Linux conversion for a corporate Windows environment

repitah (Well-Known Member, joined Jul 4, 2005)
Been running a theoretical "how do I replace my MS products" exercise, should things go awry in the next months/years and sanctions severely restrict traditional products.

My challenge came to the end users. While I have loved Linux for years (don't bother doing network work on Windows anymore) and daily-drive a MacBook at home (the SBCs running the house and the mini server in the study are all flavours of Debian), I've never given much thought to how I'd get a corporate-style setup: an Active Directory / Co-Pilot type experience of a machine joining the directory, with policies and scripts locking down systems and automating a lot of the setup for the IT support team (box to end user desk in 2 hours or less is the goal).

When I took over as the major grump, I set about making the group policies and scripts that are/should be considered the norm in a corporate. Great, but now how do I do the same in Linux? All the DevOps things seem scary and everything seems to start having a price tag in currencies/countries that we could be excluded from. I remember when I was a young sprite, SUSE had some nice YaST things that looked policy-like.

ZorinOS/Mint/Deepin (skeptical) would be my go-to for the end user OS. All of the IT support team have taken a crash course on Mint to do network diagnostics/switch programming and they seem to have taken to the interface with minimal shock and resistance.
 
As much as I love Linux, use it daily and recommend it for backend stuff, switching a corporate over to Linux? We did try it a long time ago and it failed miserably. People have gotten used to how MS does things.
 

 
Still requires maintaining underpinning AD infrastructure

May as well suggest Entra ID, ARC and azure policy tooling.
There are solutions to also replace AD with an open-source solution.

Only 2 or 3 in that list could be argued as replacement. The rest are absolutely not a replacement.

LDAP is neither the entirety of AD nor remotely acceptable in this day and age.

If you're going to talk AD replacement, you need to replace:

Kerberos with token rotation
Continual access audits
Monitoring, detection and response
Propagation
Load balancing
Granular policy application with hierarchy support
Hardware token support
Device authentication and rotation
LAPS
Domains, Forests, Trees
Trusts
etc
etc
etc

The list is more than just "Oh, we need to manage accounts poorly".
 
Also OP has no use case specified, making it sound like "dump Windows for Linux" hysteria.
End user Desktop/Notebook.
The corporate's industry isn't banking/insurance, so it isn't excessively retentive, but certainly not a mom-and-pop corner store.

Windows will remain Windows where needed in the backend and the ERP demands it (users can access via RDS farm; until the .Net issues on non-Windows get figured out for the client side, the server side will always be Windows :rolleyes:)
Linux has things for Own/NextCloud and there are general replacement apps for mail/browser/etc.

What I'm looking for is some form of policy tool that can apply settings and deploy apps and scripts (i.e. the sudo group is restricted only to a local admin [LAPS] and domain/desktop admins; allow network settings changes if the user belongs to a group -- e.g. techies -- or deny it [i.e. NetworkManager]). Not allowing the notebooks/desktops to "share internet" (i.e. share the corporate network) is just one of the horror shows to protect against (ip_forward* = 0 at all times; masquerade rules goodbye). Auto disk encryption, because theft is an issue and thy shalt not allow data to be unencrypted -- a decryption key backup mechanism would be a bonus.

I haven't done much training in the Apple world for enterprise, but they have forms of policy tools and the MDMs also apply restrictions and do app deployment. Linux???

Then also consider that the low/mid-end Intel/AMD chips are having supply chain issues, which will likely bite in the coming months. Windows on ARM isn't bad, but not quite Apple M series. I wouldn't mind some RPi5+NVMe (or similar) in call centre/factory type operational areas.
 
Jamf for Apple or Intune. Either way, why are you trying to reinvent the wheel? There is a reason why Microsoft will always be king of the corporate desktop. Linux has its place, but not on the desktop.
 
Hypothetically, if I were managing a corporate Linux environment and in the absence of AD/Intune, I would probably look at Ansible Pull as a sort of replacement for Group Policy
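As an added example that is not from this thread or from the Ansible project, here is what an ansible-pull `local.yml` could look like for the controls asked for a few posts up: sudo limited to admin groups, NetworkManager changes gated on group membership, IP forwarding pinned to 0, and disk encryption checked on every run. The group names and repo URL are placeholders; the polkit rule assumes a polkit build (0.106 or later) that reads JavaScript rules, and the sysctl task assumes the `ansible.posix` collection is installed.

```yaml
- hosts: localhost
  connection: local
  become: true
  vars:
    sudo_groups: ["localadmin", "domain-admins"]   # hypothetical group names
    netadmin_group: "techies"                      # hypothetical group name
    repo_url: "https://git.example.internal/it/workstation-policy.git"  # placeholder
  tasks:
    - name: Grant sudo only to the admin groups (visudo syntax-checks the drop-in first)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/10-corp-admins
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
        content: |
          {{ sudo_groups | map('regex_replace', '^', '%') | join(', ') }} ALL=(ALL:ALL) ALL
    - name: Remove the distro default that gives every member of 'sudo' full rights
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^%sudo\s'
        state: absent
        validate: /usr/sbin/visudo -cf %s
    - name: Only the network admin group may edit connections or share the uplink
      ansible.builtin.copy:
        dest: /etc/polkit-1/rules.d/10-corp-networkmanager.rules
        content: |
          polkit.addRule(function (action, subject) {
            if (/^org\.freedesktop\.NetworkManager\.(settings\.modify\.|wifi\.share\.)/.test(action.id)) {
              return subject.isInGroup("{{ netadmin_group }}") ? polkit.Result.YES : polkit.Result.NO;
            }
          });
    - name: Never route between interfaces, so a notebook cannot become a NAT gateway for the LAN
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "0"
        sysctl_file: /etc/sysctl.d/90-corp-no-forwarding.conf
        reload: true
    - name: Look for a LUKS-backed block device
      ansible.builtin.command: lsblk -rno TYPE
      register: lsblk
      changed_when: false
    - name: Fail the run (and so the report) when the disk is not encrypted
      ansible.builtin.assert:
        that: "'crypt' in lsblk.stdout_lines"
        fail_msg: "No LUKS volume found on {{ inventory_hostname }}; encryption policy not met"
    - name: Re-apply policy every 30 minutes, the GPO refresh interval equivalent
      ansible.builtin.cron:
        name: ansible-pull workstation policy
        minute: "*/30"
        job: "ansible-pull -U {{ repo_url }} -o >> /var/log/ansible-pull.log 2>&1"
```

Put the IT team in one of the `sudo_groups` before the `%sudo` default is removed, or the first run locks you out of sudo. The failing assert makes unencrypted machines show up in the pull log instead of silently passing.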
 
Thanks. That's a lot more helpful.

Already running an internal GIT for config/change tracking and a few other things, so not a stretch to do the same for Ansible.
 
It is hypothetical planning. Something the executive committees may ask about as risk identification and mitigate/avoid/transfer/accept.

Scale is always a thing and something that works for a 20 person company may not work for a 200/2000/20000+ person company.

We've become so dependent on others doing the heavy lifting and cry when they go down (*cough* Amazon/Microsoft/etc), and then there are the prices to pay. Sure, save R1mil+ not hiring "engineers", but when the system-is-down and you can't do business/losing customers/not providing services, the transfer of responsibility suddenly becomes painful.
 
No PowerBI desktop users?
Oh gosh, yes, those also exist. A few middle managers and senior managers.
I remember, now, that replacing a department manager's notebook with an iMac had to be undone just because the SQL queries in Excel and PowerBI didn't work, and the data analyst wasn't very helpful with explaining their "app".
 