this post was submitted on 06 Jan 2024
253 points (93.5% liked)
Asklemmy
43962 readers
2086 users here now
A loosely moderated place to ask open-ended questions
The granularity and scale of active directory is a major thing that is keeping linux out of offices, etc...I know you can do a lot with certain tools but nothing comes close as far as I have seen.
The granularity of AD doesn't scale though. I work for a huge bank and trying to get something changed in Group Policy is basically impossible. Making it even the tiniest bit bigger (e.g. adding a single new rule) will slow down every goddamned PC and VM in the entire organization. It adds up to real money lost real fast.
Not only that but some changes to GPOs can break things that you didn't foresee so the general wisdom is, "don't ever change it." Rendering that whole "granularity" argument moot. What good is granularity if you can't even use it?
Also, getting AD to scale to the size required the help of Microsoft. They had to change AD for us many times because the way it replicated certain things just does not scale past around 20,000 desktops (if memory serves). They gave us custom DLLs that run on our DCs to keep things operating reasonably smoothly but their lack of support on non-Windows platforms is a perpetual problem.
If literally every single computer in your company is Windows you'll be fine. However, as soon as you start trying to connect your Linux servers to AD everything starts getting really fucking complicated and troublesome real fast.
Microsoft made a lot of mistakes when they were designing AD but the biggest one was making it intentionally proprietary in so many ways. It prevents us from adopting it more. If AD actually worked with everything we'd be paying Microsoft a lot more in licenses every year.
Aside: Their second biggest mistake with AD was allowing groups to be placed in other groups. This made it so that "simple" administration of your policies and access controls goes from a single lookup to a lookup to the power of n groups. It doesn't scale at all and exponentially increases network traffic and load on domain controllers.
LDAP + Kerberos running on Linux servers doesn't have this problem because it doesn't allow it (intentionally, because it's stupid).
Oh man, I'm thinking about it now and AD just makes me so upset, haha. It's such a poorly engineered product. Don't give it more credit than it's due. It works fine for small organizations but that does not mean it's a good product.
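As an added illustration of the nested-group point made in the comment above (this is example code written for this page, not code from the thread or from any Microsoft or FreeIPA project; the directory contents are constructed toy data), the Python below walks the membership graph the way an access check has to once a group may contain other groups. A flat check is one lookup; with nesting it becomes a breadth-first traversal, the `seen` set is what stops a cyclic nesting (which AD permits) from looping forever, and `members_of` runs the same walk in the other direction for the audit question "who actually ends up in Domain Admins through some chain". Real AD clients usually avoid the client-side walk by reading the server-computed `tokenGroups` attribute or by using the `LDAP_MATCHING_RULE_IN_CHAIN` (`1.2.840.113556.1.4.1941`) matching rule, but the server is still doing this work.

```python
"""Transitive (nested) group membership: one ACL check becomes a graph walk.

All distinguished names below are constructed for the example.
"""
from collections import deque

# Constructed principals (DNs are made up for this example).
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
IT_LEADS = "CN=IT Leads,OU=Groups,DC=corp,DC=example"
HT2 = "CN=Helpdesk Tier2,OU=Groups,DC=corp,DC=example"
FINANCE = "CN=Finance,OU=Groups,DC=corp,DC=example"
ALICE = "CN=alice,OU=Users,DC=corp,DC=example"
BOB = "CN=bob,OU=Users,DC=corp,DC=example"
CAROL = "CN=carol,OU=Users,DC=corp,DC=example"

# Constructed directory: each group maps to its *direct* members,
# which may be users or other groups. HT2 -> DA -> IT_LEADS -> HT2 is a
# deliberate cycle; AD does not prevent an admin from creating one.
DIRECTORY = {
    DA: [IT_LEADS, ALICE],
    IT_LEADS: [HT2],
    HT2: [BOB, DA],
    FINANCE: [CAROL],
}


def direct_groups(principal, directory):
    """One 'lookup': the groups that list *principal* as a direct member."""
    return [g for g, members in directory.items() if principal in members]


def effective_groups(principal, directory):
    """Breadth-first walk up the membership graph.

    Returns (set of groups the principal is transitively in, number of
    lookups performed). The `seen` set is the cycle guard.
    """
    seen, queue, lookups = set(), deque([principal]), 0
    while queue:
        node = queue.popleft()
        lookups += 1
        for g in direct_groups(node, directory):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen, lookups


def is_member(principal, group, directory, nested=True):
    """Access check. nested=False is the single-lookup flat model."""
    if not nested:
        return group in direct_groups(principal, directory)
    return group in effective_groups(principal, directory)[0]


def members_of(group, directory):
    """Audit direction: every user who ends up in *group* through any chain."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in directory.get(g, []):
            if m in directory:      # a nested group: keep descending
                stack.append(m)
            else:                   # a leaf principal
                users.add(m)
    return users


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        groups, lookups = effective_groups(user, DIRECTORY)
        print(f"{user}: {len(groups)} effective groups, {lookups} lookups")
    print("Effective Domain Admins:", sorted(members_of(DA, DIRECTORY)))
```

Bob is not a direct member of Domain Admins, so the flat check says no and the nested check says yes after four lookups; Carol, in a flat group, costs two. The cycle also quietly makes Alice a member of Helpdesk Tier2, which is the kind of side effect that shows up only when someone runs the audit direction.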
Can you elaborate?
I have looked after a few instances of Active Directory and basic user management involved multiple steps through GUIs clearly written at different times (you would go from Windows 8 to Windows 95 to Windows XP styled windows, etc.).
I much prefer FreeIPA; if I wanted to modify a user account it was two button clicks. Adding a group and bulk applying was the work of moments. You can set up replicas, and for a couple hundred users it uses no resources.
The only advantage I could see related to Exchange integration, as it makes it really easy to set up Sharepoint, Skype & Email.
Sharepoint never gets set up properly and you find people switching to alternatives like Confluence, Github/Gitlab Pages or MediaWiki. So that isn't an advantage.
Everybody loathes Skype and you're asked to set up an alternative (Mattermost, Slack, Zoom, etc.). I am not sure how integrated Teams is.
Which really only leaves Email, and I just can see the one-off pain of setting up Dovecot as worth the ongoing usability pain of AD's user control.
I can see why you'd choose Active Directory on a Windows server over a general LDAP server running Linux. But why can't Linux Workstations interface with a Windows AD server?
I create Computer accounts for Linux servers at work. It works fine. We only have Windows workstations, though. But I can't see how we couldn't have Linux workstations.