• 0 Posts
  • 8 Comments
Joined 2 years ago
Cake day: August 2nd, 2023

  • I dunno, I found it easier to move my family to JF.

    I made them a bunch of accounts and sent them via signal.

    For my mum I logged in as her and configured everything how she would want.

    I didn't have to explain to anybody that remote stream needs to be unlimited bandwidth for better performance.

    If mum forgets her password I can reset it.

    To log her TV in we used Quick Connect, where I had her enter the 6-digit code on the TV.

    We used SyncPlay to watch a movie together.


  • It's kinda useful for devices where userland is also protected against exfil, like a kiosk or Windows lock screen.

    If the BIOS is hardened, Secure Boot on, BitLocker on, and Windows is locked with a password, you can't simply take the disk out and manipulate it cause BitLocker with TPM means only that specific hardware profile will decrypt the disk automatically.

    You can't get to Explorer cause the system is locked with Windows auth, and you can't reset the PW cause BitLocker is on, and you can't remove the disk cause the TPM protects against that with BitLocker.

    It's really not perfect, and I'm not advocating for it, but it's a decent protection in systems where adding another PIN/password isn't practical.

    Even Microsoft recommends at least also using a PIN with BitLocker.




  • Sorry, I don't have any real documentation, but I have a snippet of PowerShell that explains it pretty well. This comes from a user creation script I wrote back when they removed the Unix UI.

    I was using Get-ADUser and discovered that the properties still existed, but you have to manually shove those in. When an SSSD "domain bound" Linux machine has a user with these props log in, they get the defined UID, GID, home folder, etc.

    # Needs the ActiveDirectory RSAT module. $samAccountName, $gidNumber, $loginShell,
    # $creds, $usersOU, $homeDirPath, $homeDriveLetter, $firstName, $lastName,
    # $displayName, $securePW and $aliasName are set earlier in the full script.
    Import-Module ActiveDirectory

    $otherAttributes = @{}
    Write-Host -ForegroundColor Yellow "Adding Linux Attributes"

    # get the next numeric uid number from AD: highest uidNumber in use + 1
    # (fetch only uidNumber instead of -Properties *; this read-then-allocate is
    # not atomic, so two runs at the same moment can pick the same number)
    $maxUid = Get-ADUser -Filter * -Properties uidNumber |
        Where-Object { $_.uidNumber } |
        Sort-Object uidNumber |
        Select-Object -Last 1 -ExpandProperty uidNumber
    $uidNumber = [int]$maxUid + 1

    # RFC 2307 attributes that SSSD reads when this user logs in on a domain-bound Linux box
    $otherAttributes.Add("unixHomeDirectory","/homefolder/path/$($samAccountName)")
    $otherAttributes.Add("uid","$($samAccountName)")
    $otherAttributes.Add("gidNumber","$($gidNumber)")
    $otherAttributes.Add("uidNumber","$($uidNumber)")
    $otherAttributes.Add("loginShell","$($loginShell)")

    $UserArgs = @{
        Credential = $creds
        Enabled = $true
        ChangePasswordAtLogon = $true
        Path = $usersOU
        HomeDirectory = "$homeDirPath\$samAccountName"
        HomeDrive = $homeDriveLetter
        GivenName = $firstName
        Surname = $lastName
        DisplayName = $displayName
        SamAccountName = $samAccountName
        Name = $displayName
        AccountPassword = $securePW
        UserPrincipalName = "$($aliasName)@DOMAIN.COM"
        OtherAttributes = $otherAttributes
    }

    # -PassThru makes New-ADUser return the created user object; without it $newUser stays empty
    $newUser = New-ADUser @UserArgs -PassThru


    Basically, the "OtherAttributes" on the ADUser object is a hashtable that holds all the special additional LDAP attributes, so in this example we use $otherAttributes to add all the fields we need. You can do the same with "Set-ADUser" if you just wanna edit an existing user and add these props.

    The @thing on New-ADUser is called a splat, very useful if you're not familiar: it turns a hashtable into arguments.

    Lemme know if you have any questions.
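The Set-ADUser route mentioned in the comment above, as an added example that is not the commenter's script: it gives an existing account the same RFC 2307 attributes SSSD reads, and checks that the gidNumber belongs to a real group and that a caller-supplied uidNumber is not already assigned to another account (a duplicate UID maps two AD identities onto one Linux identity, which breaks file ownership and audit attribution). The function name, the 10000 starting UID and the /home root are assumptions for the example.

```powershell
# Added example (not from the original comment). Assumes the ActiveDirectory
# RSAT module and an account that already exists in AD.
Import-Module ActiveDirectory

function Set-LinuxAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$GidNumber,
        [int]$UidNumber = 0,               # 0 = allocate the next free one
        [string]$LoginShell = '/bin/bash',
        [string]$HomeRoot = '/home'        # assumed Linux home root
    )

    # Refuse a gidNumber no group carries: SSSD would resolve the user to an
    # unknown primary group.
    if (-not (Get-ADGroup -Filter "gidNumber -eq $GidNumber")) {
        throw "No AD group has gidNumber $GidNumber"
    }

    # Every uidNumber currently assigned (fetch only that attribute).
    $inUse = Get-ADUser -Filter * -Properties uidNumber |
        Where-Object { $_.uidNumber } | ForEach-Object { [int]$_.uidNumber }

    if ($UidNumber -eq 0) {
        # Allocate highest in use + 1 (10000 if none yet). Not atomic: two
        # admins running this at once can still pick the same number.
        $UidNumber = if ($inUse) { ($inUse | Measure-Object -Maximum).Maximum + 1 } else { 10000 }
    } elseif ($inUse -contains $UidNumber) {
        throw "uidNumber $UidNumber is already assigned to another account"
    }

    $linuxAttrs = @{
        uid               = $SamAccountName
        uidNumber         = $UidNumber
        gidNumber         = $GidNumber
        unixHomeDirectory = "$HomeRoot/$SamAccountName"
        loginShell        = $LoginShell
    }

    # -Replace writes the attributes whether or not they were set before.
    Set-ADUser -Identity $SamAccountName -Replace $linuxAttrs

    # Read back exactly what SSSD will see, so the caller can verify the write.
    Get-ADUser -Identity $SamAccountName -Properties uid,uidNumber,gidNumber,unixHomeDirectory,loginShell |
        Select-Object SamAccountName,uid,uidNumber,gidNumber,unixHomeDirectory,loginShell
}

# Example call with assumed values:
# Set-LinuxAttributes -SamAccountName 'jdoe' -GidNumber 10001
```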