Someone asked:
How to block PCs in Active Directory by operating system

Hello IT people 😁

I need to block all the Windows 7 PCs in Active Directory. Is there any way to do this?
Disabling the account doesn't work.
Hayes Jupe (Australia):

Sorry, but what exactly do you mean by "block"? If you mean make it so Windows 7 PCs can no longer log on to the domain: yes, disabling the computer account will work, after the Windows 7 client next reboots.
Someone (asker):

It doesn't work.
I tried logging out and restarting, but the user can still log in.
Cached account, probably.

If you try to log on with an account that has not previously logged onto the machine, you won't be able to.

In order to work around the cached-account issue, you can use a GPO with the following setting:
Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Number of previous logons to cache = 0
Someone (asker):

I'll try it and see how it goes.
But if their AD accounts are disabled, I don't think they will get Group Policy updates.

Correct. Disabling user accounts is enough. They can log in with cached credentials but that's all. They cannot use domain resources anymore (shared folders etc.)
Someone (asker):

Yeah, then it doesn't work, like I said in the question.
So, is there any solution to block the computers by operating system?
Because I don't want anything older than Windows 8 in my domain.
ASKER CERTIFIED SOLUTION
Hello There:

This solution is only available to members.
Someone (asker):

What I want is for all the computers to have Windows 8 or higher.
So, deleting them will prevent them from joining the domain again?
You do realize that Windows 10 upgrades are still free, right?
Besides, if these computers are domain-joined, there must be a reason for them to still exist.
Maybe the boss should decide why they are still Win 7 and what to do?
Users shouldn't be able to add their own machine to a domain. That right should be for a domain admin only.

If you delete computer accounts from ADUC, the trust relationship between these computers and the domain will break, and then users won't be able to access anything in the domain.
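As an added example (not code from this thread or from any of the posters), the approach discussed above in PowerShell with the RSAT ActiveDirectory module: enumerate computer accounts by the self-reported operatingSystem attribute, move them into a quarantine OU that has the "Number of previous logons to cache = 0" GPO linked while the computer accounts are still enabled (a disabled computer account can no longer authenticate, so it never pulls the policy), confirm on the client that the policy landed, and only then disable the accounts. It also reads ms-DS-MachineAccountQuota, because with the default of 10 any authenticated user can rejoin a machine whose account was deleted. The OU name "OU=Quarantine-Win7,DC=example,DC=com" and the domain are hypothetical placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and a
# pre-created OU (hypothetical name below) with a GPO linked that sets
#   Interactive logon: Number of previous logons to cache = 0
Import-Module ActiveDirectory

function Get-LegacyComputer {
    [CmdletBinding()]
    param([string]$OsPattern = 'Windows 7*')

    # operatingSystem is written to AD by the client itself, so it is self-reported and
    # may be stale. Filter on the name, not OperatingSystemVersion: Windows 7 and
    # Windows Server 2008 R2 both report 6.1.
    Get-ADComputer -Filter "OperatingSystem -like '$OsPattern'" `
                   -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Select-Object Name, Enabled, OperatingSystem, OperatingSystemVersion,
                      LastLogonDate, DistinguishedName
}

function Move-LegacyComputerToQuarantine {
    # Stage 1: move the accounts while they are still enabled, so the quarantine GPO
    # (cached logons = 0) is applied on the clients' next policy refresh.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$QuarantineOu,
        [string]$OsPattern = 'Windows 7*'
    )
    foreach ($c in Get-LegacyComputer -OsPattern $OsPattern) {
        if ($c.DistinguishedName -like "*,$QuarantineOu") { continue }   # already quarantined
        if ($PSCmdlet.ShouldProcess($c.Name, "Move to $QuarantineOu")) {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOu
        }
    }
}

function Test-CachedLogonsCount {
    # Run on a client (e.g. via Invoke-Command) before disabling. The GPO setting is
    # stored as the CachedLogonsCount string value under Winlogon; default is "10".
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $value
        Compliant         = ($value -eq '0')
    }
}

function Disable-LegacyComputer {
    # Stage 2: run after the clients have refreshed policy and rebooted once, so no
    # cached domain credentials remain. Disabling breaks the machine's ability to
    # authenticate to the domain; the computer object itself is kept for the audit trail.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OsPattern = 'Windows 7*')
    foreach ($c in Get-LegacyComputer -OsPattern $OsPattern | Where-Object Enabled) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Disable computer account')) {
            Disable-ADAccount -Identity $c.DistinguishedName
        }
    }
}

function Get-MachineAccountQuota {
    # If this is the default (10), a deleted machine can simply be rejoined by any
    # authenticated user, which undoes the "delete the computer account" approach.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Usage: preview with -WhatIf first, then run each stage for real.
$quarantineOu = 'OU=Quarantine-Win7,DC=example,DC=com'   # hypothetical
Get-LegacyComputer | Format-Table -AutoSize
Move-LegacyComputerToQuarantine -QuarantineOu $quarantineOu -WhatIf
Invoke-Command -ComputerName (Get-LegacyComputer).Name -ScriptBlock ${function:Test-CachedLogonsCount}
Disable-LegacyComputer -WhatIf
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
```

The stage order is the point: the thread is right that a disabled computer account stops receiving Group Policy, so the cached-logons setting has to reach the client before the account is disabled, and a user who already has cached credentials keeps local access until the client has applied the policy and rebooted once. Setting ms-DS-MachineAccountQuota to 0 (and delegating join rights explicitly) is what actually stops a deleted machine from being rejoined by its user.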
Someone (asker):

Scott Silva

Believe me, I don't care which operating system is running on the machines, but the security department requested it 😁
Someone (asker):

"If you delete computer accounts from ADUC, the trust relationship between these computers and the domain will break, and then users won't be able to access anything in the domain."

Sounds like a solution 🤩