Password management remote users

Bill H asked:

Hi guys,

We have a headquarters location with about 15 users and AD. Now we are going to have about 30 remote field users who use laptops. How can I manage their passwords in case they get fired and I need to lock them out of their machines?

McKnife:

If you have no network access, you can only use a "passive" protection: if the computer does not contact your network for, let's say 4 weeks, it will change the encryption key via a scheduled task on the machine. Of course this assumes that you have disk encryption in use, which any laptop user should.
You did not specify what OS you are using to deploy AD. Assuming you are using Windows Server Essentials, you can set up DirectAccess: https://technet.microsoft.com/en-us/library/jj204618.aspx
This gives you the ability to disable a computer account, user account, or even any kind of local account, as if the computer were on the local LAN, as soon as the computer has internet access.
Miguel, we cannot keep people from logging in to their machine that way that are offline.

Sorry, but I don't find where it says the laptops have no internet access. As soon as the computer has internet access, it connects to AD and gets all GPOs and other stuff, like disabled user accounts or whatever.
It is a measure against people that are fired. You cannot expect those to be nice and connect to the company network so you can delete their user profiles, can you? And they should be kept from accessing the data - therefore, encryption is the only possible way. If the laptop changes the encryption key, it cannot boot anymore - problem solved.
Bill H (asker):

Miguel, that sounds like a very interesting solution. I've never heard of DirectAccess, but it looks like it syncs everything as if you were connected locally behind the LAN even though you are remote?
Yes, it is like a VPN, but it does not require the user to launch it; it is automatic. When the computer detects internet access, it connects through the VPN by itself. This lets you keep all documents on a central server and secure them (using NTFS permissions, making backups) against loss.
DirectAccess is a good thing, but it cannot help if we would like to keep users from using their computers at some point in time.
Bill H (asker):

McKnife, so if I do a password lockout in AD and they try to log back in, would they still be able to get in?
It depends; by default, yes. By default, people may log on without a network connection to AD (even offline) and will authenticate against the cached credentials, which do not care what you do in your AD, so they will get in and have access to local resources.

You can configure that it is impossible to log on to the machine if AD cannot be reached; then they will be locked out. But: imagine their long faces if (before they are fired) they don't get in because something is wrong with their network connection. Who'll be blamed? You. They would need a stable pre-logon VPN connection.

I hope now you understand why I wrote what I think (and I am sure) is the only way to do a lockout: use encryption, use a task that every few days checks if AD can be reached and if it cannot be reached for a certain defined time, changes the encryption password, shuts down the machine and makes it inaccessible that way.
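The passive lockout described above (a scheduled task that makes the encrypted disk inaccessible after the machine has not reached AD for a defined time), as an added example that is not code from the thread. It assumes BitLocker on C: with a recovery password protector whose value IT has already escrowed centrally, a domain-joined laptop whose users are not local admins, a hypothetical state-file path, and that the task runs as SYSTEM:

```powershell
# Added example, not from the thread. Assumptions: BitLocker on C: with an
# escrowed recovery password; domain-joined machine; runs as SYSTEM from a
# scheduled task. State-file path and threshold are hypothetical.
$StateFile  = 'C:\ProgramData\Corp\last-ad-contact.txt'   # hypothetical path
$GraceDays  = 28                                          # "let's say 4 weeks"
$MountPoint = 'C:'

function Test-AdReachable {
    # Succeeds only when a DC is reachable AND the machine account is valid,
    # so a disabled computer account also counts as "not reachable".
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

if (Test-AdReachable) {
    # Contact made: reset the clock and do nothing else.
    (Get-Date).ToString('o') | Set-Content -Path $StateFile
    exit 0
}

if (-not (Test-Path $StateFile)) {
    # First run without AD: start the clock rather than locking out at once.
    (Get-Date).ToString('o') | Set-Content -Path $StateFile
    exit 0
}

$lastContact = [datetime]::Parse((Get-Content $StateFile -Raw).Trim())
if (((Get-Date) - $lastContact) -lt [timespan]::FromDays($GraceDays)) { exit 0 }

# Grace period exceeded. Keep ONLY the recovery password protector: without
# the TPM (or PIN/password) protector the volume no longer unlocks at boot,
# so only whoever holds the escrowed recovery password (IT) can get in.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # Safety check: never strip protectors when no recovery path exists.
    Write-Warning "No recovery password protector on $MountPoint; refusing to lock."
    exit 1
}
$vol.KeyProtector |
    Where-Object KeyProtectorType -ne 'RecoveryPassword' |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
    }

# Shut down so the running session cannot keep using the unlocked volume.
Stop-Computer -Force
```

Verify before rollout that the recovery password is actually escrowed (for example backed up to AD DS) for every laptop, because after this task fires, that password is the only way back into the machine.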
Bill H (asker):

McKnife, what if we get a phone call and need to disable someone immediately? How would that work? Assume AD is no longer in play, since it doesn't seem like that would work.
Your only solution, as I told you, is to make it mandatory to logon to AD. No AD connection, no logon. That would mean network access needs to be available pre-logon whenever they would like to work. It also means that you risk that people from time to time cannot log on although they would like to and would be allowed to.

It's this policy: https://technet.microsoft.com/en-us/library/cc938139.aspx set it to 0. Only then can you do a central lockout.
Bill H (asker):

Is there any other way of doing this without setting up DirectAccess?
I am not sure if we understand what you want.
Do your workers save documents to their own laptops? If yes, would you like to be able to disallow access to these documents on their machines some day? If yes, you'll need to disable their accounts and forbid logon against cached credentials like I described before. If in addition their laptop is encrypted, they cannot circumvent it.
This does not need direct access setup.
Bill H (asker):

So the remote users have just office software on their PCs, and they will probably keep work-related documents on their PCs.

Now say we need to fire them immediately. I would need to be able to disable them before they can get back into the machine and potentially delete documents, erase their emails and such.
See my last comment.
Bill H (asker):

So you are saying to go the encryption key route then? I am not going to use AD/DirectAccess.
No, what I described in my last comment was not about encryption alone. You need to forbid cached credentials.
Bill H (asker):

Again, I am NOT using AD on the remote machines, so the cached credentials are irrelevant.
ASKER CERTIFIED SOLUTION

McKnife:
Bill H (asker):

So no options outside of AD is what you're saying.

Anyone else have any options that would work?
Synchronizing local documents with a central server and DirectAccess may resolve your problem:

- All local documents are stored locally and synced with a folder on premises. You can back up these documents.
- Email is stored on an on-premises email server; you can do backups easily.

When an employee is fired, simply disable the AD account. The employee cannot log on to email or delete any synced document.
Bill H (asker):

Miguel, I don't think we will be going down the AD route.

Is there any other way to do this WITHOUT AD??
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
Solutions have been shown and discussed. Why delete, Lee?
It was emphasized that it needs to be a solution without AD.