this post was submitted on 06 Jan 2024
253 points (93.5% liked)
Asklemmy
44148 readers
1447 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy ๐
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What can you do with active directory that you can't do with user groups in Linux? When I worked l1, active directory's job seemed to be breaking and letting us lock out people who just got fired by one of our clients.
with ActiveDirectory ad group policies you can centrally configure the entire windows installation to the point that it isn't possible for a local user, even with admin to leave the domain. User groups in Linux don't really cover the use cases for installing and uninstalling applications and configuring options within all of those applications. Yes you can do some similar stuff with, e.g. FreeIPA or even binding to AD but fundamentally you have a local system with remote admin added on.
Ok that's fair enough I guess. I'd like to have something I can point at as an alternative but I don't know enough.
You can absolutely go as nuts or more nuts with this on linux. You can do all kinds of hardening steps, and centrally deploy the policies with push or pull. Microsoft has even moved towards dsc (desired state configuration).
Sure. And then boot the client single user, and go even more nuts.
P.s. I'm not a windows fan
I get it.
There are quite a few areas on the linux desktop that show obvious signs of too many choices and loose integration making it an unpolished experience.
Outside of niches like online forums, people seem to think GUIs and marketing are what make something professional.
In reality outside of individual use you really want to avoid GUIs in configuration so that you can be consistent. You shouldnt have to dig down into menus and click through lots of screens to do comparisons or set something up. Thats really where Microsoft's ecosystem is weakest right now. WinRM and powershell remoting lack polish in the same way wifi or bluetooth management in the linux desktop does
You cant fully setup winrm with gpo, for example listener addresses get bound the first time its enabled with gpo and then its just stuck at that. If the system has it's ip changed you have to disable the gpo to make any changes and when you get it fixed it reverts when the policy is applied again
Microsoft only seems to care about how things will be managed in their cloud now and all products for managing things locally are showing some rot. Sccm -> mecm -> mem is terrible, theyve even ending all training for tools for on premises management. All they do is azure training and certs now.
FreeIPA and OpenLDAP are PITA compared to AD.
I hate windows but AD works pretty well and integrates with a lot of SSO functionality easily.
Modern IAM tools should fix any of the locked out / just fired users issues you speak of... by using AD.
SSO for Linux desktops is lacking IMHO