jdecaria asked:
Group policy setting to disable computers removed from the domain

Is there a GP setting that can automatically lock down a computer (laptop) if it hasn't contacted a domain controller within 15 days? I effectively want to render the machine unusable if it is taken out of the domain for a specific period of time - disabling both us machine account and the user accounts cached on that machine.  This is a 2003 native domain with XP clients.
Mike Kline replied:

No group policy setting that I know of to do that.

You may want to look into a tool like old computer by Joe Richards

http://www.joeware.net/freetools/tools/oldcmp/index.htm

As you can see there by default computers update their passwords every 30 days so that is what old computer uses to define "old".  

We disable after 90 and delete after 180.

Thanks
Mike

Try this:
How to detect and remove inactive machine accounts
http://support.microsoft.com/kb/197478
jdecaria (asker):
If a laptop is taken home and not brought back, I can disable the account in AD till the cows come home - if the machine isn't brought back into the domain, it'll never know it's been disabled.
I want to prevent a user from being able to continue to use a computer that's been removed from the office for an extended period without authorization (and hence not able to contact a domain controller).
If the computer account is disabled it won't be able to log into the domain.  Let's say a computer is stolen or taken without authorization if that is your concern then encryption is going to be what you will have to use to guarantee privacy/protection.

If someone that knows what they are doing has physical access to the PC then they can get in.

You can also limit cached credentials.

Thanks

Mike
I'm not worried about encryption or data theft. I just want to have the machine disable itself (either the user accounts or the machine account) if it is taken out of the office and has not contacted a domain controller for 15 days.
I'm concerned about a potential situation in my company, and want to make life difficult for a group of people who might just remove a PC from the office and continue to use it in another environment. If they get the machine out of the office, it won't be coming back, so if I disable the machine account on the domain it won't matter. I'm not sure if I'm being clear enough about what I want to accomplish.
so you want to change the server2003 policy to auto-disable the non-connective accounts after some period ?
Accepted solution by RPPreacher (solution text not shown on this page).
Second solution (solution text not shown on this page).
giltjr: if the domain account password expires and the machine cannot contact a DC the account will be locked out?
It is supposed to.  You can always test it if you have a spare PC.  

Setup a test user-id whose password expires in 1 day.  Logon to the computer once, logoff, disconnect from the network and after 2 days try logging on to it.

>Setup a test user-id whose password expires in 1 day.  Logon to the computer once, logoff, disconnect from the network and after 2 days try logging on to it.

Password policy is applied at the domain level.  Not individual accounts.
Sometimes the best answer is the simplest one. A combination of these two will work well.
>if the domain account password expires and the machine cannot contact a DC the account will be locked out?

The user will be unable to change their password and will be prevented from logging into the PC.  The account will not be disabled.  And your users will HATE you for implementing a 15 day password policy.
Actually I think this could be done with a fairly easy script, the questions I have though are will this "policy" only be applied to certain laptops or all laptops?  Do the users have VPN access?  If they VPN in does that reset the 15 day countdown?  Are these laptops ONLY supposed to be used within the confines of your office building where they will always have access to a DC?

I will be happy to provide a script for this if you can validate first that my planned method is an acceptable solution.

1. We create a custom registry key that will hold a time stamp to indicate the last time the PC was able to contact a DC
2. VBScript will use a WMI ping to determine it can contact a DC.
3. If no DC can be contacted we get the datediff from when we last contacted one, if more than 15 days we delete all cached passwords and force logoff on the machine.  If the DC can be contacted we update the time stamp to reset the 15 day countdown.

It might also be beneficial to run a scan for local accounts and disable them all.  You would want to do that before the laptops disappear from your control though.  You will also need to make sure that the users are not local administrators.  If they can create user accounts or enable existing accounts then they can get around this.  You will also need to disable REGEDIT access.
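The three-step method above, written out as an added example (this is not the script the commenter offered, and VBScript has been swapped for PowerShell). It assumes PowerShell 2.0 or later on the client, that the script runs with elevated rights from a scheduled task, and that users are not local administrators; the registry key name and the lockdown action (disabling cached logons, then forcing a restart) are my choices, not the page's.

```powershell
# Added example: "dead-man switch" that locks a client down after 15 days without
# reaching a domain controller. Assumes elevated context (e.g. scheduled task as
# SYSTEM). $KeyPath is a hypothetical key chosen for this example.
$GraceDays   = 15
$KeyPath     = 'HKLM:\SOFTWARE\Example\DcContact'
$ValueName   = 'LastDcContact'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-DcReachable {
    # Step 2: enumerate the current domain's DCs and ping each; true if any answers.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        foreach ($dc in $domain.DomainControllers) {
            if (Test-Connection -ComputerName $dc.Name -Count 1 -Quiet) { return $true }
        }
    } catch { }            # not domain-joined, or DNS/LDAP lookup failed while offline
    return $false
}

function Get-LastContact {
    # Step 1: read the stored UTC time stamp; $null if it has never been written.
    if (-not (Test-Path $KeyPath)) { return $null }
    $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($raw) { return [datetime]::Parse($raw).ToUniversalTime() }
    return $null
}

function Set-LastContact {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value (Get-Date).ToUniversalTime().ToString('o')
}

function Invoke-Lockdown {
    # Step 3: stop cached-credential logons (documented Winlogon value; REG_SZ),
    # then force a restart so the current session ends. Local accounts and a
    # local administrator can still bypass this, as the thread points out.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value '0' -Type String
    shutdown.exe -r -f -t 0
}

if (Test-DcReachable) {
    Set-LastContact                                    # reset the 15-day countdown
} else {
    $last = Get-LastContact
    if ($null -eq $last) {
        Set-LastContact                                # first run while offline: start the clock
    } elseif (((Get-Date).ToUniversalTime() - $last).TotalDays -gt $GraceDays) {
        Invoke-Lockdown
    }
}
```

Because a user without admin rights cannot rewrite the HKLM time stamp, the countdown cannot be reset by simply editing the registry, which is why the commenter's point about local administrator rights and REGEDIT access matters.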
Well... If you are into stealing business you just remove CR2016, reinstall XP with key found on back sticker and go to market...
Also - there are GPS (like sticker on the back of laptop covering screws) and other call-home solutions that might be of interest to you.