Jack Murphy asked:

Remotely log off a fired staff member and delete their access from a work laptop at their home.

Fired Staff - Their work laptop is at home and offline. I'm looking for a mechanism to log off the user and delete their local account permissions as soon as their laptop comes online.

I have access to LabTech device management tools, and a Server 2008 R2 Active Directory synced with Office 365.

Cliff Galiher

If the computer already has the LabTech agent installed then theoretically you could create an automatic task to do this. I am not a ConnectWise expert though so I can't say specifically how that'd look... and it wasn't really what it was designed for.

If you don't already have a tool in place, you probably won't be able to accomplish this. This has been the realm of MDM solutions for years, but you have to already have it in place to initiate a remote wipe.

Jack Murphy (ASKER)

Any thoughts or ideas on a script that I could send from LabTech once it sees the laptop online and tell it to log off the user and lock the account?

My client feels confident they will get the laptop back but want to lock out the user if they attempt to log back in.  I don't think the user is smart enough to make sure they are offline when / if they attempt to log into the machine before they return it.

Is the machine domain joined and does the user log in with a domain account or local account?

They log in with a domain account.

Am I correct that if they log in at their home, they will still be successful because the laptop will use its cached domain credentials and not be able to communicate with the server to know the password has changed?

Correct. And Windows doesn't offer an API to clear cached credentials. Assuming no group policy overrides it, you could set the local security policy (via registry) to not cache credentials, and that'd effectively clear existing credentials. BUT it requires a reboot to kick in. And the user can log in... and chances are they won't be rebooting if they are up to no good. They may not be smart enough to disconnect from the network, but they probably won't intentionally do things like turn on a laptop and reboot without logging in either.

Issues like this are really tough "after the fact."  Without a tool already in place, I don't have a good solution for you.
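
The registry approach described in the answer above, as an added PowerShell example that is not part of the thread or anyone's posted script. It assumes the script runs as SYSTEM on the laptop (for instance queued in the RMM tool for the agent's next check-in), that the AD account has already been disabled on the domain side, that the local group is named `Administrators` (English Windows), and `EXAMPLE\departed.user` is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Intended to run as SYSTEM on the laptop.
param(
    # Hypothetical placeholder; substitute the departed user's DOMAIN\sAMAccountName.
    [string]$TargetUser = 'EXAMPLE\departed.user'
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name     = 'CachedLogonsCount'

# Record the current value so the change can be reverted when the laptop is reissued.
$previous = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name

# "0" (REG_SZ) tells Windows not to accept cached domain logons. A domain GPO for
# "Interactive logon: Number of previous logons to cache" will overwrite this value.
Set-ItemProperty -Path $winlogon -Name $name -Value '0' -Type String
$current = (Get-ItemProperty -Path $winlogon -Name $name).$name
if ($current -ne '0') { throw "Failed to set $name (still '$current')" }

# Drop the user from local Administrators if present; a non-zero exit code
# usually just means the account was not a member.
& net.exe localgroup Administrators $TargetUser /delete 2>$null | Out-Null
$removedFromAdmins = ($LASTEXITCODE -eq 0)

# Who is on the console right now (empty if nobody is logged on interactively)?
$consoleUser = (Get-WmiObject -Class Win32_ComputerSystem).UserName

# Emit one record for the RMM job log before the session is torn down.
New-Object PSObject -Property @{
    Computer          = $env:COMPUTERNAME
    PreviousValue     = $previous
    CurrentValue      = $current
    RemovedFromAdmins = $removedFromAdmins
    ConsoleUser       = $consoleUser
    Time              = (Get-Date).ToString('s')
} | Format-List

# Per the answer above, the setting only takes effect after a reboot; forcing one
# also ends any interactive session without waiting for the user.
Restart-Computer -Force
```

The script only runs once the agent can reach the laptop, so it does nothing while the machine stays offline.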

Thank you for the insight. Do you have any recommendations on how to put this type of precaution in place?

ASKER CERTIFIED SOLUTION
Cliff Galiher
This solution is only available to members.

Appreciate the advice, I will investigate further.