drankula3 | 6 years ago
Primarily authentication, authorization, and accounting[0]. Setting up a new user account on every single computer that an employee may at some point sit at gets very expensive. Many businesses (if not immediately then eventually) have security concerns that require Administrators have the ability to immediately lock users out of the system or be able to audit recent activity. AD/LDAP facilitates this. It can also automate standard settings like network drives, screen lockout settings, homepages, and all sorts of other settings.
> You either figure out how to use the computer they give you, or you don't
Standardization of processes and training can reduce training time considerably. For industries with high turnover, this can make a difference. You've gotta remember, not everyone is a knowledge worker. Tons of people are more like cogs in the machine of the company, which isn't necessarily a bad thing.
[0] https://www.techopedia.com/definition/24130/authentication-a...
ninkendo|6 years ago
Why are people using more than one machine?
> Many businesses (if not immediately then eventually) have security concerns that require Administrators have the ability to immediately lock users out of the system or be able to audit recent activity.
Why are the network services tied to login sessions on my machine? I mean, login token invalidation is an interesting problem in general, but every place I’ve worked in the past 10 years, my desktop is not the place where secure things are stored, the services I access are. (And those services are increasingly SaaS and use something like SAML with the directory server for the company.) None of which needs a login token associated in any way with my desktop login.
Perhaps a better phrasing of the question is, why is the demarcation line between the untrusted world and the things you’re protecting on the desktop? And not at the services themselves?
> It can also automate standard settings like network drives, screen lockout settings, homepages, and all sorts of other settings.
Sounds like a bunch of solutions to problems you’re creating for yourselves. Why even do any of these things?
Perhaps an analogy would be helpful:
Say you required all your employees to have smart phones so they could (for instance) get email, log into the timecard/accounting service, etc. You’d need a pretty huge justification to require all of the phones to be managed centrally by your company. Why are desktops different?
(Or perhaps you’d defend even the central management of my iPhone too, in which case I think our perspectives are so far off, I don’t think there’s much convincing either of us can do at this point.)
I used to be an AD administrator for a university and had to manage hundreds of lab machines (maintaining a central hardware-independent image, group policy, tons of settings), so I’m aware of what tools are available for Administration; I’m just saying 9 times out of 10, the best way to administer lots of systems is to not administer them at all.
kyriakos|6 years ago
Ever been in a meeting room? Most companies have shared PCs for meeting rooms. Logging in gives you access to your documents so you can hold your meeting and take your notes back to your workstation.
I'm really surprised you worked in a large business and haven't experienced any of this or the need for standardisation. We use a bunch of systems that all work with AD; it's really a solved problem in a Windows-based environment.
samdixon|6 years ago
edit: I mean are you really asking why not have network shares or screen saver timeouts for your environment? It's a bit hard to take you seriously saying things like that.