Is Active Directory Really Needed Today?

dafyre

Knowing of a few new tools now like the Salt Stack... is AD even really needed any more since user accounts can be provisioned in seconds as opposed to minutes now?

Edit: Trying tho think purely from a LANless design.

coliver

I think the big answer... It depends.

scottalanmiller

AD has not been needed for quite some time. And there is exactly this thread going on on another SW thread right this second. AD has a place and a lot of value, but everything that AD does is available in some other form, in many cases the same tools just with different names (anything GP can do, you can get without the GP name, as it is branding only that associates it with AD.)

scottalanmiller

Even Microsoft knows this and is moving people away, slowly, to Azure AD which is not AD at all. And that's what JumpCloud is doing as well.

scottalanmiller

Salt and Ansible and such can do user management in new and interesting ways. Are they a wonderful solution for that, not really. But can they? Yes. They certainly make really small shops able to do things that they could never do before.

coliver

If I remember correctly Microsoft is moving group policy functionality into an MDM solution. They are encouraging this move with the new Creator Update.

Obsolesce

Another thing to look out for, is that there's always the potential vendor to come in and say something like "Well, we only support our product on Windows AD...". In that case, you either have to find a different vendor for that product or service, or go back to Windows AD. (if AD is needed in the first place)

Obsolesce

Also, it's not always about user management. There's a ton other reasons for AD in an environment... even if you have zero file servers.

scottalanmiller

@coliver said in Is Active Directory Really Needed Today?:

If I remember correctly Microsoft is moving group policy functionality into an MDM solution. They are encouraging this move with the new Creator Update.

They did quite some time ago. And GP was always exposed to scripts, so anything with an agent on Windows has had access to GP functionality since the beginning.

scottalanmiller

@Tim_G said in Is Active Directory Really Needed Today?:

Another thing to look out for, is that there's always the potential vendor to come in and say something like "Well, we only support our product on Windows AD...". In that case, you either have to find a different vendor for that product or service, or go back to Windows AD. (if AD is needed in the first place)

Simple answer there...

scottalanmiller

@Tim_G said in Is Active Directory Really Needed Today?:

Also, it's not always about user management. There's a ton other reasons for AD in an environment... even if you have zero file servers.

What else is there? AD really is just a user management solution. You CAN use it for ad hoc database functionality, but that's pretty useless if you aren't using it for user management.

Obsolesce

@scottalanmiller said in Is Active Directory Really Needed Today?:

@Tim_G said in Is Active Directory Really Needed Today?:

Another thing to look out for, is that there's always the potential vendor to come in and say something like "Well, we only support our product on Windows AD...". In that case, you either have to find a different vendor for that product or service, or go back to Windows AD. (if AD is needed in the first place)

Simple answer there...

Yup, best option is to find another vendor... but everyone may not feel the same.

scottalanmiller

@Tim_G said in Is Active Directory Really Needed Today?:

@scottalanmiller said in Is Active Directory Really Needed Today?:

@Tim_G said in Is Active Directory Really Needed Today?:

Another thing to look out for, is that there's always the potential vendor to come in and say something like "Well, we only support our product on Windows AD...". In that case, you either have to find a different vendor for that product or service, or go back to Windows AD. (if AD is needed in the first place)

Simple answer there...

Yup, best option is to find another vendor... but everyone may not feel the same.

Not everyone likes doing things well, either

Obsolesce

@scottalanmiller said in Is Active Directory Really Needed Today?:

@Tim_G said in Is Active Directory Really Needed Today?:

Also, it's not always about user management. There's a ton other reasons for AD in an environment... even if you have zero file servers.

What else is there? AD really is just a user management solution. You CAN use it for ad hoc database functionality, but that's pretty useless if you aren't using it for user management.

Resource management, such centralized management of printers, servers, client computers, including group policy for devices (which can go a long way), certificates... there's a long list.

I know it can all be done with other software... and it depends on how big the company is, how many users/devices, skillset of current admins, budget, time allowed for learning, etc...

The user part of it is just one small aspect of it.

You could manage all that other stuff with AD, and control all users and passwords with a NAS device... or a CentOS file server.

dafyre

Wouldn't AzureAD or (I feel terrible for not remembering that other provider's name) still be vulnerable to things like account lockouts and brute forcing?

I am looking at this from the stand point of the original thread this one forked from... (https://www.mangolassi.it/topic/13601/active-directory-malware-defense)

scottalanmiller

@dafyre said in Is Active Directory Really Needed Today?:

Wouldn't AzureAD or (I feel terrible for not remembering that other provider's name) still be vulnerable to things like account lockouts and brute forcing?

Yes, in some cases, central authentication is going to carry on a central threat.

DustinB3403

@dafyre I wouldn't think so. The entire platform is hosted, and each account are not centrally connected like with classic AD.

scottalanmiller

In the original thread, part of the issue was tying core services to shared accounts.

dafyre

@scottalanmiller said in Is Active Directory Really Needed Today?:

In the original thread, part of the issue was tying core services to shared accounts.

I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.

scottalanmiller

@dafyre said in Is Active Directory Really Needed Today?:

@scottalanmiller said in Is Active Directory Really Needed Today?:

In the original thread, part of the issue was tying core services to shared accounts.

I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.

@dafyre said in Is Active Directory Really Needed Today?:

@scottalanmiller said in Is Active Directory Really Needed Today?:

In the original thread, part of the issue was tying core services to shared accounts.

I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.

It carries a lot of value.