Remotely log off a fired staff member and delete their access from a work laptop at their home.

Fired Staff - Their work laptop is at home and offline. I'm looking for a mechanism to log off the user and delete their local account permissions as soon as their laptop comes online.

I have access to LabTech device management tools, and a Server 2008 R2 Active Directory synced with Office 365.
Jack Murphy (Owner) Asked:
 
Cliff Galiher Commented:
Win10 has MDM support built in. You just need to pick an MDM provider. Many exist: AirWatch, Meraki... I think MobileIron is still around... Microsoft Intune. All have a "remote wipe" feature that basically does what it sounds like. It triggers a reset of the device back to factory default. Not much different than what iPhones and Androids have had for a few years.
0
 
Cliff Galiher Commented:
If the computer already has the LabTech agent installed then theoretically you could create an automatic task to do this. I am not a ConnectWise expert though, so I can't say specifically how that'd look... and it wasn't really what it was designed for.

If you don't already have a tool in place you probably won't be able to accomplish this. This has been the realm of MDM solutions for years, but you have to already have it in place to initiate a remote wipe.
0
 
Jack Murphy (Owner, Author) Commented:
Any thoughts or ideas on a script that I could send from LabTech once it sees the laptop online and tell it to log off the user and lock the account?

My client feels confident they will get the laptop back but wants to lock out the user if they attempt to log back in. I don't think the user is smart enough to make sure they are offline when / if they attempt to log into the machine before they return it.
0
 
Cliff Galiher Commented:
Is the machine domain joined and does the user log in with a domain account or local account?
0
 
Jack Murphy (Owner, Author) Commented:
They log in with a domain account.  

Am I correct that if they log in at their home, they will still be successful because the laptop will use its cached domain credentials and not be able to communicate with the server to know the password has changed?
0
 
Cliff Galiher Commented:
Correct. And Windows doesn't offer an API to clear cached credentials. Assuming no group policy overrides it, you could set the local security policy (via registry) to not cache credentials, and that'd effectively clear existing credentials. BUT it requires a reboot to kick in. And the user can log in... and chances are they won't be rebooting if they are up to no good. They may not be smart enough to disconnect from the network, but they probably won't intentionally do things like turn on a laptop and reboot without logging in either.

Issues like this are really tough "after the fact."  Without a tool already in place, I don't have a good solution for you.
0
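A sketch of the registry approach described in the answer above, combined with the session logoff the asker wanted; this is an added example, not a script posted by anyone in the thread. It assumes the domain account is already disabled in Active Directory, that the script is pushed by the management agent and runs elevated on the laptop, and that `jdoe` is a placeholder user name; `CachedLogonsCount` is the registry value behind the "Interactive logon: Number of previous logons to cache" policy.

```powershell
#Requires -RunAsAdministrator
# Added example: runs locally on the laptop (e.g. pushed by an RMM agent as SYSTEM).
param(
    [string]$TargetUser = 'jdoe',   # placeholder sAMAccountName of the departed user
    [switch]$Reboot                 # reboot afterwards so the cache setting applies
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Tell Windows not to accept cached domain logons (REG_SZ, default "10").
#    A domain GPO that sets the same policy will overwrite this value on refresh.
$before = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
Write-Output "CachedLogonsCount: '$before' -> '0'"

# 2. Log off every session that belongs to the target user.
#    quser prints one line per session; the session ID is the first all-numeric
#    token (columns shift for disconnected sessions, so match tokens, not offsets).
$sessions = quser 2>$null | Select-Object -Skip 1
foreach ($line in $sessions) {
    $tokens = $line.Trim().TrimStart('>') -split '\s+'
    if ($tokens[0] -ieq $TargetUser) {
        $id = $tokens | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($id) {
            logoff $id
            Write-Output "Logged off $TargetUser (session $id)"
        }
    }
}

# 3. Per the answer above, the cache setting needs a reboot to take effect.
if ($Reboot) { Restart-Computer -Force }
```

The script only runs once the agent checks in, so it does nothing while the laptop stays offline, which is the limitation the answer describes.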
 
Jack Murphy (Owner, Author) Commented:
Thank you for the insight.  Do you have any recommendations on how to put this type of precaution in place?
0
 
Jack Murphy (Owner, Author) Commented:
Appreciate the advice, I will investigate further.
0
Question has a verified solution.
