@nixCraft been mostly using AD integration with sssd for user accounts, SSH keys (authorized_keys) for functional accounts (Ansible). No local user/password accounts on any machine. Access to the machines is being managed by moving users in/out of AD groups.
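An added example, not part of the original post: a Python audit that checks a host against the setup described above, flagging local accounts that still have a usable password and listing the AD groups sssd admits per domain. It assumes group gating is done with sssd's `access_provider = simple` and `simple_allow_groups`; the domain, group and account names are constructed.

```python
import configparser

# Constructed sample inputs (not taken from any real host).
SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
ansible:!:19700:0:99999:7:::
legacy:$6$constructedsalt$constructedhash:19700:0:99999:7:::
"""

SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins, linux-users
"""

def local_password_accounts(shadow_text):
    """Return local accounts whose shadow entry allows password login."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        pw = fields[1]
        # A leading '!' or '*' means locked; an empty field means no password required.
        if pw == "" or not pw.startswith(("!", "*")):
            names.append(fields[0])
    return names

def group_gated_domains(sssd_text):
    """Map each sssd domain to its allowed groups (empty list = not group-gated)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, groups = cp[section], []
        if dom.get("access_provider", "") == "simple":
            allowed = dom.get("simple_allow_groups", "")
            groups = [g.strip() for g in allowed.split(",") if g.strip()]
        result[section[len("domain/"):]] = groups
    return result

if __name__ == "__main__":
    print("password-enabled local accounts:", local_password_accounts(SAMPLE_SHADOW))
    print("group gating per domain:", group_gated_domains(SAMPLE_SSSD_CONF))
```

On a real host, feed it the contents of `/etc/shadow` and `/etc/sssd/sssd.conf` (both readable by root only); a locked password field does not block key-based SSH logins, which is what the functional account relies on.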