this post was submitted on 06 Jan 2024
241 points (93.2% liked)

Asklemmy

43945 readers
554 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] Mango@lemmy.world 7 points 10 months ago (2 children)

What can you do with active directory that you can't do with user groups in Linux? When I worked l1, active directory's job seemed to be breaking and letting us lock out people who just got fired by one of our clients.

[โ€“] SquiffSquiff@lemmy.world 20 points 10 months ago (2 children)

with ActiveDirectory ad group policies you can centrally configure the entire windows installation to the point that it isn't possible for a local user, even with admin to leave the domain. User groups in Linux don't really cover the use cases for installing and uninstalling applications and configuring options within all of those applications. Yes you can do some similar stuff with, e.g. FreeIPA or even binding to AD but fundamentally you have a local system with remote admin added on.

[โ€“] Mango@lemmy.world 7 points 10 months ago

Ok that's fair enough I guess. I'd like to have something I can point at as an alternative but I don't know enough.

[โ€“] thews@lemmy.world 2 points 10 months ago (1 children)

You can absolutely go as nuts or more nuts with this on linux. You can do all kinds of hardening steps, and centrally deploy the policies with push or pull. Microsoft has even moved towards dsc (desired state configuration).

[โ€“] SquiffSquiff@lemmy.world 4 points 10 months ago (1 children)

Sure. And then boot the client single user, and go even more nuts.

P.s. I'm not a windows fan

[โ€“] thews@lemmy.world 3 points 10 months ago

I get it.

There are quite a few areas on the linux desktop that show obvious signs of too many choices and loose integration making it an unpolished experience.

Outside of niches like online forums, people seem to think GUIs and marketing are what make something professional.

In reality outside of individual use you really want to avoid GUIs in configuration so that you can be consistent. You shouldnt have to dig down into menus and click through lots of screens to do comparisons or set something up. Thats really where Microsoft's ecosystem is weakest right now. WinRM and powershell remoting lack polish in the same way wifi or bluetooth management in the linux desktop does

You cant fully setup winrm with gpo, for example listener addresses get bound the first time its enabled with gpo and then its just stuck at that. If the system has it's ip changed you have to disable the gpo to make any changes and when you get it fixed it reverts when the policy is applied again

Microsoft only seems to care about how things will be managed in their cloud now and all products for managing things locally are showing some rot. Sccm -> mecm -> mem is terrible, theyve even ending all training for tools for on premises management. All they do is azure training and certs now.

[โ€“] psmgx@lemmy.world 13 points 10 months ago (1 children)

FreeIPA and OpenLDAP are PITA compared to AD.

I hate windows but AD works pretty well and integrates with a lot of SSO functionality easily.

Modern IAM tools should fix any of the locked out / just fired users issues you speak of... by using AD.

[โ€“] fruitycoder@sh.itjust.works 1 points 10 months ago

SSO for Linux desktops is lacking IMHO