Comment by esskay

1 day ago

Yeah good on them, everyone needs to do this. It's nuts Windows is still the go-to for anything these days despite everyone knowing what a parasitic, buggy mess it is. "Easy" shouldn't be the excuse in this day and age. Big orgs and especially government entities should be hiring the people that know what they're doing and get off that crummy platform.

> It's nuts Windows is still the go-to for anything these days despite everyone knowing what a parasitic

Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.

Plus you can pay Microsoft to host it all for you on Azure.

  • Imagine what can happen if the French and other governments started pouring all the money into developing that further in the open, rather than just giving it all to Microsoft instead?

    • Most of the cost (to the government) for Windows is "support" (in a very general sense) and that cost isn't disappearing with Linux.

      Especially since it is easier to find badly underpaid (and not particularly competent) Windows sysadmins than it is to find badly underpaid Linux admins.

      7 replies →

    • > Imagine what can happen if the French and other governments started pouring all the money into developing that further in the open

      You'd get a clusterfuck of a consensus spec, then they'd all get pissed off and develop their own incompatible versions anyway?

      Have you seen international projects without strong, centralized leadership?

      2 replies →

    • They'll start pulling Linux in a direction that suits them, which will potentially be at odds with the preferences of open source software enthusiasts.

      1 reply →

  • > Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.

    Enterprise environments use a number of tools like PowerBroker, UCS, Centrify/Delinea etc. to bind Linux machines to Active Directory and manage identity and access through Active Directory. This is for mixed environments with both Windows and Linux machines.

    For pure Linux environments, there are a number of tools like FreeIPA/IdM, Samba AD/DC (for A/D-like management), and OpenText's eDirectory (the current version of Novell's eDirectory, a counterpart to A/D). They all provide centralized user/host/policy/access management.

    Since Entra+Intune are the recent MS products, cloud-based equivalents are Jumpcloud+Fleet, Okta PAM, FreeIPA/IdM.

    • I don't know any of these tools but I believe your comment answers most questions in this thread.

      I really hope some of these answers are ergonomic enough for Windows sysadmins to accommodate this transition.

  • > Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.

    Isn't it about time someone developed one?

    The foundations are there; you can imagine an organization deploying laptops with, say, Ansible, and not giving users root on them. LDAP sort of matches the old capabilities of AD, but not completely. There's even a "SAMBA as fake domain controller" mode.

    Ironically what it needs is a product or service which organizations can pay to take the problem off their hands. But then people get stuck in never paying for anything in the open source world.

    • > Isn't it about time someone developed one?

      Honest question: Why? If you want a Windows-like environment, run Windows.

      I get this all the time when people ask about a Linux equivalent for something, and aren't really satisfied when it doesn't work or look the same. Linux isn't a clone of Windows. Linux comes from an older heritage, and has a unique culture. You are in for a hard time if you want to use Linux like you would use Windows. That's a suboptimal experience, at best.

      That said, of course Linux should be easy to manage. But Windows is from a single corporate entity, of course their management tools will be different. It used to be Unix admins that laughed about people using Windows as servers. The culture around Linux is one of scriptability where even the user interface, the basic shell, is one where every command is inherently a script. That's why management on Linux looks like Ansible and OpenSSH, not like Remote Desktop and Group Policies.

      You could write something like Group Policies for Linux of course, but it wouldn't be a complete solution so people would just continue using Ansible, OpenSSH, and the respective package managers.

      22 replies →

    • Well AD is just a really opinionated LDAP/Kerberos setup, so you’d think that there would be something that Linux could do.

      But when you’re talking about enterprise management of thousands of devices, you need some kind of consistent security policy management. That requires running OS software that accepts remote policy management, which is a very specialized configuration and not just “vanilla Linux”.

      You can get really far with LDAP, but I’ve only used it for remote accounts, file shares, and sudoer config. I’m sure there are more policy configurations that would be possible with a more advanced tool.

      I suspect the RHEL world has something to offer here, but I’d love to see a more general and commonly supported solution developed. It would make Linux more of an option for enterprise managed endpoints.

      But, I agree with you - for an enterprise customer, this really needs to be some kind of paid/supported product. I wouldn’t want the French government to rely on some scripts that worked on my small cluster.

      3 replies →

    • Group policy is an annoying pain. Yes, there aren't many better options out there, but it's not as if group policy is _good_.

  • Yes, liberty comes at a cost. It seems that convenience is no longer the main motivator for many people.

    • Convenience comes as a result of mass market adoption, for products for which convenience was not already the main selling factor. Look at cars; they were kind of difficult to drive and maintain 60 years ago, now they're super convenient to drive and maintain as you essentially just press buttons and look at screens to get all needed information about the car and drive it.

      It's probably something like "inception -> adoption -> convenience". For Windows it was the same, was it not? It wasn't absolutely convenient to use, it was just better (in terms of usability and features for the average consumer), and convenience came after (Windows XP, Windows 7). Sadly the functionality degraded, and now all that is left is convenience.

    • lol "liberty" as if you are fighting to free slaves or something.

      Europe doesn't want to depend on US infrastructure, that's the only reason to do this.

      Nobody cares about Linux "freedom" or open source.

      3 replies →

  • It does, it's called FreeIPA (or RedHat IdM). The only GPO parts it doesn't do are those that are not related to policy in the IAM sense (i.e. configuring some application related thing). There's other systems for that, just like on Windows you practically never run GPO without anything else. On top of that, you can pay RedHat or Canonical to host it all for you on any cloud or non-cloud.

  • The primitives are there and they're solid; beyond that it's "just" architecture and integration work. Hopefully the French government will be rational with this (I believe the time and financial constraints will force it to be, we're broke and we lack time) and they won't fall into the trap of trying to internalize every bit of the platform.

    A good example of that would be what happened with Docker. Off the top of my head cgroups, namespaces, seccomp, overlays and capabilities had been around for a while before it got rolled up in a nice utility in 2013 and open-sourced in 2015. Hence the containerization movement. Solaris zones and FreeBSD jails were nice but they always were, let's say, a bit too bearded.

  • Personal computers were used in office environments long before the technologies to make them administer-able as if they were a mainframe. Before blindly jumping in and reproducing those technologies, better to ask why they emerged in the first place.

    Most workplaces don't have strict bans on personal mobile devices, and some of the ones that do, don't have the kind of physical perimeter defense that can detect people getting lazy about whether or not they carry their personal mobile devices into the workplace. That makes perimeter defense into security theater anyway. We need a rethink about what we are guarding against and how we're doing it.

    • > Most workplaces don't have strict bans on personal mobile devices

      If you're talking about select work apps on your mobile device, sure, but that's limited attack surface.

      If you're talking about employers who let unmanaged mobile devices hop on their internal network... I've never seen that. Maybe at a hypothetically perfect zero-trust shop?

      2 replies →

  • > Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.

    I take your word for it (I know of Kerberos and LDAP and Netscape and Sun trying to make such palatable, but clearly haven't followed that in the last quarter-century).

    That assumes however the server to be currently MS Windows. For government agencies, I'd rather expect some Mainframe to be (and remain) in place. Surely IBM (or here rather Groupe Bull) has user authentication/authorization figured out (more than half a century ago, methinks).

  • I've never understood the management thing. People manage fleets of Linux machines all the time. What does group policy do that e.g. nix or ansible don't?

    • Fuse membership and inheritance-based object (in the sense of 'any computing thing or person') ontology with configurability?

      The insight in AD+GPO wasn't in either thing, but in the +. Each would be far less useful without the other.

    • Group policy just sets registry keys. That's nothing you can't do any other way. The important bit is the inertia of 30 years of Windows subsystems and integration with Active Directory and 3rd party Windows ecosystem software all being written to expose internal config and look to registry keys for the settings.

      For the first part, Group Policy (GPO) can set the screen to lock after 2 minutes of inactivity, say, which works because there are Windows subsystems built to look for a reg key for their config, and policy templates exposing that config in the GUI management tools. Or group policy configures which security group can "logon as a service" which works because Windows has system-wide and domain-wide pervasive Access Control Lists (ACLs). GPO configures that Background Intelligent Transfer Service (BITS) should limit its bandwidth use, which works because Windows Updates use BITS. Or sets the machine-wide SSL cipher order, because Windows software uses system-wide schannel not OpenSSL. Or GPO sets what your default printer will be and that's only useful because decades of 3rd party Windows software was written to use the standard Windows printer dialog, or User Documents path, or whatever.

      For the second part, Active Directory is a tree-shaped organization tool; in screenshot[5] that I quickly Googled, the tree on the left has a folder named "Sydney" and below that "Sydney Users"; this lets sysadmins organise the company computer accounts, user accounts, and security groups by whatever hierarchy makes sense for that company - e.g. by country, office, team, department, building floor, etc. Then Group Policy overlays on that structure, and the policies are composable.

      e.g. in this basic screenshot of the group policy management GUI[6] it's showing at the bottom a list of all group policy configurations that have been made in a domain such as "Block PowerShell", and higher up it shows the policy "PsExec Allow" has been linked inside the "ADPRO Computers" folder. So users and computers in that folder in AD will get those policies applied. In screenshot[7] you can see a basic example showing corporate computers getting machine-wide settings, corporate users getting user-level MS Office config, and Executives getting settings that nobody else gets. (This echoes the registry having separate HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER subtrees). Screenshot[8] shows the relatively tidy GUI on the right for seeing which settings have been configured in a policy.

      If you apply more than one GPO to a folder, the users/computers will get all the policy settings combined. This is often what people complain about when logging on to a corporate Windows machine takes ages, btw. You can filter GPOs on a case-by-case basis to build patterns like "apply this machine-wide policy to all computers in the Sydney folder which are members of the WarehouseComputer security group" or "apply these logon-settings to employees in New York who are members of Finance and logging onto a laptop". So companies which have been around for years can have really (messy) big and intricate designs which would be a lot of work to migrate.

      3rd party programs can release XML files which plug into the GPO management, and the programs were written to expect to be configured by registry keys so they can pick up those settings; there are templates for configuring Firefox[1], Chrome[2], Adobe Acrobat[3], Word, Excel, Office[4], VMware Horizon, Lenovo Dock Manager, Zoom, RealVNC, LibreOffice, Citrix, Foxit Reader, and so on. The more enterprisey a tool is, the more likely it will plug into that ecosystem. Then all kinds of 3rd party reporting and auditing tools look there to see if your company is compliant with this or that; the whole thing is integrated with Windows' domain-wide ACLs so you can give some admins permissions to view or edit just their regional subset of this.

      As usual the lockin is not that they do something amazing that nothing else can do, the lockin is that Windows domains have been around in this format for 30 years since NT4 and Windows 2000, and it has huge inertia, familiarity, is deeply embedded in a lot of companies, you can easily and cheaply hire lots of people who know how to use and manage it, you can send screenshots of it to auditors and they understand it, if you don't know how but you have a bit of (oldschool) Windows experience then clicking around will get you the basics, you can buy 3rd party auditing software that will send you a management friendly report with green ticks saying almost everything is fine but you should change this setting for security...

      [Yes of course you can build your own custom replacement for every single thing, just like you can build your own custom replacement for any software; it's "just" ldap and kerberos and dns and some scripts and site-to-site policy replication and management tools und und und].

      [1] https://support.mozilla.org/en-US/kb/customizing-firefox-usi...

      [2] https://support.google.com/chrome/a/answer/187202?hl=en

      [3] https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDe...

      [4] https://www.microsoft.com/en-us/download/details.aspx?id=490...

      [5] https://www.windows-active-directory.com/wp-content/uploads/...

      [6] https://activedirectorypro.com/wp-content/uploads/2022/09/gp...

      [7] https://www.varonis.com/hs-fs/hubfs/blog%20posts/Group%20Pol...

      [8] https://redmondmag.com/articles/2016/01/12/~/media/ecg/redmo...
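      As an added illustration (not code from the comment above, and not Microsoft's implementation), a small Python model of the composition the comment describes: policies linked to containers in a tree, inherited downward, filtered by security-group membership, and merged into one effective settings set, plus the reverse lookup an auditor wants ("which machines end up with this policy?"). The container names, group names, setting keys and the "a link closer to the object overrides one higher up" precedence rule are all constructed assumptions of this model.

```python
"""Toy model of Group Policy composition over an Active Directory-style tree.

Constructed illustration only. Objects (users/computers) live in a tree of
containers; policies are linked to containers; an object receives every
policy linked on the path from the root down to its own container, subject
to an optional security-group filter, and the settings are merged.
Assumed precedence rule: a policy linked closer to the object overrides the
same setting from a policy linked higher up (later link order also wins).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Path = Tuple[str, ...]


@dataclass
class Policy:
    name: str
    settings: Dict[str, object]
    filter_group: Optional[str] = None   # apply only to members of this group


@dataclass
class Obj:
    name: str
    path: Path                            # container path from the root
    groups: frozenset = field(default_factory=frozenset)


def resolve(obj: Obj, links: Dict[Path, List[Policy]]) -> Tuple[Dict[str, object], List[str]]:
    """Return (effective settings, names of policies applied, in order)."""
    effective: Dict[str, object] = {}
    applied: List[str] = []
    # Walk root -> leaf so deeper links overwrite shallower ones on conflict.
    for depth in range(1, len(obj.path) + 1):
        container = obj.path[:depth]
        for pol in links.get(container, []):
            if pol.filter_group and pol.filter_group not in obj.groups:
                continue                  # security-group filtering
            effective.update(pol.settings)
            applied.append(pol.name)
    return effective, applied


def who_gets(policy_name: str, objs: List[Obj], links: Dict[Path, List[Policy]]) -> List[str]:
    """Audit helper: names of objects whose effective policy set includes policy_name."""
    return [o.name for o in objs if policy_name in resolve(o, links)[1]]


# --- constructed sample domain -------------------------------------------
CORP: Path = ("corp",)
SYDNEY: Path = ("corp", "Sydney")
WAREHOUSE: Path = ("corp", "Sydney", "Warehouse Computers")

LINKS: Dict[Path, List[Policy]] = {
    CORP: [Policy("Corp Baseline",
                  {"screen_lock_minutes": 15, "block_powershell": True})],
    SYDNEY: [Policy("Sydney Lock", {"screen_lock_minutes": 2})],
    WAREHOUSE: [Policy("Warehouse BITS", {"bits_max_kbps": 512},
                       filter_group="WarehouseComputers")],
}

WAREHOUSE_PC = Obj("SYD-WH-01", WAREHOUSE, frozenset({"WarehouseComputers"}))
KIOSK_PC = Obj("SYD-WH-KIOSK", WAREHOUSE)          # same OU, not in the group
OFFICE_PC = Obj("SYD-OFF-07", SYDNEY)
ALL_OBJS = [WAREHOUSE_PC, KIOSK_PC, OFFICE_PC]


if __name__ == "__main__":
    for o in ALL_OBJS:
        eff, applied = resolve(o, LINKS)
        print(f"{o.name}: {eff}  via {applied}")
    print("Warehouse BITS reaches:", who_gets("Warehouse BITS", ALL_OBJS, LINKS))
```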

  • > Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.

    I am sure that's something the Gnome Foundation could figure out if they had a grant to do so.

    • Putting it in the hands of the GNOME Foundation will just result in a lot of new soon-to-be-mandatory APIs and numerous configuration variables with only one allowed value.

  • Must be the only nice and cohesive parts left. Perhaps they have not figured out how to put ads on AI on it because it doesn't have many users.

  • No non-US government should host anything on Azure, or any other US-owned cloud. That's security and sovereignty 101, or more like 100. Reality with a hostile US being as it is.

    What you list are no showstoppers, and since it's a well known topic I can't imagine why some EU-funded effort of say 2 billion over the next 3-5 years shouldn't resolve it once and for all, for the entire world. Well invested money.

  • This is actually a good time to disrupt that, as Microsoft’s attention is not on windows and Active Directory is slowly moving to Entra, although big enterprises are mostly hybrid.

    Some places are using Okta for many of those functions too. Trump’s instinctive parasitic slumlord behavior may be enough for the sleepy Europeans to get their shit together.

  • that's the catch with gp/ad. for a lot of orgs the hard part is intune/entra now. swapping the desktop is easy. replacing identity and device management is the real migration

    • Doesn't the Azure team own Intune/Entra now? Read: less inclined to give a fuck about artificially protecting Windows desktop.

      I've no idea what current internal Microsoft org divisions are.

  • Group Policy and Active Directory are dead, for all intents and purposes.

    It's now Intune (via OMA-DM), and Entra. Both of those products are about as bad as you might imagine the "cloud" versions of GP & AD might be.

    They are better, in ways -- no longer having to care and feed for domain controllers is nice, and there's no longer an overhead for additive policy processing, so endpoints only get a single set of policy and log on much quicker -- but for the most part, enterprise management of Windows devices is in a worse place than it was ten years ago.

    Try to figure out how long it will take an online Intune device to discover a new policy: As far as I can tell the answer is "eventually". There are bandaids for this, because of how infuriating it is, of course, but all time guarantees are basically gone.

    Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

    The answer now is not simple.

    • > Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

      That was also the answer two decades ago. But if AD and GPO are now dead, what killed them and what are the options? Is the problem mobile and BYOD?

      I’ve been primarily on Macs since that time where endpoint management isn’t much, so there are fewer knobs to fiddle with. In some ways it’s nice in that admins can’t screw around too much with my system. In other ways, I’m sure Macs feel limiting for those in charge of enterprise security. However, most endpoint management feels like it’s written for Windows with Macs as an afterthought for checklist security. Knowing that, I’m happy there are fewer places for dodgy software to be able to interface with the OS.

      (Edit: added quote to top)

      6 replies →

    • What about offline? To my knowledge Entra and Intune do not work without an actual internet connection.

  • Even the old companies have moved away from that nonsense. Huge waste of resources.

  • Honestly as wide spread as it is, managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code.

    Linux has a lot of the pieces but is principally lacking a solid distribution system - in particular a big missing component is the network-based SELinux policy distribution system which you can see some hooks in for the concept of a "policy server" which never eventuated.

    SELinux would be a lot more viable if it had a solid way to federate and distribute policy and has some nice features in that regard (i.e. the notion that networked systems can exchange policy tags to preserve tagging across network connections).

    • > managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code

      Imho, this was historically (and continues to be) Microsoft's Achilles heel.

      Large parts of the company reflexively wrote features / tooling as manual-first, code-second (or never).

      In hindsight, what was missing was a Gates-level memo circa 2000 similar to Amazon's API one: all teams are required to build their configurators to be programmatically exposed.

      Unfortunately, I don't think Ballmer was enough of a technologist (and was likely too distracted) to intuit that path not taken.

I am skeptical that there are such "people that know what they are doing", nor would I trust such claims. But with a little twist I think I could get on board with the idea of "people who aim for an analytical and open approach and reports". Thus opening the decision making to post analysis and future improvements, so a research body of knowledge would eventually turn the tide.

I haven't installed or used Windows much for the last decade, but still I'm a bit ashamed that each time I install Linux on some computer I leave the existing Windows drive untouched and available for backup in case I need it for some reason.

Problem is that people like having a similar interface for both work and non-work things, and Linux doesn’t have enough penetration into the consumer market to influence stakeholders. The first step is making Linux the default choice for hardware providers. Framework was one of those pioneering this but was underfunded imo

  • The first step is making Linux the default choice for schools, the rest will take care of itself in 10-20 years

  • I don’t think a lot of people still go home and use their computer for stuff. Most of my family will either rely on a phone or tablet to get anything done at home.

    I doubt they'd care about which OS they're on. Corporate tightens their laptops beyond belief, so all they're really running is Teams and Excel. This seems to be the case for a lot of friends I talk to, no one gives a damn about Windows anymore. Heck, my sister-in-law moved to Ubuntu of her own choice, despite having low tech literacy.

> "Easy" shouldn't be the excuse in this day and age.

I think "Easy" has been the excuse for everything humans do in every day and age.

The money governments sink into Microsoft could have funded a sovereign OSS ecosystem many times over.

It makes sense that everyone uses Windows for gaming, because you can't run games in your browser.

It makes zero sense for businesses to use Windows if they're only doing PowerPoint and video conferences.

  • This comment was wildly invalid even years ago.

    See proton, heroic launcher, etc, etc.

    Cyberpunk's own benchmarking suite runs 30% faster (for whatever reason; my Wintendo install is stock and nothing but Nvidia drivers) on the NTFS Windows partition on Arch.

  • No it makes no sense at all. I do my gaming on Arch.

    Windows sucks and I hope to see the demise of Microsoft during my lifetime (crosses fingers).

    • Most of their revenue is tied to other stuff though

      1. Productivity / Business (~43%)

      Includes:

      • Microsoft 365 (Office, Teams) - these can likely be ported to Linux if they're not already, since they also work on macOS?
      • LinkedIn
      • Dynamics (ERP/CRM)

      ~$120.8B

      2. Cloud (~38%)

      Includes:

      • Azure (runs mostly on Linux, and moving cloud provider as a big corp is expensive; I don't see massive companies stuck in Azure infra moving from it)
      • Server products (Windows Server, SQL Server, etc.)

      ~$106.3B

      I fully support the demise of Windows as an OS

      But microsoft as a company has shifted away from Windows as their source of revenue, and will probably not be impacted too badly if it were to die completely.

      4 replies →

  • Actually, it's the exact opposite. There is really no alternative to PowerPoint on Linux, unfortunately. I'm saying this as someone who's used Linux for 20 years now.

    • Probably just a matter of time, it’s possible the friction will create opportunities. Something in the spirit of iaPresenter, md first would be awesome.

      At the moment I have a long HTML page with key events for next and previous, and a tiny script that checks for specific markup for autoscroll.

    • Huh? There's a ton of PowerPoint alternatives that work on Linux. LibreOffice, OnlyOffice, Collabora Office, Calligra Stage, Google Slides, the online version of PowerPoint, more techy things like LaTeX Beamer or Reveal.js. Maybe these don't have perfect PowerPoint compatibility, or some niche PowerPoint feature you need but there's plenty of slide deck making options that work on Linux.

      5 replies →

    • LibreOffice Impress does all the things that PowerPoint is used for at my workplace.

      I'm guessing it's not compatible with Teams and that MS make sure it doesn't work properly with LO produced PPT files.

    • If there’s no alternative to PowerPoint, that should be treated as a plus, not as a problem.

  • My Linux computer now is my main gaming machine. I purged my Windows partition a couple of years ago and haven't had the need to look back yet.

  • 1. total abandonment of desktop as a platform, and the massive hurdles to distribute desktop software

    2. move to Cloud and use electron wrappers because not even MS can bother making native apps on their shitty platform

    3. Make Windows so shit that even hardcore power users can’t debloat it.

    The moat of Windows is gone. Games, office work, all the classic arguments, have basically vanished in the last 5-10 years. The only surprise is why more people don’t get in the life rafts, when the ship is listing at 45 degrees. Is it because there’s still an army of workers and institutional inertia trained in Active Directory?

    • 4. putting Mac users in charge of the UI who are genuinely incapable of understanding how they are breaking continuity.

      That's like staffing a neurosurgery department with dentists. Or a dental clinic with neurosurgeons, it does not matter, you can have decades of experience working with a drill in the head area and still be the wrong person for the job.

      1 reply →

    • > Is it because there’s still an army of workers and institutional inertia trained in Active Directory?

      Yes, that is a huge driver of inertia. I've had to battle that in so many different companies now, and it is absolutely aggravating. That on top of comments about how Linux sucks from someone who either has never used it, or has only used it on a server and thinks that is all Linux has to offer, are absolutely soul destroying.

    • Most consumers are primarily on mobile devices.

      Windows persists in the workplace where the cost to replace it is significantly higher than keeping it, and keeping it doesn't cost much to begin with. Part of that cost would be training, yes.

      The other part is finding compliant equivalents for the rest of the software they use. If the MFA, VPN, chat, email, etc. are all already vetted and designed to be compatible, there's no way they'd want to switch. Many policies regarding proprietary information disclosure are also built off this ecosystem and the certifications Microsoft's cloud already has.

  • It's almost like Microsoft might be offering something on top of businesses using Windows, that isn't as commonly available for other platforms.

    Or businesses are just clueless face-less entities who have no idea what they're doing. Probably the truth is a little bit of both.

    • What Microsoft offers is having only one contact / contract for a huge fraction of the IT needs of a company, so I can understand it solves some headaches vs building stuff from many bricks with as many contracts.

    • Microsoft offers ease of integration, in exchange for your company to be locked in forever in their domain.

    • They offer a full ecosystem where everything integrates with everything else, especially the central pillar of identity. But you will pay for that in more ways than just money or lockin. If you work with their solutions, the more you dig into them with the help of MS people, the scarier it gets. So many "holy cow" moments.

      Businesses choose it because it works with what they already have, the existing tools, processes, skills and because Microsoft was always a safe choice by virtue of being almost implicit. They choose Microsoft because they're already deep into Microsoft, it's the option carrying the lowest risk and lowest short term cost.

      Switching to Linux is complex, expensive and risky. The transition is long and expensive, plagued with teething issues, your MS focused knowledge is redundant, the patience of your sponsor can run out before the move delivers anything of impact. Who wants to take such risks when they can just not rock the boat and call it a day?

  • The vast majority of my Steam library runs on Mint without issues (and some older games run actually smoother on Linux than they did on Windows).

    Not to mention my very large emulation library.

    I have no idea what you are talking about.