The granularity and scale of active directory is a major thing that is keeping linux out of offices, etc...I know you can do a lot with certain tools but nothing comes close as far as I have seen.
The granularity of AD doesn't scale though. I work for a huge bank and trying to get something changed in Group Policy is basically impossible. Making it even the tiniest bit bigger (e.g. adding a single new rule) will slow down every goddamned PC and VM in the entire organization. It adds up to real money lost real fast.
Not only that but some changes to GPOs can break things that you didn't foresee so the general wisdom is, "don't ever change it." Rendering that whole "granularity" argument moot. What good is granularity if you can't even use it?
Also, getting AD to scale to the size required the help of Microsoft. They had to change AD for us many times because the way it replicated certain things just does not scale past around 20,000 desktops (if memory serves). They gave us custom DLLs that run on our DCs to keep things operating reasonably smoothly but their lack of support on non-Windows platforms is a perpetual problem.
If literally every single computer in your company is Windows you'll be fine. However, as soon as you start trying to connect your Linux servers to AD everything starts getting really fucking complicated and troublesome real fast.
Microsoft made a lot of mistakes when they were designing AD but the biggest one was making it intentionally proprietary in so many ways. It prevents us from adopting it more. If AD actually worked with everything we'd be paying Microsoft a lot more in licenses every year.
Aside: Their second biggest mistake with AD was allowing groups to be placed in other groups. This made it so that "simple" administration of your policies and access controls goes from a single lookup to a lookup to the power of n groups. It doesn't scale at all and exponentially increases network traffic and load on domain controllers.
LDAP + Kerberos running on Linux servers doesn't have this problem because it doesn't allow it (intentionally, because it's stupid).
Oh man, I'm thinking about it now and AD just makes me so upset, haha. It's such a poorly engineered product. Don't give it more credit than it's due. It works fine for small organizations but that does not mean it's a good product.
I can see why you'd choose Active Directory on a Windows server over a general LDAP server running Linux. But why can't Linux Workstations interface with a Windows AD server?
I create Computer accounts for Linux servers at work. It works fine. We only have Windows workstations, though. But, I can't see how we couldn't have Linux workstations.
The granularity and scale of active directory is a major thing that is keeping linux out of offices, etc...I know you can do a lot with certain tools but nothing comes close as far as I have seen.
The granularity of AD doesn't scale though. I work for a huge bank and trying to get something changed in Group Policy is basically impossible. Making it even the tiniest bit bigger (e.g. adding a single new rule) will slow down every goddamned PC and VM in the entire organization. It adds up to real money lost real fast.
Not only that but some changes to GPOs can break things that you didn't foresee so the general wisdom is, "don't ever change it." Rendering that whole "granularity" argument moot. What good is granularity if you can't even use it?
Also, getting AD to scale to the size required the help of Microsoft. They had to change AD for us many times because the way it replicated certain things just does not scale past around 20,000 desktops (if memory serves). They gave us custom DLLs that run on our DCs to keep things operating reasonably smoothly but their lack of support on non-Windows platforms is a perpetual problem.
If literally every single computer in your company is Windows you'll be fine. However, as soon as you start trying to connect your Linux servers to AD everything starts getting really fucking complicated and troublesome real fast.
Microsoft made a lot of mistakes when they were designing AD but the biggest one was making it intentionally proprietary in so many ways. It prevents us from adopting it more. If AD actually worked with everything we'd be paying Microsoft a lot more in licenses every year.
Aside: Their second biggest mistake with AD was allowing groups to be placed in other groups. This made it so that "simple" administration of your policies and access controls goes from a single lookup to a lookup to the power of n groups. It doesn't scale at all and exponentially increases network traffic and load on domain controllers.
LDAP + Kerberos running on Linux servers doesn't have this problem because it doesn't allow it (intentionally, because it's stupid).
Oh man, I'm thinking about it now and AD just makes me so upset, haha. It's such a poorly engineered product. Don't give it more credit than it's due. It works fine for small organizations but that does not mean it's a good product.
I can see why you'd choose Active Directory on a Windows server over a general LDAP server running Linux. But why can't Linux Workstations interface with a Windows AD server?
I create Computer accounts for Linux servers at work. It works fine. We only have Windows workstations, though. But, I can't see how we couldn't have Linux workstations.