hug 2 hours ago

Group Policy and Active Directory are dead, for all intents and purposes.

It's now Intune (via OMA-DM), and Entra. Both of those products are about as bad as you might imagine the "cloud" versions of GP & AD might be.

They are better, in ways -- no longer having to care for and feed domain controllers is nice, and there's no longer an overhead for additive policy processing, so endpoints only get a single set of policy and log on much quicker -- but for the most part, enterprise management of Windows devices is in a worse place than it was ten years ago.

Try to figure out how long it will take an online Intune device to discover a new policy: As far as I can tell the answer is "eventually". There are bandaids for this, because of how infuriating it is, of course, but all time guarantees are basically gone.

Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

The answer now is not simple.
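
The "eventually" above can be measured rather than guessed. The script below is an added example, not code from the thread or from Microsoft: it forces an OMA-DM sync by starting the enrollment client's PushLaunch scheduled task (the usual band-aid), then polls the PolicyManager registry mirror until a chosen setting appears and reports the elapsed time. The task folder layout (`\Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\PushLaunch`) and the `DeviceLock/MinDevicePasswordLength` setting used as the thing to wait for are assumptions for illustration; run it elevated on an Intune-enrolled device and substitute the CSP area and setting you actually pushed.

```powershell
# Added example (not from the thread): time how long an Intune-enrolled Windows
# device takes to apply a setting after a forced OMA-DM sync.
# Assumptions: the EnterpriseMgmt task layout and the DeviceLock setting below.
param(
    [string]$Area    = 'DeviceLock',                 # CSP area of the setting you pushed
    [string]$Setting = 'MinDevicePasswordLength',    # setting name inside that area
    [int]$TimeoutMinutes = 30,
    [int]$PollSeconds    = 15
)

# Applied device policies are mirrored under PolicyManager\current\device\<Area>.
# If the value is absent, the client has not applied the policy yet.
$regKey = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
function Get-AppliedPolicyValue {
    (Get-ItemProperty -Path $regKey -Name $Setting -ErrorAction SilentlyContinue).$Setting
}

# Each MDM enrollment gets its own GUID-named task folder under EnterpriseMgmt.
$mdmTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if (-not $mdmTasks) { throw 'No EnterpriseMgmt tasks found; is this device MDM-enrolled?' }

$before = Get-AppliedPolicyValue
"Before sync: $Area/$Setting = $(if ($null -eq $before) { '<not applied>' } else { $before })"

# PushLaunch is the task the push channel fires to start a sync session;
# starting it by hand is the usual band-aid for the slow default schedule.
$push = $mdmTasks | Where-Object TaskName -eq 'PushLaunch'
if (-not $push) { throw 'PushLaunch task not found under EnterpriseMgmt' }
$started = Get-Date
$push | Start-ScheduledTask

# Poll the registry mirror until the setting changes or the deadline passes.
$deadline = $started.AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds $PollSeconds
    $now = Get-AppliedPolicyValue
    $elapsed = [int]((Get-Date) - $started).TotalSeconds
    "t+{0}s: {1}" -f $elapsed, $(if ($null -eq $now) { '<not applied>' } else { $now })
} while (($null -eq $now -or $now -eq $before) -and (Get-Date) -lt $deadline)

if ($null -ne $now -and $now -ne $before) {
    "Policy arrived after $elapsed seconds"
} else {
    "Gave up after $TimeoutMinutes minutes; policy not (re)applied"
}

# Sync sessions are logged by the enrollment client; events since $started tell
# you whether the device actually talked to the service or never got scheduled.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = $started
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the setting was already applied and unchanged, the loop runs to the timeout by design; push a different value first so there is something to observe. A successful sync session in the event log combined with the value never appearing in the registry points at targeting or CSP problems rather than at the schedule.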

mbreese an hour ago

> Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

That was also the answer two decades ago. But if AD and GPO are now dead, what killed them and what are the options? Is the problem mobile and BYOD?

I’ve been primarily on Macs since that time where endpoint management isn’t much, so there are fewer knobs to fiddle with. In some ways it’s nice in that admins can’t screw around too much with my system. In other ways, I’m sure Macs feel limiting for those in charge of enterprise security. However, most endpoint management feels like it’s written for Windows with Macs as an afterthought for checklist security. Knowing that, I’m happy there are fewer places for dodgy software to be able to interface with the OS.

(Edit: added quote to top)

hug an hour ago

It was absolutely not the case two decades ago. There were no other options for an enterprise fleet, 20 years ago, if the question was asked. If you weren't Google (who never asked the question anyway), the answer for managing 25,000 endpoints was to use Windows devices with Active Directory as the management plane. Anyone doing anything else was in for a world of hurt... and that's why every enterprise ended up on Windows, and why everyone targeting enterprise management targeted Windows -- because that's what the endpoints were already running.

What killed AD & GPO was Microsoft, in their bullheaded push toward Azure everything. Instead of listening to what it was that the enterprise customers actually wanted, they designed a system that made sense to them, but to no one else. The original UI was written in Silverlight. It was horrific.

mbreese an hour ago

No, I meant that Windows AD was still the answer two decades ago. I can see how that may not have been clear - I edited my post to include the quote I was replying to. (You said one decade and I was just extending that timeline back another 10 years.)

There was LDAP and Kerberos support for *nix management, but nothing you’d deploy over a thousand end devices.

And you’re right, it wasn’t a question that got asked, because there wasn’t ever a second choice - AD was the only option.

ethbr1 41 minutes ago

> Kerberos

I remember it almost being a trope at the time that every Kerberos question thread eventually landed on some subtle / niche incompatibility or edge case.

kgwxd an hour ago

No alternative, you can't realistically fully control everything everyone does on every device in their possession. It was job security for useless control freaks, the products never should have existed.

ethbr1 40 minutes ago

Spoken like someone who has never provided computers to non-technical, minimum-wage users.

Tarmo362 an hour ago

What about offline? To my knowledge Entra and Intune do not work without an actual internet connection.