
Microsoft Dependency Has Risks

(blog.miloslavhomer.cz)
152 points ArcHound | 12 comments
firesteelrain ◴[] No.44381913[source]
For most businesses, the cost and difficulty of shifting away from Microsoft outweigh the benefits.
replies(4): >>44381959 #>>44381985 #>>44382500 #>>44384846 #
smaudet ◴[] No.44381985[source]
Maybe.

Some things go deep, true. However, most businesses don't use most of Microsoft's products - even the ones that do, the usage of the more complicated products is far more minuscule than imagined by e.g. CFOs, etc.

The real thing keeping many "in the fold" as it were would be authentication services.

Which are overcomplicated and probably easier to manage without...

replies(2): >>44381991 #>>44382259 #
1. firesteelrain ◴[] No.44381991[source]
Right, it’s stuff like Active Directory and how everything’s tied together. Once you’re using that for auth, it’s really tough to back out without a lot of effort.

We’ve looked into FreeIPA and similar options, but honestly, nothing really holds a candle to Active Directory yet.

replies(2): >>44382060 #>>44382529 #
2. AnonymousPlanet ◴[] No.44382060[source]
AD and Domain Servers are like a cancer that will grow metastases around your org, costing user and client CALs all over the place, even for every desk phone if you're not careful. The only winning move is never to play their game in the first place.
replies(2): >>44382090 #>>44382279 #
3. firesteelrain ◴[] No.44382090[source]
I'm in a situation where, due to staff skillsets and ease of management, GPOs are required. Local GPOs would be insane to manage across thousands of PCs.
replies(2): >>44382146 #>>44385335 #
4. thewebguyd ◴[] No.44382146{3}[source]
InTune/MDMs are finally eating away at the need for GPOs for most use cases. Someone already familiar with AD & Group Policy should be able to easily transition to InTune Configuration Policies. MS even has a tool now to import your GPOs.

There's still a few that don't have direct equivalents, but the list is growing smaller and smaller.

replies(1): >>44385466 #
5. mnadkvlb ◴[] No.44382279[source]
Genuinely interested, what are the alternatives? I know Ping/ForgeRock and some old IBM stuff.

What is the state of the art today that compares to Active Directory (not talking Azure AD - or whatever they call it these days)?

replies(1): >>44382613 #
6. cyberax ◴[] No.44382529[source]
AD is one of the few good MS projects. But you can use it with Macs and Linux just fine!

Just keep a couple of Windows servers running AD, and migrate everything else.

replies(1): >>44383076 #
7. firesteelrain ◴[] No.44382613{3}[source]
Samba4 is the closest you can get. It is not as nice as ActiveDirectory.
replies(1): >>44387319 #
8. p_ing ◴[] No.44383076[source]
Apple doesn't recommend joining Macs to AD -- their implementation is awful, along with their SMB implementation.

But it is technically possible.

9. AnonymousPlanet ◴[] No.44385335{3}[source]
Yes and that is a very common case. Windows is designed so that you barely have a chance to deal with your case without Microsoft components all the way. You would need a company with enormous resources to play catch up with the highly integrated and proprietary connections between each component.

It's a rigged monopoly and has nothing to do with a market economy. Once you have been forced to use Windows, you are doomed.

10. AnonymousPlanet ◴[] No.44385466{4}[source]
InTune is part of Microsoft's strategy to make everyone dependent on their cloud. It's like switching from Heroin to Fentanyl because you want to get off of your addiction.
11. smaudet ◴[] No.44387319{4}[source]
> Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function either as an Active Directory Domain Controller or as a member server.

What's something that AD provides that this does not?

It certainly sounds like an (almost) drop-in replacement.

replies(1): >>44387808 #
12. firesteelrain ◴[] No.44387808{5}[source]
Samba4 covers core AD features like Kerberos, LDAP, and can act as a DC, but it’s not a full drop-in. GPO support is limited, management tools aren’t as robust (no full RSAT equivalent), and some advanced AD features (like DAC or ADCS) aren’t supported. Fine for smaller setups, but not 1:1 with enterprise AD.