the PC to pull and process the GPO - there are logs for that process in Windows. Of course I've had issues before - are you saying you've never had issues with something that has a third party agent before?
I'm saying that the GPO system is flaky and useless. It's pathetically complex and unreliable. Those that use it tend to either have to keep it very, very basic or do a ton of work to make it work and rarely can you find a shop that's really confident that it is working.
The very idea that you have to go onto the endpoints to look at logs shows how big the problem is. There's no warning, no alerting that something has failed. No central repository. You have to build out some kind of log monitoring solution with an AGENT and deploy it to the endpoints to band-aid the kind of centralized data into GPO that you'd just expect with any modern solution (or competent solution).
Everything "has" problems. But how often they have problems, how the agent handles problems, and how you have to deal with problems are what matters. And obviously nothing you'd actually deploy should have the kinds of unreliability or difficulty in monitoring as GPO. If it even comes close, it's not something you'd trust.
You are asking "GPO is bad, so you are saying other solutions are perfect?" Do you see why that is a bad question? Nothing is perfect, why do you ask if other solutions are perfect but don't expect GPO to be?
The way that you ask these questions makes you sound crazy. Don't ask if GPO is perfect. What you should be asking is something like "Oh, so you've found that the good third party agents are reasonably more reliable than the native GPO?" It's logical, it's rational, and it doesn't imply that perfect is a requirement, because obviously it is not.
I guess I've just had good luck. I haven't had to pour huge amounts of time into my GPOs not working.
Not zero - but no RMM type solution would I expect zero issues with when setting up.
No, not zero for sure. GPOs tend to be better when you have a very LAN-centric, very homogenous environment. The more variation you add, especially in terms of latency and connection, the harder it gets. GPOs start to get flaky, especially over the WAN, and you start getting a lot of time spent just trying to get them to process.
yeah - that definitely makes sense.
I'm curious - haven't dug in enough yet - how much Intune notifies you of non-compliant machines?
You can get total sight and notification of any kind of compliance you want. The default no-setup-needed compliance policies are a great start, and now you can use your own custom compliance scripts. Additionally, through automation, the possibilities are endless.
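As an added example (not from the thread, and not Microsoft's code), this is the shape of the custom compliance script mentioned above, used here to surface the kind of Group Policy processing failures discussed earlier to Intune centrally instead of reading each endpoint's log by hand. It assumes the Group Policy operational event log and event IDs 1500-1503 as the success events, and the JSON rule schema Intune expects for custom compliance; verify the event IDs against your own endpoints.

```powershell
# Intune custom compliance "discovery script" (added example, not from the thread).
# Assumption: a successful Group Policy processing cycle is logged as event ID
# 1500-1503 in the operational log below; verify on your own endpoints.
$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$okIds = 1500, 1501, 1502, 1503
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Most recent successful processing event, and count of error-level events, last 24h
$lastOk = $events | Where-Object { $_.Id -in $okIds } |
          Sort-Object TimeCreated -Descending | Select-Object -First 1
$errorCount = @($events | Where-Object { $_.LevelDisplayName -eq 'Error' }).Count
$lastOkUtc  = if ($lastOk) { $lastOk.TimeCreated.ToUniversalTime().ToString('o') } else { 'never' }

# Intune expects the discovery script to return a single compressed JSON object
# whose keys match the SettingName values in the rule file.
$result = @{
    GpoProcessedLast24h = [bool]$lastOk
    GpoErrorCount24h    = $errorCount
    LastGpoSuccessUtc   = $lastOkUtc
}
return $result | ConvertTo-Json -Compress

# Contents of the separate rule file uploaded with the script (shown here only
# for reference; MoreInfoUrl is a placeholder). A device failing either rule is
# marked non-compliant, which is what drives the alerting and reporting.
$rulesFileContent = @'
{
  "Rules": [
    {
      "SettingName": "GpoProcessedLast24h",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/gpo-health",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Group Policy has not processed successfully in 24 hours",
          "Description": "Check domain controller connectivity and run gpupdate /force." }
      ]
    },
    {
      "SettingName": "GpoErrorCount24h",
      "Operator": "IsEquals",
      "DataType": "Int64",
      "Operand": 0,
      "MoreInfoUrl": "https://example.invalid/gpo-health",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Group Policy logged errors in the last 24 hours",
          "Description": "Review the Group Policy operational log on this device." }
      ]
    }
  ]
}
'@
```

The discovery script runs under the Intune management extension on each device, so the reporting comes through the agent rather than from anything GPO does on its own.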