Group policy setting to disable computers removed from the domain

Is there a GP setting that can automatically lock down a computer (laptop) if it hasn't contacted a domain controller within 15 days? I effectively want to render the machine unusable if it is taken out of the domain for a specific period of time - disabling both its machine account and the user accounts cached on that machine. This is a 2003 native domain with XP clients.
jdecariaAsked:

Mike KlineCommented:
No group policy setting that I know of to do that.

You may want to look into a tool like old computer by Joe Richards

http://www.joeware.net/freetools/tools/oldcmp/index.htm

As you can see there, by default computers update their passwords every 30 days, so that is what old computer uses to define "old".

We disable after 90 and delete after 180.

Thanks
Mike
0
DonNetwork AdministratorCommented:

Try.....
How to detect and remove inactive machine accounts

http://support.microsoft.com/kb/197478
0
jdecariaAuthor Commented:
If a laptop is taken home and not brought back, I can disable the account in AD till the cows come home - if the machine isn't brought back into the domain, it'll never know it's been disabled.
0
jdecariaAuthor Commented:
I want to prevent a user from being able to continue to use a computer that's been removed from the office for an extended period without authorization (and hence not able to contact a domain controller).
0
Mike KlineCommented:
If the computer account is disabled it won't be able to log into the domain. Let's say a computer is stolen or taken without authorization; if that is your concern, then encryption is going to be what you will have to use to guarantee privacy/protection.

If someone who knows what they are doing has physical access to the PC, then they can get in.

You can also limit cached credentials.

Thanks

Mike
0
jdecariaAuthor Commented:
I'm not worried about encryption or data theft. I just want to have the machine disable itself (either the user accounts or the machine account) if it is taken out of the office and has not contacted a domain controller for 15 days.
I'm concerned about a potential situation in my company, and want to make life difficult for a group of people who might just remove a PC from the office and continue to use it in another environment. If they get the machine out of the office, it won't be coming back, so if I disable the machine account on the domain it won't matter. I'm not sure if I'm being clear enough about what I want to accomplish.
0
Lukasz ChmielewskiCommented:
So you want to change the Server 2003 policy to auto-disable the non-connecting accounts after some period?
0
RPPreacherCommented:
(1)  No group policy is going to do this.

If I understand your question, you want to treat the laptop like it's stolen. If an employee takes it home for X days, then it ceases to work.

There are a few options, again, by looking at this as a theft issue.  A couple commercial products --
http://blogs.techrepublic.com.com/security/?p=685

The hacked up solution would be to delete the cached domain credentials after X days.  You would probably need to do this with some combination of scheduled task and script.

If you launch Windows registry with SYSTEM level privilege and browse to “HKEY_LOCAL_MACHINE\SECURITY\CACHE”, you will find a total of 10 entries starting from NL$1 to NL$10. These binary entries contain users' cached credentials at the domain level.

If you delete those keys, they cannot log in with cached domain credentials. If they don't have the local password, they cannot log into the computer until a DC is present.

The scripting would need to be fairly complex but this is the right direction.
0
giltjrCommented:
Well, you could make sure there are no local accounts that the user can log on with and then set the password to expire after 15 days.

Of course your users may get upset having to change their passwords every 15 days.
0
alewis9777Commented:
0
jdecariaAuthor Commented:
giltjr: if the domain account password expires and the machine cannot contact a DC the account will be locked out?
0
giltjrCommented:
It is supposed to. You can always test it if you have a spare PC.

Set up a test user-id whose password expires in 1 day. Log on to the computer once, log off, disconnect from the network and after 2 days try logging on to it.

0
RPPreacherCommented:
>Set up a test user-id whose password expires in 1 day. Log on to the computer once, log off, disconnect from the network and after 2 days try logging on to it.

Password policy is applied at the domain level.  Not individual accounts.
0
jdecariaAuthor Commented:
Sometimes the best answer is the simplest one. A combination of these two will work well.
0
RPPreacherCommented:
>if the domain account password expires and the machine cannot contact a DC the account will be locked out?

The user will be unable to change their password and will be prevented from logging into the PC. The account will not be disabled. And your users will HATE you for implementing a 15-day password policy.
0
markdmacCommented:
Actually I think this could be done with a fairly easy script. The questions I have, though, are: will this "policy" only be applied to certain laptops or all laptops? Do the users have VPN access? If they VPN in, does that reset the 15-day countdown? Are these laptops ONLY supposed to be used within the confines of your office building, where they will always have access to a DC?

I will be happy to provide a script for this if you can validate first that my planned method is an acceptable solution.

1. We create a custom registry key that will hold a time stamp to indicate the last time the PC was able to contact a DC.
2. VBScript will use a WMI ping to determine it can contact a DC.
3. If no DC can be contacted we get the datediff from when we last contacted one; if more than 15 days, we delete all cached passwords and force log off on the machine. If the DC can be contacted we update the time stamp to reset the 15-day countdown.

It might also be beneficial to run a scan for local accounts and disable them all.  You would want to do that before the laptops disappear from your control though.  You will also need to make sure that the users are not local administrators.  If they can create user accounts or enable existing accounts then they can get around this.  You will also need to disable REGEDIT access.
0
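The countdown check markdmac outlines, as an added PowerShell example that is not markdmac's script nor anything posted in this thread. It assumes it runs as SYSTEM from a scheduled task (the SECURITY hive is only accessible as SYSTEM), that the stamp key path `HKLM:\SOFTWARE\ExampleOrg\DcContact` is a placeholder of my choosing, and that a forced restart stands in for the per-user log off because a SYSTEM task owns no interactive session.

```powershell
# Added example (not markdmac's script): lock down a domain-joined PC that has
# not reached a DC for more than $MaxDays. Run as SYSTEM from a scheduled task.
# Dry run by default; pass -Enforce to actually clear the cache and restart.
param([int]$MaxDays = 15, [switch]$Enforce)
# Placeholder path for our own "last DC contact" stamp (not from the thread).
$StampKey  = 'HKLM:\SOFTWARE\ExampleOrg\DcContact'
$StampName = 'LastContactUtc'
# Cached domain logons named in the thread: values NL$1 .. NL$10 under this key.
$CacheKey  = 'HKLM:\SECURITY\Cache'
function Test-DcReachable {
    # The domain locator throws when no domain controller can be contacted.
    try {
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $null = $dom.FindDomainController()
        return $true
    } catch { return $false }
}
function Get-LastContact {
    $p = Get-ItemProperty -Path $StampKey -Name $StampName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [datetime]::FromFileTimeUtc([int64]$p.$StampName)
}
function Set-LastContact {
    if (-not (Test-Path $StampKey)) { $null = New-Item -Path $StampKey -Force }
    Set-ItemProperty -Path $StampKey -Name $StampName -Type QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc())
}
function Invoke-Lockdown {
    foreach ($i in 1..10) {
        $name = "NL`$$i"          # NL$1 .. NL$10
        if ($Enforce) { Remove-ItemProperty -Path $CacheKey -Name $name -ErrorAction SilentlyContinue }
        else { Write-Output "DRY RUN: would remove $CacheKey\$name" }
    }
    # A SYSTEM task owns no user session to log off, so a forced restart is used
    # instead: with the cache gone, no domain user can log back on without a DC.
    if ($Enforce) { shutdown.exe /r /f /t 0 } else { Write-Output 'DRY RUN: would force a restart' }
}
if (Test-DcReachable) {
    Set-LastContact
    Write-Output 'DC reachable; countdown reset.'
} else {
    $last = Get-LastContact
    if ($null -eq $last) { Set-LastContact; Write-Output 'No stamp yet; countdown started.'; return }
    $days = ([datetime]::UtcNow - $last).TotalDays
    if ($days -gt $MaxDays) { Invoke-Lockdown }
    else { Write-Output ('{0:N1} days without a DC; limit is {1}.' -f $days, $MaxDays) }
}
```

A user who can edit the stamp key or roll the clock back defeats the countdown, which is why markdmac's conditions (no local administrator rights, no REGEDIT access) matter.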
gheistCommented:
Well... If you are into stealing business you just remove CR2016, reinstall XP with key found on back sticker and go to market...
Also - there are GPS (like sticker on the back of laptop covering screws) and other call-home solutions that might be of interest to you.
0