by jandrese 1482 days ago
My school district has all of the machines on their domain.

Linux still doesn't have anything remotely as capable as Active Directory.

4 comments

Now that almost everything is accessed by a web browser... what do you even need Active Directory for? Like printers or something?
> Now that almost everything is accessed by a web browser... what do you even need Active Directory for?

What about signing in with your firstname.lastname account, with the particular web app talking with the AD server through something like LDAP?

Thus, your credentials for all of the integrated software should be managed centrally, in the particular AD server or a similar solution.

Or maybe even SSO with something like Kerberos or an alternative?

There are tons of free SSO services, such as Google.

And why do you need to control people’s laptop login? That can be local.

> And why do you need to control people’s laptop login? That can be local.

Some organizations might want to ensure that your account follows certain policies in regards to the password expiry dates or how "secure" they are.

Furthermore, if you leave an organization, they might want to remove all of your access credentials to all of the linked platforms/devices in one fell swoop.

While you are in the organization, they might want to allow you to use certain pieces of software (say, GitLab, Nextcloud, Mattermost, anything that talks LDAP) by giving you a particular group membership, such as everything for PROJECT_X/CLASS_X and so on.

Similarly, when a certain platform requires user credentials, they might also want to explicitly allow this platform to integrate with their account management software, by giving it certain credentials to talk to the AD server, which can later be revoked.

Oh, and password resets are also nice to centralize, in case you ever screw up.

Sometimes their hand might also be forced due to compliance reasons: imagine Google basically owning your company and information about all of the accounts/devices due to them having the actual data.

The argument is that because so much is now cloud services in the browser, it makes centralised AD far less holistic, hence it's better to assess the cloud services' settings for compliance. There is some truth and risk in that; go reset the password of those 3 services not supporting SSO. The reality about security is that you have to deal with the admin trouble. MS isn't removing processes, education, trust, and their costs; it likes to give the impression that it does, hence asking you for money to remove the difficult inconvenience of actual security needs.
Group Policy is low key the most powerful thing in tech. Secure all the clients? Yes. Personalize all the clients? Yes. Install software? Sure. Disable unsafe browser features in third party browsers? Also yes!

Group policy is such an insanely convenient configure-once-apply-everywhere system, I'm still not sure why anyone would run a corporate network without it. Modern MDM solutions don't even come close to the extensive level of customization you can do with a GPO.

For locking down the machines so the kids don't mess them up. For pushing policy down when they need to change something. All of the stuff that's routine for an AD administrator.
Don’t know why we just don’t give people a laptop and a login for the web services they need. If they can run a laptop at home just fine why does it need to be any more locked down than that for school work? And what policies do you need to just run a web browser? It’s not the NSA.
So, your entire tech support will be inundated with undoing scams and ransomware perpetrated by malicious search ads, for one.

Chrome is outright terrifying to have on a computer if you don't push down about four pages of enterprise policies to lock it down.

The idea of letting employees have administrative access to PCs that sensitive corporate data or children's personal info is on is downright terrifying.

But letting them access that same data on their personal computers and laptops is fine?

If banks can let you access your account information on non-bank-owned machines and parents can access their kids' personal info from their phones, I think we can manage a fleet of untrusted endpoints.

Yes, because the school district is not legally liable for parents doing stupid things outside of school grounds, but it is legally liable for its employees' conduct.
Many tens of billions of dollars are stolen via those untrusted endpoints every year, mostly targeting at-risk groups like senior citizens.
> If they can run a laptop at home just fine

The number of times I have seen people being okay with computer slowdown due to adware or viruses is insane. Some folks I know go with a policy of formatting their computer every year because it is "natural" for a computer to get slow over time, according to them. Really, most people are fine with downloading any software they see from the web. There is a reason that fake software is the highest-paid ad category and only porn sites show it.

> Linux still doesn't have anything remotely as capable as Active Directory.

I legitimately want more people to talk about this and to share their experiences. Do people run OpenLDAP? Something like FreeIPA? Maybe 389 Server?

What's the most popular or maybe easiest to use *nix solution for managing lots of accounts and devices, policy etc.? What about solutions for just managing accounts/login information or integrating with self-hosted software of all sorts?

Honestly, the best domain server for Linux is Active Directory, and if you have but a single Windows machine in your school it’s mandatory anyway, so unless you’re managing massive fleets to warrant the FreeIPA bridge, sssd-ad is more than good enough.
Every edu I've worked with using Linux rolls an Ubuntu derivative, which has for six LTS versions supported easy AD integration. Smaller subsets just use Ansible + AWX, but they are typically just managing the basics.
The AD integration on Linux is just getting you login. It doesn't support much local configuration of the endpoints, which is the killer feature of AD. I have also found the AD PAM modules to be a bit fragile. I keep having machines that work for a while, then suddenly need 5 minutes to log in or simply can't log in at all after some time. It has been kind of frustrating for me. I want to tell people "just use your domain login, it will work", but it's a lie too often.
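As an added example (not from any of the commenters), here is a minimal `/etc/sssd/sssd.conf` of the kind `realm join` produces for the sssd-ad setup discussed above, with the options that bear on the login-reliability and policy points raised; `example.com` / `EXAMPLE.COM` are placeholder names.

```ini
# /etc/sssd/sssd.conf  (must be owned by root, mode 0600, or sssd refuses to start)
# Added example: example.com / EXAMPLE.COM are placeholders, not names from the thread.

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
# Use AD for identities, authentication and access decisions (this is what "sssd-ad" means).
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Derive POSIX UIDs/GIDs from the AD object SIDs instead of requiring RFC 2307 attributes.
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Keep cached credentials so users can still log in when no DC is reachable,
# and keep the Kerberos password so tickets are obtained once back online.
cache_credentials = True
krb5_store_password_if_offline = True

# Enforce the "Allow/Deny log on locally" GPO settings on this Linux host.
# This is the one piece of Group Policy sssd applies; "permissive" only logs
# what would be denied while you verify the policy, "disabled" ignores GPOs.
ad_gpo_access_control = enforcing

# Avoid slow logins on large domains: do not resolve every member of every
# group at login, and do not enumerate the whole directory.
ignore_group_members = True
enumerate = False
```

After editing, `systemctl restart sssd` and check `/var/log/sssd/sssd_example.com.log` when a login stalls; most of the "5 minutes to log in" cases show up there as DC lookup or group-resolution timeouts.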
Active Directory is an implementation of LDAP and uses Kerberos, both OSS. So, in effect, Linux has something exactly as capable as Active Directory.
Spoken like someone who has never in their lives tried to do any of the things AD does in Linux.
> Spoken like someone who has never in their lives tried to do any of the things AD does in Linux.

Spoken like someone with an identifiable personality disorder. Get evaluated and stop pathetically trying to hurt others when it is clear the deep anxieties are yours.

AD is only miraculous in that it is the one thing, the one and only thing among a vast many, that Microsoft got right. And the reason they got it right is that AD is LDAP and Kerberos. IOW, AD is a Microsoft-esque gui for LDAP and Kerberos. Really. It does not slice and dice, it does not blend; it is merely authentication and authorization. If you'd like, AD will auth Linux boxen users all day long. Anything else AD does is only germane to Windows.

FreeIPA combined with something like ansible will do it.
Can you find someone to install it, configure it, maintain it and update it, and support it (including on-site once a week) for less than $10K a year?

Microsoft is losing money to have schools run this software.

FreeIPA is a Redhat upstream thing (389 Server or something?), so yeah, I’d imagine Redhat would probably work with a school district for wicked good pricing.
I'd pay $10k/yr. out of pocket not to use FreeIPA again. It's no substitute for AD and when it breaks, it breaks hard.
Do Microsoft do that work directly?
No, but you can throw a rock and find cheap, good-enough managed service providers that can do it, i.e. Microsoft partners. MS has been building out the network for decades.