Stuart Carr asked:

Looking to disable remote computers

This could be a fun topic.

Outside of the obvious answers "Get someone to remove them", "Get someone to turn them off", "Tell them to...." etc.
We have a percentage of Windows XP and Windows 2003 machines that are on our remote network that we want to actively disable their access remotely and prevent local IT from re-enabling and re-using them.

We've manually disabled some through RDP, but want to remotely stop these sites from using them.

Something like - remove all members from local admins and local users, set a 30s shutdown to run in the registry and kill all NICs.
It can't be as dramatic as a format c:, but can be fairly brutal.

We have AD 2012R2 GPO, and SCCM 2012 R2 at our disposal - I'm looking for some real world tips and tricks people have used to disable machines like this. Thanks
Ernie Beek

Perhaps have a look at NAP: https://technet.microsoft.com/en-us/library/cc754378(v=ws.10).aspx
Even if they re-enable the machines, if they're blocked from the network they are of no use to anyone.
Stuart Carr (ASKER)

Nice, but I believe we'd need to deploy the older client out to XP first to do this.

Hi Stuart,

For the sake of playing along: The only way I could possibly see you doing this is to disable the devices you want to restrict in the BIOS, and then protect the BIOS with a password. You could still undo this though, by popping the battery, and setting the reset jumper.

With that being said, and with all due respect, if you're going to the trouble of completely blocking, disabling core services, or trying to make the system completely unusable, why spend as much time trying to do this, while maintaining the integrity of the machine?
Just execute a DoD wipe on the machines, and be done with it? Do you honestly think you'll come back and re-use these machines as-is in the future? Is there super-secret-scary-data on them? Do you have some type of hardcore business requirement, restricting you from disposing of EoL machines?

At some point, you really have to make a decision/have a conversation with management, on if you're just making more work for yourself to have more work to do.

The fact of the matter is: If you don't have hands-on, physical access to restrict these machines from use, there is really NO way you can keep someone who has physical access to the machines from using them, or undoing what you set.

To more easily manage all this I would suggest 3 things in addition to the earlier suggestions from others such as NAP and wiping systems.

1] Restrict joining domain to trusted admins only.
2] Auto move XP/2003 machines to a specific OU
3] Enable Auditing of AD

-1] By default authenticated users can create up to 10 computer accounts. You can restrict this with GPO. Computer Configuration > Policies > Windows Settings > Local Policies > User Rights Assignment > Add Workstation to domain.
Restrict this to trusted users aka domain admins for example only.

-2] Once you have done this I would set up a script which moves XP & 2003 machines to a particular OU, which TechNet has a script and article on here.

-3] Once that has been done, any future systems added to the domain against IT policies can be traced down to the user who joined this. (Hopefully users are not using generic accounts, which makes tracing harder.) I would double check that you are auditing changes like this already.
There is a TechNet article on this too here.

Alternatively you could check the computer object ownership to trace down and tell off the person in question.

As there is an event ID for adding objects to the domain there will likely be a TechNet script somewhere which will allow you to log those events to a share, and trigger an email notifying of an object join to the domain. This could be a potential 4th step to take.
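
The three steps in the post above, sketched as an added example (not the poster's code and not the TechNet script it mentions). It assumes the RSAT ActiveDirectory module and a quarantine OU whose name, `OU=Legacy-Quarantine,DC=example,DC=com`, is hypothetical; using `mS-DS-CreatorSID` to find who joined a machine is this example's choice for the ownership check.

```powershell
# Added example. Run from a management host with the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: hypothetical quarantine OU; create it and link restrictive GPOs first.
$QuarantineOU = 'OU=Legacy-Quarantine,DC=example,DC=com'

# Step 1 check: how many computer accounts an ordinary user may still create.
# 10 is the default the post refers to.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# Step 2: find XP / Server 2003 computer objects by the OS they report to AD.
$filter = "OperatingSystem -like 'Windows XP*' -or OperatingSystem -like 'Windows Server 2003*'"
$props  = 'OperatingSystem', 'whenCreated', 'LastLogonDate', 'mS-DS-CreatorSID'
$legacy = Get-ADComputer -Filter $filter -Properties $props

$report = foreach ($c in $legacy) {
    # Step 3 aid: mS-DS-CreatorSID is populated when a non-admin account
    # created the computer object using the machine account quota.
    $creator = $null
    $sid = $c.'mS-DS-CreatorSID'
    if ($sid) {
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # account no longer resolves; keep the raw SID
    }

    if ($c.DistinguishedName -notlike "*,$QuarantineOU") {
        # -WhatIf only prints the intended move; remove it after reviewing the list.
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU -WhatIf
    }

    [pscustomobject]@{
        Name      = $c.Name
        OS        = $c.OperatingSystem
        Created   = $c.whenCreated
        LastLogon = $c.LastLogonDate
        JoinedBy  = $creator
    }
}

$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

`LastLogon` in the report separates machines that are still in use from stale objects, which helps decide which sites to chase first.
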
ASKER CERTIFIED SOLUTION
Steve

This solution is only available to members.
This is pretty much what we concluded in the end, with the addition of services being locked and stopped as well. Cheers