Group Policy and Active Directory are dead, for all intents and purposes.
It's now Intune (via OMA-DM), and Entra. Both of those products are about as bad as you might imagine the "cloud" versions of GP & AD might be.
They are better, in ways -- no longer having to care and feed for domain controllers is nice, and there's no longer an overhead for additive policy processing, so endpoints only get a single set of policy and log on much quicker -- but for the most part, enterprise management of Windows devices is in a worse place than it was ten years ago.
Try to figure out how long it will take an online Intune device to discover a new policy: As far as I can tell the answer is "eventually". There are bandaids for this, because of how infuriating it is, of course, but all time guarantees are basically gone.
Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.
> Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.
That was also the answer two decades ago. But if AD and GPO are now dead, what killed them and what are the options? Is the problem mobile and BYOD?
I’ve been primarily on Macs since that time where endpoint management isn’t much, so there are fewer knobs to fiddle with. In some ways it’s nice in that admins can’t screw around too much with my system. In other ways, I’m sure Macs feel limiting for those in charge of enterprise security. However, most endpoint management feels like it’s written for Windows with Macs as an afterthought for checklist security. Knowing that, I’m happy there are fewer places for dodgy software to be able to interface with the OS.
> "if AD and GPO are now dead, what killed them and what are the options?"
The changing world. AD and GPO come from the mid 1990s before pervasive internet, before WiFi, before Cloud computing, before people had multiple computers, before iPhones, before AWS cloud infrastructure, before Kubernetes, before cheap fast hardware for virtualization, before cheap bulk storage, before BYOD and WFH and everything-as-web-app. Before that was the world of isolated 8-bit machines, expensive Solaris workstations and Unix mainframes with expensive admins, and after say 1998 the world was cheap Compaq/HP/IBM hardware running Windows server and Windows 9x desktop, and after about 2003 it was Windows Small Business Server (AD, GPO, SQL, Exchange, SharePoint) and XP Pro desktops.
Cracks started showing when people wanted to log on to a laptop away from the office when it couldn't refresh policies, run logon scripts, talk to domain controllers; when people wanted 'offline files' from a company file share while away from the office, but wanted their corporate email to work when their laptop was online but not pull down company settings over a dialup modem. More cracks when they got a Blackberry or iPhone, more when AppStores appeared and people expected to be able to install whatever they liked, more with the rise of Apple Macbooks, with the growth of website based services people can use from anywhere, more with Amazon AWS where company infrastructure is on someone else's premises, more with BYOD and WFH, more with people expecting software to be cost-free, being trivially able to spin up Linux web and database servers because there was plenty of CPU/RAM/Disk and no worries about licensing costs.
> "it’s nice in that admins can’t screw around too much with my system"
If it's a company device, it isn't your system. The company has legal obligations and practical concerns that conflict with your desires as an individual. That might be pushing full-disk encryption or updates, or auto-locking, or restricting use of USB or websites to block potential customer information leak points, or trying to stop you saving work locally that might be lost if the device fails, or trying to stop your device being an entry point for malware or ransomware, or trying to stop you screwing around with their system which costs them employee time to fix and your downtime while it's broken.
It was absolutely not the case two decades ago.
There were no other options for an enterprise fleet, 20 years ago, if the question was asked. If you weren't Google (who never asked the question anyway), the answer for managing 25,000 endpoints was to use Windows devices with Active Directory as the management plane. Anyone doing anything else was in for a world of hurt... and that's why every enterprise ended up on Windows, and why everyone targeting enterprise management targeted Windows -- because that's what the endpoints were already running.
What killed AD & GPO was Microsoft, in their bullheaded push toward Azure everything. Instead of listening to what it was that the enterprise customers actually wanted, they designed a system that made sense to them, but to no one else. The original UI was written in Silverlight. It was horrific.
No, I meant that Windows AD was still the answer two decades ago. I can see how that may not have been clear - I edited my post to include the quote I was replying to. (You said one decade and I was just extending that timeline back another 10 years.)
There was LDAP and Kerberos support for *nix management, but nothing you’d deploy over a thousand end devices.
And you’re right, it wasn’t a question that got asked, because there wasn’t ever a second choice - AD was the only option.
I remember it almost being a trope at the time that every Kerberos question thread eventually landed on some subtle / niche incompatibility or edge case.
No alternative, you can't realistically fully control everything everyone does on every device in their possession. It was job security for useless control freaks, the products never should have existed.
As someone heavily involved in the hospitality (read: beer) area, this doesn't really line up with reality in Australia: there's only one state (South Australia) that doesn't agree on the major standard sizes: Pints are 470ml, schooners are 425ml, a half pint is 285ml, and a pony is 140ml.
There are colloquialisms for a half: pot, or middy, mostly. Hobart will call a half pint a ten, because it's 10oz, but they also know what you're talking about when you ask for a pot or a half pint.
Then there's South Australia, which will serve you a pint at 425ml, a schooner at 285ml, no one there outside of specialty craft beer bars has any idea what a half pint is, and if you want a proper pint you need to ask for an imperial pint. I have never seen an 'imperial pint' advertised in Hobart - it's just called a pint there.
Source: I have pretty extensive drinking experience in pretty much all of the Australian capital cities, except Perth.
> there's only one state (South Australia) that doesn't agree on the major standard sizes: Pints are 470ml, schooners are 425ml, a half pint is 285ml, and a pony is 140ml.
> Source: I have pretty extensive drinking experience in pretty much all of the Australian capital cities, except Perth.
I don't drink as much as I used to so this might be a little outdated, but in Perth "Pints" are 570ml. It was rare, but becoming less so, for some places to serve you a 470ml schooner when you ordered a pint. We avoided those places.
...Embarrassingly, I have typo'd in my original post, and it's too late to edit. Pints are 570ml (not 470ml) everywhere on the East coast - hence why a half pint in Tassie is often called a ten - because it's 10oz, or half a 20oz/568ml pint.
Maybe not today, but in the summer of 1990 every pub I went to seemed to have a different glass and I was somehow expected to know what they were called...
I was decidedly not old enough to drink in 1990 and culture in general in Australia was much less homogeneous back then, so you're probably right for the times.
You shouldn't need a medical background to know that having something press on a spot for a couple of hours will leave a depression in your skin.
You have probably fallen asleep on something patterned or folded and have it leave an impression on your skin before: This is no different.
Other places it happens: Watches that are slightly too tight or have ridden up an arm. Glasses arms pressing against your temple or behind the ear. Tight socks after a day wearing them.
It's not a medical problem. It's just general physics.
What he's saying though is that the original poster is vastly overstating the effect the headphone had on his head. There was no dent in his skull, just skin deformation that happens with literally every headphone.
Not using the combination for one of its ambiguous purposes does not strip it of ambiguity, you've just trained yourself to avoid those circumstances.
That, of course, is one of the pain points that the article addresses: Training yourself to do so is additional cognitive load that never should have been necessary in the first place.
I flip between macOS and Linux and, occasionally, Windows. On one of my laptops, insert is also a Fn switch away, so I have to remember that this machine needs Ctrl-Fn-F11 specifically when I'm copying from a terminal.
On another keyboard I have the same problem, but insert is mapped to a different key entirely, so it is ctrl-fn-equals, and fn is on the opposite side of the keyboard from ctrl.
Contort my fingers in which way on which keyboard? Mental load and annoyance I don't need.
That’s a hardware problem. I avoid mental load and annoyance by using the same keyboard layout everywhere. Even on Windows the bottom left modifier keys on my keyboard are Ctrl Alt Win, and not Ctrl Win Alt.
The keyboard is the most important input device on a computer. It’s worthwhile to customize your key mappings to fit your muscle memory.
People will argue with you because your initial quoted sentence is chock full of fallacies.
* Caddy's complexity (especially when it comes to TLS) is not arbitrary, it's to meet the needs of auto-renewal and ... y'know, hosting sites on TLS.
* Caddy's SDLC is not, as far as I understand it, especially rapid.
* Implying that "military grade" is some level of encryption beyond the minimum level of encryption you would ever want to use is silly.
* The Manjaro website is not "the equivalent of a poster", and in fact hosts operating system downloads. Operating system integrity is kinda important.
You may have reasonable arguments for sites that are display only, do not out-link, and do not provide downloads, but this is not one of those circumstances.
About the only thing about the weather I can tell from my window is whether it is currently raining or not.
The temperature inside is not at all indicative of the temperature outside, the sun being out doesn't mean it is warm, and I don't really have any useful indicators of wind, unless the windows are rattling, but that doesn't let me know if there's a stiff breeze.
I could walk over and open up my balcony door and experience it all personally, but checking my phone or watch is faster and more accurate, and also gives me the forecast at the same time.
> Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
I may be an idiot, but: What does this actually, y'know, achieve? It seems the answer to me is probably nothing?
It doesn't work on Firefox. It appears not to work on Chrome. The suggestion is to use Edge, which on Windows already gets 4K support in Netflix anyway.
You misread the README. Although it suggests using Edge at the very bottom, the extension doesn't require it and actually spoofs Netflix into thinking it is Edge via changing the user-agent.
I understand it spoofs all of the checks it can, but the only Chromium browser that supports Widevine L1 (a requirement for 4K) is Edge, so even if all of the check spoofing works, it still won't do 4K.
There's even a table in the README that describes this exact scenario.
The same plugin spec runs across several browsers and Edge is now Chrome-based. It's likely just hard-coded defaults that seem a little silly when used on the target browser it pretends to be.
I can't vouch for this extension in particular (because I haven't tested it), but I've used and written similar extensions myself and can confirm that the concept is legit.
Spoofing the user agent and decoding capabilities and [...] is a useful way to unblock things that are crippled on various browsers, indeed.
The problem here is requiring hardware-attested DRM: Widevine L1 on Edge on Windows, and Apple FairPlay on Safari on MacOS. The only way to get hardware attested DRM is via browser specific (i.e.: native code) support that interfaces with the OS & GPU drivers. You can't get there through an extension.
Right, but the point is that Netflix still refuses to play 4K on some browsers with hardware DRM support. Even getting it to work in Edge was a challenge last time I tried - iirc I got it working via https://github.com/lkmvip/netflix-4K-DDplus
The answer now is not simple.