> And why do you need to control people’s laptop login? That can be local.
Some organizations might want to ensure that your account follows certain policies with regard to password expiry dates or how "secure" passwords are.
Furthermore, if you leave an organization, they might want to remove all of your access credentials to all of the linked platforms/devices in one fell swoop.
While you are in the organization, they might want to allow you to use certain pieces of software (say, GitLab, Nextcloud, Mattermost, anything that talks LDAP) by giving you a particular group membership, such as everything for PROJECT_X/CLASS_X and so on.
Similarly, when a certain platform requires user credentials, they might also want to explicitly allow this platform to integrate with their account management software, by giving it certain credentials to talk to the AD server, which can later be revoked.
Oh, and password resets are also nice to centralize, in case you ever screw up.
Sometimes their hand might also be forced due to compliance reasons: imagine Google basically owning your company and information about all of the accounts/devices due to them having the actual data.
The argument is that because so much is now cloud services in the browser, it makes centralised AD far less holistic; hence it is better to assess the cloud services' settings for compliance.
There is some truth and risk in that: go reset the password of those 3 services not supporting SSO. The reality about security is dealing with the admin trouble. MS isn't removing processes, education, trust, and their costs; it likes to give the impression that it does, hence asking you for money to remove the difficult inconvenience of actual security needs.
Group Policy is low-key the most powerful thing in tech. Secure all the clients? Yes. Personalize all the clients? Yes. Install software? Sure. Disable unsafe browser features in third-party browsers? Also yes!
Group policy is such an insanely convenient configure-once-apply-everywhere system, I'm still not sure why anyone would run a corporate network without it. Modern MDM solutions don't even come close to the extensive level of customization you can do with a GPO.
For locking down the machines so the kids don't mess them up. For pushing policy down when they need to change something. All of the stuff that's routine for an AD administrator.
Don’t know why we just don’t give people a laptop and a login for the web services they need. If they can run a laptop at home just fine why does it need to be any more locked down than that for school work? And what policies do you need to just run a web browser? It’s not the NSA.
So, your entire tech support will be inundated with undoing scams and ransomware perpetrated by malicious search ads, for one.
Chrome is outright terrifying to have on a computer if you don't push down about four pages of enterprise policies to lock it down.
The idea of letting employees have administrative access to PCs that sensitive corporate data or children's personal info is on is downright terrifying.
But letting them access that same data on their personal computers and laptops is fine?
If banks can let you access your account information on non-bank owned machines and parents can access their kids personal info from their phones I think we can manage a fleet of untrusted endpoints.
Yes, because the school district is not legally liable for parents doing stupid things outside of school grounds, but it is legally liable for its employees' conduct.
The number of times I have seen people being okay with computer slowdown due to adware or viruses is insane. Some folks I know go with a policy of reformatting the computer every year because it is "natural" for a computer to get slow over time, according to them. Really, most people are fine with downloading any software they see on the web. There is a reason that fake software is the highest-paid ad category and only porn sites show it.
What about signing in with your firstname.lastname account, with the particular web app talking with the AD server through something like LDAP?
Thus, your credentials for all of the integrated software should be managed centrally, in the particular AD server or a similar solution.
Or maybe even SSO with something like Kerberos or an alternative?
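The login flow that the comments above sketch (an app such as GitLab holding its own revocable service credential, looking a user up in the directory, checking group membership such as PROJECT_X, and then authenticating the user, with offboarding handled centrally) can be walked through as an added example. This is not code from the thread or from any of the products named in it; the "directory" is a constructed in-memory model standing in for the AD server, so it runs offline with only the standard library, and the account names, group names and the `gitlab-svc` service account are assumptions. It also models one real trap of LDAP simple bind that the app side has to guard against: a bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many servers accept as anonymous rather than rejecting.

```python
"""Model of the auth sequence an LDAP-integrated web app runs against AD.

Constructed example: the directory below is an in-memory stand-in for the
AD server, not a real LDAP client. All names are illustrative assumptions.
"""
import hashlib
import hmac
import os

ACCOUNTDISABLE = 0x2  # userAccountControl bit AD sets on a disabled account


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Directory:
    """Stands in for the AD server: users, their groups, per-app service accounts."""

    def __init__(self):
        self.users = {}     # sAMAccountName -> record
        self.services = {}  # per-application service account -> (salt, hash)

    def add_user(self, name, password, groups, uac=0):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "memberOf": set(groups), "userAccountControl": uac}

    def add_service(self, name, secret):
        salt = os.urandom(16)
        self.services[name] = (salt, _hash(secret, salt))

    def revoke_service(self, name):
        # Revoking one app's credential cuts that app off without touching users.
        self.services.pop(name, None)

    def disable_user(self, name):
        # Offboarding: one flag, and every integrated app starts refusing the user.
        self.users[name]["userAccountControl"] |= ACCOUNTDISABLE

    def service_bind(self, name, secret) -> bool:
        rec = self.services.get(name)
        return rec is not None and hmac.compare_digest(_hash(secret, rec[0]), rec[1])

    def user_bind(self, name, password) -> bool:
        rec = self.users.get(name)
        if rec is None or rec["userAccountControl"] & ACCOUNTDISABLE:
            return False
        if password == "":
            # Replicates the server-side trap: name + empty password is an
            # unauthenticated (anonymous) bind that "succeeds" without a check.
            return True
        return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

    def groups_of(self, name):
        return set(self.users[name]["memberOf"])


def app_login(directory, svc_name, svc_secret, username, password, required_group):
    """What an integrated app does for one login attempt; returns a verdict string."""
    if password == "":
        return "denied: empty password would be an anonymous bind"
    if not directory.service_bind(svc_name, svc_secret):
        return "denied: app's service credential rejected"
    if username not in directory.users:
        return "denied: no such user"
    if required_group not in directory.groups_of(username):
        return "denied: not in " + required_group
    if not directory.user_bind(username, password):
        return "denied: bad password or account disabled"
    return "ok"


def demo():
    """Builds a constructed directory and returns the verdict of each scenario."""
    d = Directory()
    d.add_service("gitlab-svc", "s3cret")
    d.add_user("jane.doe", "hunter2", ["PROJECT_X"])
    d.add_user("john.roe", "pw", ["CLASS_Y"])
    out = {}
    out["good"] = app_login(d, "gitlab-svc", "s3cret", "jane.doe", "hunter2", "PROJECT_X")
    out["wrong_pw"] = app_login(d, "gitlab-svc", "s3cret", "jane.doe", "nope", "PROJECT_X")
    out["wrong_group"] = app_login(d, "gitlab-svc", "s3cret", "john.roe", "pw", "PROJECT_X")
    out["empty_pw"] = app_login(d, "gitlab-svc", "s3cret", "jane.doe", "", "PROJECT_X")
    d.disable_user("jane.doe")
    out["offboarded"] = app_login(d, "gitlab-svc", "s3cret", "jane.doe", "hunter2", "PROJECT_X")
    d.revoke_service("gitlab-svc")
    out["app_revoked"] = app_login(d, "gitlab-svc", "s3cret", "john.roe", "pw", "CLASS_Y")
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, "->", verdict)
```

The two levers the thread is arguing for both show up as single operations: `disable_user` is the "one fell swoop" offboarding, and `revoke_service` is pulling one application's access without touching any user. The empty-password check sits in the app, not the directory, because that is where the real-world bug lives: an app that forwards whatever the login form sent straight into a simple bind can be logged into with a blank password.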