At work a funny question came up. Should we put an important user and their super slim executive-style laptop on the Windows Domain or just use a Local Account? There is really only one user who fits this bill, and so we’ll leave that obvious bit out because I don’t include names in any of my blog writing.
The question comes down to reliability. Can we trust that the Windows Domain account will always work? Eh, that’s the 64,000 dollar question, now isn’t it? The user cannot under any circumstances ever see the “This laptop cannot form a trust relationship with the selected domain.” error that pops up rarely and irregularly around our Windows Domain.
Obviously the answer is, since it’s Microsoft, apply the KISS Principle. We keep it simple, we keep it a local account, because we simply cannot trust Microsoft at all. Maybe the domain will work, maybe it won’t. Maybe Kerberos will work, maybe it won’t. Right up there with the worthlessness of Windows Domain GPOs, will they apply? Well, they appear to, but they do nothing in practice. In my experience GPOs are a mixed bag at best; sometimes they work, like home drives and printers, but sometimes they just bellyflop. We don’t really do much with GPOs because Microsoft’s technology is so hilariously poor. Roll out software through the Domain? Hah. Never works. Fiddle with settings on the Domain? Never works. Never ever ever works. GPOs are essentially a crock of shit at best, and a waste of time at worst.
So, if you have a mission-critical user on a computer, do you use a Windows Domain? Only if you like putting 2×4s up against your legs and whacking your ankles with a sledgehammer. Yeah, that’s the level of suffering and agony that is Windows. We’ll skip it, thanks.
I will say, I did briefly consider calling Microsoft Technical Support once a long time ago when we were looking at GPOs for something in the long ago. But you know, that’s not a serious offer either, and creates way more work and suffering than just skipping the entire thing and declaring that whatever it is simply cannot be done. Not that any requests have actually come in that way; our interest in GPOs was purely in-department wonderings. One foray into them, they don’t work, spread gasoline on everything and light a match and let it all burn.
It’s been a long time since I wrote this bit, but it still holds true and will for the rest of time. Microsoft is the worst company on Earth and I regret every experience coming into contact with them. I only use their “technology” because I have no other choice. Microsoft rules a kingdom of shit. May they all die in a fire.
So no, we won’t be using a Domain Account.