Comment by ChocolateGod
1 day ago
> It's nuts Windows is still the go-to for anything these days despite everyone knowing what a parasitic
Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.
Plus you can pay Microsoft to host it all for you on Azure.
Imagine what could happen if the French and other governments started pouring all the money into developing that further in the open, rather than just giving it all to Microsoft?
Most of the cost (to the government) for Windows is "support" (in a very general sense) and that cost isn't disappearing with Linux.
Especially since it is easier to find badly underpaid (and not particularly competent) Windows sysadmins than it is to find badly underpaid Linux admins.
Ok but the license fees are, what, 50 quid? times say, 3k or 30k people? A 150k or 1.5m injection into the linux ecosystem to develop those would pay for a _lot_ of developers and a _lot_ of developer time.
I don't think that cost is what is mostly driving the move from Windows nowadays.
Are you implying that need for support would go away?
If anything the demand would be artificially high at the start of a mass migration, and then presumably level out to something similar to what we see today with Windows.
This is basically RHEL's entire business model.
> Imagine what could happen if the French and other governments started pouring all the money into developing that further in the open
You'd get a clusterfuck of a consensus spec, then they'd all get pissed off and develop their own incompatible versions anyway?
Have you seen international projects without strong, centralized leadership?
I have worked on things like PSD2, a well oiled government-led machine that just works. There are some dysfunctional things, then there are things working perfectly fine.
You need to update your notes; it's not the 90s.
They'll start pulling Linux in a direction that suits them, which will potentially be at odds with the preferences of open source software enthusiasts.
They might have an effect in the development of an office suite, possibly of a desktop environment or one specialized Linux distribution. Nobody will be forced to use those specific ones if they don't like them. There are plenty of options in the Linux world.
Why haven’t they done it yet? I just think they’re incentivized enough for it.
Because until literally a year ago, the country that hosted Microsoft was one of France's most trusted allies.
It takes time to find a suitable replacement to a global monopoly.
> yet
Best time to start doing it was yesterday. Second best time to start doing it is now. They are at the "now" step.
If governments, especially France, get involved in software development the likely outcome is that people will soon regret the days of Microsoft...
The so called free market really did a bang up job didn't it? The proprietary buggy mess of Windows and the walled garden of MacOS which given its *nix underpinnings could have been really fantastically awesome but instead is a proprietary buggy mess.
> Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.
Enterprise environments use a number of tools like PowerBroker, UCS, Centrify/Delinea etc. to bind Linux machines to Active Directory and manage identity and access through Active Directory. This is for mixed environments with both Windows and Linux machines.
For pure Linux environments, there are a number of tools like FreeIPA/IdM, Samba AD/DC (for AD-like management), and OpenText's eDirectory (the current version of Novell's eDirectory, the counterpart to AD). They all provide centralized user/host/policy/access management.
Since Entra+Intune are the recent MS products, cloud-based equivalents are Jumpcloud+Fleet, Okta PAM, FreeIPA/IdM.
I don't know any of these tools but I believe your comment answers most questions in this thread.
I really hope some of these answers are ergonomic enough for Windows sysadmins to accommodate this transition.
> Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.
Isn't it about time someone developed one?
The foundations are there; you can imagine an organization deploying laptops with, say, Ansible, and not giving users root on them. LDAP sort of matches the old capabilities of AD, but not completely. There's even a "SAMBA as fake domain controller" mode.
Ironically what it needs is a product or service which organizations can pay to take the problem off their hands. But then people get stuck in never paying for anything in the open source world.
> Isn't it about time someone developed one?
Honest question: Why? If you want a Windows-like environment, run Windows.
I get this all the time when people ask about a Linux equivalent for something, and aren't really satisfied when it doesn't work or look the same. Linux isn't a clone of Windows. Linux comes from an older heritage, and has a unique culture. You are in for a hard time if you want to use Linux like you would use Windows. That's a suboptimal experience, at best.
That said, of course Linux should be easy to manage. But Windows is from a single corporate entity, of course their management tools will be different. It used to be unix admins that laughed about people using Windows as servers. The culture around Linux is one of scriptability, where even the user interface, the basic shell, is one where every command is inherently a script. That's why management on Linux looks like Ansible and OpenSSH, not like Remote Desktop and Group Policies.
You could write something like Group Policies for Linux of course, but it wouldn't be a complete solution so people would just continue using Ansible, OpenSSH, and the respective package managers.
> If you want a Windows-like environment, run Windows.
One of these questions where we, those doing the discourse, need to pick apart what the word "you" refers to here.
In this context, it is national governments, who have started to fear that there may come a day when they are not allowed to or able to or safe to run Windows. That gives rise to the question, "how can we get a system that minimizes the disruption of migrating away from Windows?"
Ultimately it's not about specifically wanting AD or GP as technologies, either, but the things they enable: seamless single-sign-on across an organization, and management of software security and updates across a fleet of desktops.
(possibly the thing that fills this hole is simply a fleet of consultants which go around explaining things to CIOs!)
> Honest question: Why?
Because it works really well for a corporate environment where you require central management for your devices. Yes, the environments of Linux and Windows are different as you said, and unfortunately that means one will generally be better than the other within certain contexts. The corporate workstation use case is a gigantic one that Windows is currently dominating in, and this is terrible for Linux adoption because it means to get a job at a place that uses Windows you are incentivized to use it yourself so you can learn it. It also means that schools (which are often run like businesses internally) are way more likely to use it, so new students that are just learning how to use a computer are coming up on Windows.
Linux is indeed very different from Windows and that's fine, that isn't a problem at all and it has plenty of upsides. What should be clear is that this particular use case is a remarkable downside for Linux, and the mass adoption of Windows in the majority of businesses should make that self evident. Realistically Linux can and absolutely is used in business contexts in the same way as Windows (hence why France is going ahead with it), but it isn't as optimized for it as Windows is, when it totally could be. Macs have had some robust management platforms made for them that I've found pretty similar to AD for example. If someone developed a straight out AD clone for Linux that functioned more or less the same on the front-end it would be huge for Linux adoption in my opinion. Hopefully that answers your question.
What's the Linux version of AD and group policies? (honestly curious; linux sysadmin at scale not my day job)
Well AD is just a really opinionated LDAP/Kerberos setup, so you’d think that there would be something that Linux could do.
But when you’re talking about enterprise management of thousands of devices, you need some kind of consistent security policy management. That requires running OS software that accepts remote policy management, which is a very specialized configuration and not just “vanilla Linux”.
You can get really far with LDAP, but I’ve only used it for remote accounts, file shares, and sudoer config. I’m sure there are more policy configurations that would be possible with a more advanced tool.
I suspect the RHEL world has something to offer here, but I’d love to see a more general and commonly supported solution developed. It would make Linux more of an option for enterprise managed endpoints.
But, I agree with you - for an enterprise customer, this really needs to be some kind of paid/supported product. I wouldn’t want the French government to rely on some scripts that worked on my small cluster.
Windows uses Group Policy (which isn't particularly secure for many reasons) while Linux uses configuration files (e.g. udev, AppArmor, stuff in /etc like fstab) in conjunction with file permissions. However, you can go way farther by compiling your own kernel that has certain functionality removed (e.g. USB mass storage).
Managing lots of configuration files/scripts across many thousands of servers, desktops, devices, etc is a long-solved problem. Most enterprises use Ansible or similar.
In almost every way, managing many thousands of Linux desktops is much simpler and more straightforward than Windows. If you're using Ansible playbooks, you can keep everything nice and tidy in a single place and everything you'd ever want to customize is managed via a plaintext file you can modify with your editor of choice.
You can organize them however you want or even use a GUI to change stuff (if you pay for Ansible Enterprise or whatever it's called... Or use one of the FOSS alternatives).
Managing Linux desktops at scale really isn't much different than managing Linux servers at scale.
> That requires running OS software that accepts remote policy management
Every Linux system that supports SSH potentially "accepts" remote management! The challenge is just putting it into a framework.
Group policy is an annoying pain. Yes, there aren't many better options out there, but it's not as if group policy is _good_.
Yes, liberty comes at a cost. It seems that convenience is no longer the main motivator for many people.
Convenience comes as a result of mass market adoption, for products for which convenience was not already the main selling factor. Look at cars; they were kind of difficult to drive and maintain 60 years ago, now they're super convenient to drive and maintain as you essentially just press buttons and look at screens to get all needed information about the car and drive it.
It's probably something like "inception -> adoption -> convenience". For Windows it was the same, was it not? It wasn't absolutely convenient to use, it was just better (in terms of usability and features for the average consumer), and convenience came after (Windows XP, Windows 7). Sadly the functionality degraded, and now all that is left is convenience.
lol "liberty" as if you are fighting to free slaves or something.
Europe doesn't want to depend on US infrastructure, that's the only reason to do this.
Nobody cares about Linux "freedom" or open source.
Freedom from suddenly being cut off is potentially important.
If you don’t depend on someone that’s freedom.
If your email was forcefully terminated would you call that an infringement on your freedoms.
It does, it's called FreeIPA (or RedHat IdM). The only GPO parts it doesn't do are those that are not related to policy in the IAM sense (i.e. configuring some application related thing). There's other systems for that, just like on Windows you practically never run GPO without anything else. On top of that, you can pay RedHat or Canonical to host it all for you on any cloud or non-cloud.
The primitives are there and they're solid, beyond that it's "just" architecture and integration work. Hopefully the French government will be rational with this (I believe the time and financial constraints will force it to be, we're broke and we lack time) and they won't fall into the trap of trying to internalize every bit of the platform.
A good example of that would be what happened with Docker. Off the top of my head cgroups, namespaces, seccomp, overlays and capabilities had been around for a while before it got rolled up in a nice utility in 2013 and open-sourced in 2015. Hence the containerization movement. Solaris zones and FreeBSD jails were nice but they always were let's say a bit too bearded.
Personal computers were used in office environments long before the technologies to make them administer-able as if they were a mainframe. Before blindly jumping in and reproducing those technologies, better to ask why they emerged in the first place.
Most workplaces don't have strict bans on personal mobile devices, and some of the ones that do, don't have the kind of physical perimeter defense that can detect people getting lazy about whether or not they carry their personal mobile devices into the workplace. That makes perimeter defense into security theater anyway. We need a rethink about what we are guarding against and how we're doing it.
> Most workplaces don't have strict bans on personal mobile devices
If you're talking about select work apps on your mobile device, sure, but that's limited attack surface.
If you're talking about employers who let unmanaged mobile devices hop on their internal network... I've never seen that. Maybe at a hypothetically perfect zero-trust shop?
I've seen a lot of un-seriousness about security. One that's easy to spot is old unpatched IP phones that aren't segregated on the network. I've given demos at companies that are serious, where a device I accidentally left behind caused an urgent search of every room I had been in. Security didn't have to be told which rooms those were.
> Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.
I take your word for it (I know of Kerberos and LDAP and Netscape and Sun trying to make such palatable, but clearly haven't followed that in the last quarter-century).
That assumes however the server to be currently MS Windows. For government agencies, I'd rather expect some Mainframe to be (and remain) in place. Surely IBM (or here rather Groupe Bull) has user authentication/authorization figured out (more than half a century ago, methinks).
I've never understood the management thing. People manage fleets of Linux machines all the time. What does group policy do that e.g. nix or ansible don't?
Fuse membership and inheritance-based object (in the sense of 'any computing thing or person') ontology with configurability?
The insight in AD+GPO wasn't in either thing, but in the +. Each would be far less useful without the other.
Group policy just sets registry keys. That's nothing you can't do any other way. The important bit is the inertia of 30 years of Windows subsystems and integration with Active Directory and 3rd party Windows ecosystem software all being written to expose internal config and look to registry keys for the settings.
For the first part, Group Policy (GPO) can set the screen to lock after 2 minutes of inactivity, say, which works because there are Windows subsystems built to look for a reg key for their config, and policy templates exposing that config in the GUI management tools. Or group policy configures which security group can "logon as a service" which works because Windows has system-wide and domain-wide pervasive Access Control Lists (ACLs). GPO configures that Background Intelligent Transfer Service (BITS) should limit its bandwidth use, which works because Windows Updates use BITS. Or sets the machine-wide SSL cipher order, because Windows software uses system-wide schannel not OpenSSL. Or GPO sets what your default printer will be and that's only useful because decades of 3rd party Windows software was written to use the standard Windows printer dialog, or User Documents path, or whatever.
For the second part, Active Directory is a tree-shaped organization tool; in screenshot[5] that I quickly Googled, the tree on the left has a folder named "Sydney" and below that "Sydney Users"; this lets sysadmins organise the company computer accounts, user accounts, and security groups by whatever hierarchy makes sense for that company - e.g. by country, office, team, department, building floor, etc. Then Group Policy overlays on that structure, and the policies are composable.
e.g. in this basic screenshot of the group policy management GUI[6] it's showing at the bottom a list of all group policy configurations that have been made in a domain such as "Block PowerShell", and higher up it shows the policy "PsExec Allow" has been linked inside the "ADPRO Computers" folder. So users and computers in that folder in AD will get those policies applied. In screenshot[7] you can see a basic example showing corporate computers getting machine-wide settings, corporate users getting user-level MS Office config, and Executives getting settings that nobody else gets. (This echoes the registry having separate HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER subtrees). Screenshot[8] shows the relatively tidy GUI on the right for seeing which settings have been configured in a policy.
If you apply more than one GPO to a folder, the users/computers will get all the policy settings combined. This is often what people complain about when logging on to a corporate Windows machine takes ages, btw. You can filter GPOs on a case-by-case basis to build patterns like "apply this machine-wide policy to all computers in the Sydney folder which are members of the WarehouseComputer security group" or "apply these logon settings to employees in New York who are members of Finance and logging onto a laptop". So companies which have been around for years can have really big (messy) and intricate designs which would be a lot of work to migrate.
3rd party programs can release XML files which plug into the GPO management, and the programs were written to expect to be configured by registry keys so they can pick up those settings; there are templates for configuring Firefox[1], Chrome[2], Adobe Acrobat[3], Word, Excel, Office[4], VMware Horizon, Lenovo Dock Manager, Zoom, RealVNC, LibreOffice, Citrix, Foxit Reader, and so on. The more enterprisey a tool is, the more likely it will plug into that ecosystem. Then all kinds of 3rd party reporting and auditing tools look there to see if your company is compliant with this or that; the whole thing is integrated with Windows' domain-wide ACLs so you can give some admins permissions to view or edit just their regional subset of this.
As usual the lockin is not that they do something amazing that nothing else can do, the lockin is that Windows domains have been around in this format for 30 years since NT4 and Windows 2000, and it has huge inertia, familiarity, is deeply embedded in a lot of companies, you can easily and cheaply hire lots of people who know how to use and manage it, you can send screenshots of it to auditors and they understand it, if you don't know how but you have a bit of (oldschool) Windows experience then clicking around will get you the basics, you can buy 3rd party auditing software that will send you a management friendly report with green ticks saying almost everything is fine but you should change this setting for security...
[Yes of course you can build your own custom replacement for every single thing, just like you can build your own custom replacement for any software; it's "just" LDAP and Kerberos and DNS and some scripts and site-to-site policy replication and management tools and so on and so on].
[1] https://support.mozilla.org/en-US/kb/customizing-firefox-usi...
[2] https://support.google.com/chrome/a/answer/187202?hl=en
[3] https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDe...
[4] https://www.microsoft.com/en-us/download/details.aspx?id=490...
[5] https://www.windows-active-directory.com/wp-content/uploads/...
[6] https://activedirectorypro.com/wp-content/uploads/2022/09/gp...
[7] https://www.varonis.com/hs-fs/hubfs/blog%20posts/Group%20Pol...
[8] https://redmondmag.com/articles/2016/01/12/~/media/ecg/redmo...
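The composability described in the comment above (an OU tree, GPOs linked at different levels, settings merged, security-group filtering) is easier to see as a small resolver. The following is an added example, not code from the thread or from Microsoft: it models a domain as a tree of OUs with GPO links and computes the resultant settings for an object in a given OU. The tree, the GPO names and the setting keys (plain strings standing in for registry paths) are all made up. The precedence rules it encodes are the standard ones: the domain is processed first, then each OU down to the object's own OU, so a later (closer) link wins on a conflicting key; within one container, link order 1 is applied last and wins; a link marked Enforced is applied after everything else, parent over child, and survives Block Inheritance, which otherwise discards every non-enforced link from ancestor containers.

```python
"""Resolver for the resultant set of policy on a toy AD OU tree.

Added example (not from the thread). Everything here is hypothetical:
OU names, GPO names and the string keys that stand in for registry paths.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                         # key -> value, e.g. "ScreenSaver/TimeoutSeconds"
    filter_groups: frozenset = frozenset()  # security filtering; empty = everyone

    def applies_to(self, groups: frozenset) -> bool:
        return not self.filter_groups or bool(self.filter_groups & groups)


@dataclass
class Link:
    gpo: GPO
    order: int            # link order within the container; 1 = highest precedence
    enforced: bool = False


@dataclass
class OU:
    name: str
    parent: Optional["OU"] = None
    block_inheritance: bool = False
    links: list = field(default_factory=list)

    def link(self, gpo: GPO, order: int, enforced: bool = False) -> "OU":
        self.links.append(Link(gpo, order, enforced))
        return self


def _container_order(container: OU):
    # Higher link-order numbers are applied first so that link order 1 lands last and wins.
    return sorted(container.links, key=lambda l: l.order, reverse=True)


def resolve(ou: OU, groups=frozenset()):
    """Return (settings, source) for an object that sits in `ou`.

    `source` records which GPO supplied each final value, the way an RSoP
    report does; `groups` is the set of security groups the object belongs to.
    """
    chain, node = [], ou
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                                   # domain root first, object's OU last

    # Block Inheritance on an OU discards non-enforced links from every ancestor.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    apply_order = []
    for i, c in enumerate(chain):                     # normal links, root -> leaf
        apply_order += [l for l in _container_order(c) if not l.enforced and i >= cutoff]
    for c in reversed(chain):                         # enforced links, leaf -> root: the root's win
        apply_order += [l for l in _container_order(c) if l.enforced]

    settings, source = {}, {}
    for link in apply_order:
        if not link.gpo.applies_to(frozenset(groups)):
            continue
        for key, value in link.gpo.settings.items():  # later application overwrites earlier
            settings[key] = value
            source[key] = link.gpo.name
    return settings, source


def sample_tree():
    """Constructed example domain; every name and key is hypothetical."""
    baseline = GPO("Corp Baseline", {"ScreenSaver/TimeoutSeconds": 900})
    defaults = GPO("Corp Defaults", {"Printers/Default": "HQ-PRN-01", "BITS/MaxKbps": 512})
    finance = GPO("Finance Logon", {"Office/TrustedLocation": r"\\fin\macros"},
                  filter_groups=frozenset({"Finance"}))
    sydney_prn = GPO("Sydney Printer", {"Printers/Default": "SYD-FLOOR2"})
    kiosk = GPO("Warehouse Kiosk", {"ScreenSaver/TimeoutSeconds": 0,
                                    "Printers/Default": "SYD-DOCK"})

    domain = OU("corp.example").link(baseline, 1, enforced=True).link(defaults, 2).link(finance, 3)
    sydney = OU("Sydney", domain).link(sydney_prn, 1)
    warehouse = OU("Sydney Warehouse", sydney, block_inheritance=True).link(kiosk, 1)
    return {"domain": domain, "sydney": sydney, "warehouse": warehouse}


if __name__ == "__main__":
    tree = sample_tree()
    for name in ("sydney", "warehouse"):
        resolved, src = resolve(tree[name], {"Finance"})
        for key in sorted(resolved):
            print(f"{name:10} {key:28} = {str(resolved[key]):14} (from {src[key]})")
```

Running it shows the three behaviours the comment describes: a Finance user in the Sydney OU gets the domain-level Finance settings plus the Sydney printer overriding the corporate default, while a machine in the Sydney Warehouse OU (Block Inheritance) loses the corporate defaults and the Finance settings, keeps its own kiosk printer, but still gets the 900-second lock timeout because the baseline GPO is Enforced at the domain.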
> Linux still doesn't have anything anywhere near as nice and cohesive as Group Policy, Active Directory etc.
I am sure that's something the Gnome Foundation could figure out if they had a grant to do so.
Putting it in the hands of the GNOME foundation will just result in a lot of new soon-to-be-mandatory APIs and numerous configuration variables with only one allowed value.
Must be the only nice and cohesive parts left. Perhaps they have not figured out how to put ads or AI on it because it doesn't have many users.
No non-US government should host anything on Azure, or any other US-owned cloud. That's security and sovereignty 101, or more like 100. Reality with a hostile US being as it is.
What you list are no showstoppers, and since it's a well known topic I can't imagine why some EU-funded effort of, say, 2 billion over the next 3-5 years shouldn't resolve it once and for all, for the entire world. Well invested money.
This is actually a good time to disrupt that, as Microsoft’s attention is not on windows and Active Directory is slowly moving to Entra, although big enterprises are mostly hybrid.
Some places are using Okta for many of those functions too. Trump’s instinctive parasitic slumlord behavior may be enough for the sleepy Europeans to get their shit together.
That's the catch with GP/AD. For a lot of orgs the hard part is Intune/Entra now. Swapping the desktop is easy. Replacing identity and device management is the real migration.
Doesn't the Azure team own Intune/Entra now? Read: less inclined to give a fuck about artificially protecting Windows desktop.
I've no idea what current internal Microsoft org divisions are.
Group Policy and Active Directory are dead, for all intents and purposes.
It's now Intune (via OMA-DM), and Entra. Both of those products are about as bad as you might imagine the "cloud" versions of GP & AD might be.
They are better, in ways -- no longer having to care for and feed domain controllers is nice, and there's no longer an overhead for additive policy processing, so endpoints only get a single set of policy and log on much quicker -- but for the most part, enterprise management of Windows devices is in a worse place than it was ten years ago.
Try to figure out how long it will take an online Intune device to discover a new policy: As far as I can tell the answer is "eventually". There are bandaids for this, because of how infuriating it is, of course, but all time guarantees are basically gone.
Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.
The answer now is not simple.
> Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.
That was also the answer two decades ago. But if AD and GPO are now dead, what killed them and what are the options? Is the problem mobile and BYOD?
I’ve been primarily on Macs since that time where endpoint management isn’t much, so there are fewer knobs to fiddle with. In some ways it’s nice in that admins can’t screw around too much with my system. In other ways, I’m sure Macs feel limiting for those in charge of enterprise security. However, most endpoint management feels like it’s written for Windows with Macs as an afterthought for checklist security. Knowing that, I’m happy there are fewer places for dodgy software to be able to interface with the OS.
(Edit: added quote to top)
> "if AD and GPO are now dead, what killed them and what are the options?"
The changing world. AD and GPO come from the mid 1990s before pervasive internet, before WiFi, before Cloud computing, before people had multiple computers, before iPhones, before AWS cloud infrastructure, before Kubernetes, before cheap fast hardware for virtualization, before cheap bulk storage, before BYOD and WFH and everything-as-web-app. Before that was the world of isolated 8-bit machines, expensive Solaris workstations and Unix mainframes with expensive admins, and after say 1998 the world was cheap Compaq/HP/IBM hardware running Windows server and Windows 9x desktop, and after about 2003 it was Windows Small Business Server (AD, GPO, SQL, Exchange, SharePoint) and XP Pro desktops.
Cracks started showing when people wanted to logon to a laptop away from the office when it couldn't refresh policies, run logon scripts, talk to domain controllers; when people wanted 'offline files' from a company file share while away from the office, but wanted their corporate email to work when their laptop was online but not pull down company settings over a dialup modem. More cracks when they got a Blackberry or iPhone, more when AppStores appeared and people expect to be able to install whatever they like, more with the rise of Apple Macbooks, with the growth of website based services people can use from anywhere, more with Amazon AWS where company infrastructure is on someone else's premises, more with BYOD and WFH, more with people expecting software to be cost-free, being trivially able to spin up Linux web and database servers because there was plenty of CPU/RAM/Disk and no worries about licensing costs.
> "it’s nice in that admins can’t screw around too much with my system"
If it's a company device, it isn't your system. The company has legal obligations and practical concerns that conflict with your desires as an individual. That might be pushing full-disk encryption or updates, or auto-locking, or restricting use of USB or websites to block potential customer information leak points, or trying to stop you saving work locally that might be lost if the device fails, or trying to stop your device being an entry point for malware or ransomware, or trying to stop you screwing around with their system which costs them employee time to fix and your downtime while it's broken.
It was absolutely not the case two decades ago. There were no other options for an enterprise fleet, 20 years ago, if the question was asked. If you weren't Google (who never asked the question anyway), the answer for managing 25,000 endpoints was to use Windows devices with Active Directory as the management plane. Anyone doing anything else was in for a world of hurt... and that's why every enterprise ended up on Windows, and why everyone targeting enterprise management targeted Windows -- because that's what the endpoints were already running.
What killed AD & GPO was Microsoft, in their bullheaded push toward Azure everything. Instead of listening to what it was that the enterprise customers actually wanted, they designed a system that made sense to them, but to no one else. The original UI was written in Silverlight. It was horrific.
No alternative, you can't realistically fully control everything everyone does on every device in their possession. It was job security for useless control freaks, the products never should have existed.
What about offline, to my knowledge Entra and Intune do not work without actual internet connection?
Even the old companies have moved away from that nonsense. Huge waste of resources.
I'm sorry, but how hard is that? Seriously.
Honestly as wide spread as it is, managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code.
Linux has a lot of the pieces but is principally lacking a solid distribution system - in particular a big missing component is the network-based SELinux policy distribution system which you can see some hooks in for the concept of a "policy server" which never eventuated.
SELinux would be a lot more viable if it had a solid way to federate and distribute policy and has some nice features in that regard (i.e. the notion that networked systems can exchange policy tags to preserve tagging across network connections).
> managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code
Imho, this was historically (and continues to be) Microsoft's Achilles heel.
Large parts of the company reflexively wrote features / tooling as manual-first, code-second (or never).
In hindsight, what was missing was a Gates-level memo circa 2000 similar to Amazon's API one: all teams are required to build their configurators to be programmatically exposed.
Unfortunately, I don't think Ballmer was enough of a technologist (and was likely too distracted) to intuit that path not taken.