The granularity and scale of active directory is a major thing that is keeping linux out of offices, etc… I know you can do a lot with certain tools but nothing comes close as far as I have seen.
Can you elaborate…
I have looked after a few instances of Active Directory and basic user management involved multiple steps through GUIs clearly written at different times (you would go from a Windows 8 to Windows 95 to Windows XP styled windows, etc…)
I much prefer FreeIPA; if I wanted to modify a user account it was two button clicks. Adding a group and bulk applying was the work of moments. You can set up replicas and for a couple hundred users it uses no resources.
The only advantage I could see related to Exchange Integration as it makes it really easy to set up Sharepoint, Skype & Email.
Sharepoint never gets set up properly and you find people switching to alternatives like Confluence, Github/Gitlab Pages or Media Wiki. So that isn’t an advantage.
Everybody loathes Skype and you’re asked to set up an alternative (Mattermost, Slack, Zoom, etc…). I am not sure how integrated Teams is.
Which really only leaves Email and I just can see the one-off pain of setting up Dovecot as worth the ongoing usability pain of AD’s user control.
The granularity of AD doesn’t scale though. I work for a huge bank and trying to get something changed in Group Policy is basically impossible. Making it even the tiniest bit bigger (e.g. adding a single new rule) will slow down every goddamned PC and VM in the entire organization. It adds up to real money lost real fast.
Not only that but some changes to GPOs can break things that you didn’t foresee so the general wisdom is, “don’t ever change it.” Rendering that whole “granularity” argument moot. What good is granularity if you can’t even use it?
Also, getting AD to scale to the size required the help of Microsoft. They had to change AD for us many times because the way it replicated certain things just does not scale past around 20,000 desktops (if memory serves). They gave us custom DLLs that run on our DCs to keep things operating reasonably smoothly but their lack of support on non-Windows platforms is a perpetual problem.
If literally every single computer in your company is Windows you’ll be fine. However, as soon as you start trying to connect your Linux servers to AD everything starts getting really fucking complicated and troublesome real fast.
Microsoft made a lot of mistakes when they were designing AD but the biggest one was making it intentionally proprietary in so many ways. It prevents us from adopting it more. If AD actually worked with everything we’d be paying Microsoft a lot more in licenses every year.
Aside: Their second biggest mistake with AD was allowing groups to be placed in other groups. This made it so that “simple” administration of your policies and access controls goes from a single lookup to a lookup to the power of n groups. It doesn’t scale at all and exponentially increases network traffic and load on domain controllers.
LDAP + Kerberos running on Linux servers doesn’t have this problem because it doesn’t allow it (intentionally, because it’s stupid).
Oh man, I’m thinking about it now and AD just makes me so upset, haha. It’s such a poorly engineered product. Don’t give it more credit than it’s due. It works fine for small organizations but that does not mean it’s a good product.
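The nested-group cost the commenter describes can be measured rather than argued about. This is an added example, not code from anyone in the thread: it resolves effective membership of a group through nested groups with cycle detection (AD allows cycles), counts one directory lookup per group visited, and flags groups whose nesting depth exceeds a policy threshold. The directory data is constructed for illustration, and the "one lookup per group" cost model is an assumption.

```python
from collections import deque

# Constructed sample directory: group -> direct members (users or other groups).
# Names starting with "g_" are groups; everything else is a user account.
SAMPLE_GROUPS = {
    "g_all_staff": ["alice", "g_engineering", "g_finance"],
    "g_engineering": ["bob", "g_platform"],
    "g_platform": ["carol", "g_sre"],
    "g_sre": ["dave", "g_platform"],  # membership cycle: g_platform <-> g_sre
    "g_finance": ["erin"],
}


def expand_group(groups, name):
    """Return (effective users, lookups, max depth) for one group.

    Each group visited costs one directory lookup (assumed cost model);
    visited groups are tracked so a membership cycle cannot loop forever.
    """
    users, seen = set(), set()
    lookups = max_depth = 0
    queue = deque([(name, 0)])
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue  # already expanded (or part of a cycle)
        seen.add(group)
        lookups += 1
        max_depth = max(max_depth, depth)
        for member in groups.get(group, []):
            if member.startswith("g_"):
                queue.append((member, depth + 1))
            else:
                users.add(member)
    return users, lookups, max_depth


def audit_nesting(groups, max_allowed_depth=2):
    """Flag every group whose nesting depth exceeds the policy threshold."""
    report = {}
    for group in groups:
        _, lookups, depth = expand_group(groups, group)
        report[group] = {"lookups": lookups, "depth": depth,
                         "too_deep": depth > max_allowed_depth}
    return report


if __name__ == "__main__":
    print(expand_group(SAMPLE_GROUPS, "g_all_staff"))
    print(audit_nesting(SAMPLE_GROUPS))
```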