how to block windows xp PCs from logging into the corporate network

We have a number of XP machines out there, and want to block them from accessing the corporate network.

We need to push a script or policy to the XP machines to deny them access to the corporate network, and force them to call into the Service Desk for replacement.
Alice SchummSenior Technical ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joshua GrantomSenior Systems AdministratorCommented:
are these machines on your domain or just connecting to the network?
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Do they log in to a domain? In that case, push a login script per GPO to all clients, which checks for the OS version and then acts as required.
0
Joshua GrantomSenior Systems AdministratorCommented:
Qlemo, thats exactly what I was thinking.

Or you can combine a LegalNotice Warning Text and deny logon locally using a wmi filter for windows xp
0
Joshua GrantomSenior Systems AdministratorCommented:
Create a GPO that has these entries in "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

LegalNoticeCaption    REG_SZ      Please contact Service Desk
LegalNoticeText          REG_SZ      This computer has been disabled from logging on to our network because it is running an outdated OS Please call 1-800-HEL-PDSK


In the same GPO set this policy "Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally" to Domain Users

then create a WMI filter for the GPO

select * from Win32_OperatingSystem where (Version like "5.1") and ProductType="1"


Then apply the GPO to Authenticated Users and you can link it to your domain root. Because of the WMI filter, it will only apply to Windows XP machines.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Alice SchummSenior Technical ConsultantAuthor Commented:
Sounds great.  Thank you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.