Aaron Crosman on 2 Sep 2004 16:19:03 -0000


RE: [PLUG] Microsoft/Active Directory

>On Thu, 2 Sep 2004 10:40:15 -0400 (EDT), Ron Mansolino <rmsolino@netaxs.com> wrote
>> or am I missing something? and how long until someone comes up with
>> open source analogue?
>I believe that OpenLDAP is an open source analogue.

AD is not only user/password information, it also allows near total
system control if you want it to be.  For instance the PCs in our
office can't get on the Network unless they have Symantec Antivirus
installed.  If they are members of the Active Directory domain, the
server installs it for them.  No prompts, no questions, no progress bar,
just a slow logon that morning.  We also control the default save path
for all MS products (and anything that reads those reg keys).  The Proxy
server setting in IE.  What software the system is allowed to run (we
ban the execution of known Trojans whenever we see them on the network
so they don't spread).  We can control if/when updates and service packs
are installed (push some fast, wait/test others).  Change local system
account usernames (but not passwords, just network account passwords).
Basically if it's an MS product, we can use AD to control all the
settings if we are so inclined.

The learning process can be kind of rough if you're doing more than
replacing just login permissions.  Since IT are the guinea pigs around
here, we often discover things like "oh I can't install printers
today..."  (or "gee 1/3 our offices just dropped offline for no apparent
reason") when our Network admin tries something new (those are the days
I'm glad I have the token Mac and Linux systems on my desk).  I haven't
done much along the lines of administration/setup, but my understanding
is that if you are setting up a network from scratch it isn't too bad,
at least to handle basic features and all the clients are XP Pro or Win 2K.
If you are trying to convert an operating network the process can be
rather painful and slow.  The really good news is client side setup is a
snap, particularly on new systems (just tell Windows to join the domain,
have a domain username/password and you're done).

I don't expect us to see a complete open source replacement anytime
soon.  My understanding is that OpenLDAP is great for login information
(can even be used to control AD if you're limiting what you do with AD),
but I haven't seen anything approaching AD's far-reaching powers over
PCs.  That level of control is nice around here.  We can control some
things like virus software very aggressively, but others like desktop
configuration and file storage are mostly in the control of users (we
set defaults, but they select final locations/settings).  Some of the
reason I expect it to take a while in the open source world is that so
many open source people don't tend to like it when their systems do
things like install software without asking.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug