What can you do with active directory that you can’t do with user groups in Linux? When I worked l1, active directory’s job seemed to be breaking and letting us lock out people who just got fired by one of our clients.
with ActiveDirectory ad group policies you can centrally configure the entire windows installation to the point that it isn’t possible for a local user, even with admin to leave the domain. User groups in Linux don’t really cover the use cases for installing and uninstalling applications and configuring options within all of those applications. Yes you can do some similar stuff with, e.g. FreeIPA or even binding to AD but fundamentally you have a local system with remote admin added on.
You can absolutely go as nuts or more nuts with this on linux. You can do all kinds of hardening steps, and centrally deploy the policies with push or pull. Microsoft has even moved towards dsc (desired state configuration).
There are quite a few areas on the linux desktop that show obvious signs of too many choices and loose integration making it an unpolished experience.
Outside of niches like online forums, people seem to think GUIs and marketing are what make something professional.
In reality outside of individual use you really want to avoid GUIs in configuration so that you can be consistent. You shouldnt have to dig down into menus and click through lots of screens to do comparisons or set something up. Thats really where Microsoft’s ecosystem is weakest right now. WinRM and powershell remoting lack polish in the same way wifi or bluetooth management in the linux desktop does
You cant fully setup winrm with gpo, for example listener addresses get bound the first time its enabled with gpo and then its just stuck at that. If the system has it’s ip changed you have to disable the gpo to make any changes and when you get it fixed it reverts when the policy is applied again
Microsoft only seems to care about how things will be managed in their cloud now and all products for managing things locally are showing some rot. Sccm -> mecm -> mem is terrible, theyve even ending all training for tools for on premises management. All they do is azure training and certs now.
Avoiding snark and concentrating on first party features:
You can do these things to an extent bit not as comprehensively and robustly
What can you do with active directory that you can’t do with user groups in Linux? When I worked l1, active directory’s job seemed to be breaking and letting us lock out people who just got fired by one of our clients.
with ActiveDirectory ad group policies you can centrally configure the entire windows installation to the point that it isn’t possible for a local user, even with admin to leave the domain. User groups in Linux don’t really cover the use cases for installing and uninstalling applications and configuring options within all of those applications. Yes you can do some similar stuff with, e.g. FreeIPA or even binding to AD but fundamentally you have a local system with remote admin added on.
Ok that’s fair enough I guess. I’d like to have something I can point at as an alternative but I don’t know enough.
You can absolutely go as nuts or more nuts with this on linux. You can do all kinds of hardening steps, and centrally deploy the policies with push or pull. Microsoft has even moved towards dsc (desired state configuration).
Sure. And then boot the client single user, and go even more nuts.
P.s. I’m not a windows fan
I get it.
There are quite a few areas on the linux desktop that show obvious signs of too many choices and loose integration making it an unpolished experience.
Outside of niches like online forums, people seem to think GUIs and marketing are what make something professional.
In reality outside of individual use you really want to avoid GUIs in configuration so that you can be consistent. You shouldnt have to dig down into menus and click through lots of screens to do comparisons or set something up. Thats really where Microsoft’s ecosystem is weakest right now. WinRM and powershell remoting lack polish in the same way wifi or bluetooth management in the linux desktop does
You cant fully setup winrm with gpo, for example listener addresses get bound the first time its enabled with gpo and then its just stuck at that. If the system has it’s ip changed you have to disable the gpo to make any changes and when you get it fixed it reverts when the policy is applied again
Microsoft only seems to care about how things will be managed in their cloud now and all products for managing things locally are showing some rot. Sccm -> mecm -> mem is terrible, theyve even ending all training for tools for on premises management. All they do is azure training and certs now.
FreeIPA and OpenLDAP are PITA compared to AD.
I hate windows but AD works pretty well and integrates with a lot of SSO functionality easily.
Modern IAM tools should fix any of the locked out / just fired users issues you speak of… by using AD.
SSO for Linux desktops is lacking IMHO