Laptops on Domain

How do people deal with this?

We have never had a formal process for dealing with it and despite my attempts to try and keep some sort of organisation with regards to laptops, my cries are falling on deaf ears!

We loan laptops to those with particular needs (this decision is taken by staff elsewhere) and there are also a number of people who are given laptops on a more permanent basis. We cannot guarantee that these people will use the laptops on site and therefore log on to the domain.

We also have a more general problem of Active Directory 'clutter'. If machines fail they don't get removed before re-imaging etc. At the moment I perform a cleanup - I disable machines that have not been logged on in ~60 days and move them to a 'Recycle Bin' OU. This works quite well with PCs which we control on site but with laptops it isn't really possible - I've only managed to remove laptops that have not logged on to the domain in 500 days as I can say with some certainty these no longer exist.

Ideally I would like those with laptops to be forced to return them periodically - so we can perform the WSUS updates and do any other work required. Is there any way I can achieve this? Can I write a small application to log off a user if the laptop has not been logged onto the domain for x days?

How does everyone else cope with this?
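
The cleanup described in the post above (disable computer accounts with no domain logon in ~60 days, then move them to a 'Recycle Bin' OU), written out in PowerShell as an added example that is not part of the original thread. The OU distinguished names and the parameter names are placeholder assumptions, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder DNs (assumptions), not values from the thread.
    [string]$SearchBase = 'OU=Desktops,DC=example,DC=local',
    [string]$RecycleOu  = 'OU=Recycle Bin,DC=example,DC=local',
    [int]$StaleDays     = 60
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is replicated to every DC but, by default, is only
# refreshed when the stored value is 9-14 days old, so it suits thresholds
# well above two weeks and nothing finer.
$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties lastLogonTimestamp, whenCreated |
    Select-Object *, @{ Name = 'LastSeen'; Expression = {
        # Accounts that have never logged on have no timestamp; fall back to
        # the creation date so freshly joined machines are not disabled.
        if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        else { $_.whenCreated }
    } } |
    Where-Object { $_.LastSeen -lt $cutoff }

foreach ($c in $stale) {
    $note = 'Disabled {0:yyyy-MM-dd}; last domain logon {1:yyyy-MM-dd}' -f (Get-Date), $c.LastSeen
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable and move to $RecycleOu")) {
        # Record why the account was disabled, then disable before moving,
        # because the distinguished name changes once the object is moved.
        Set-ADComputer   -Identity $c.DistinguishedName -Description $note
        Disable-ADAccount -Identity $c.DistinguishedName
        Move-ADObject    -Identity $c.DistinguishedName -TargetPath $RecycleOu
    }
}

# Emit what was selected so it can be kept as a record of the cleanup.
$stale | Select-Object Name, LastSeen, DistinguishedName
```

Run it with `-WhatIf` first to list what would be touched without changing anything. A second run pointed at a laptop OU with `-StaleDays 500` gives the longer threshold the post uses for laptops.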
 
Are you asking if they are thin client? If so - the answer is no.

If you are suggesting thin client, the answer would be the same - we just want to manage the existing infrastructure efficiently. Throwing a lot more money at it is not an option.
 
Instead of removing the accounts, just disable them. That'd force them to bring the machine back in. Also, you can cache domain credentials on laptops and just make them use those instead of a local account, which it sounds as though you may be doing.
 
If you disable the account when the machine is no longer connected to the domain, how will it know its account has been disabled?
 
Instead of removing the accounts, just disable them. That'd force them to bring the machine back in. Also, you can cache domain credentials on laptops and just make them use those instead of a local account, which it sounds as though you may be doing.

Yeah, but unfortunately they aren't actually logging onto the domain.

Think I'm going to have to write a small application which will check when the domain was last logged on to. If it's not within a certain number of days it will auto-log off that user and ask them to bring the laptop in. I can't see other ways around it.
 
Think I'm going to have to write a small application which will check when the domain was last logged on to. If it's not within a certain number of days it will auto-log off that user and ask them to bring the laptop in. I can't see other ways around it.

Make sure you get the green light from up top (assuming you're not them). Chances are if you don't, this will happen to the MD while he is in an important meeting making a presentation.
 
I can't understand what you're trying to do?

What's the issue with them logging back into the domain and why are you disabling them if they haven't logged in?

And what's with it not logging in for 500 days!!! You should be asking yourself where it has gone, as someone has clearly stolen it!

There shouldn't be any clutter in AD if you need to reimage, just give it the same name as before.

Can you not make a list of who currently has the laptops and if you want to ask them a question about it just call them. Surely if they belong to work this should be fine.
 
So no remote access? Surely you need domain access to access mail/apps etc?

We use OWA. They don't necessarily use apps on the network.

What's the issue with them logging back into the domain and why are you disabling them if they haven't logged in?

We have people who work in the community - these laptops rarely come near our office space.

And what's with it not logging in for 500 days!!! You should be asking yourself where it has gone, as someone has clearly stolen it!

There shouldn't be any clutter in AD if you need to reimage, just give it the same name as before.

Unfortunately not - some of these laptops are decommissioned and no-one has ever taken the time to take a proper inventory (I'm new!). There is plenty of AD clutter (again I'm new - I'm the only person who has ever attempted to clean it up!). People 'move' so a machine which previously may be called 'ROOM123-JBLOG' becomes 'ROOM234-JBLOG' after a re-image. No-one ever drops ROOM123-JBLOG off the domain (therefore disabling it) before re-imaging. It's a complete nightmare.

Plus I've been told they don't want to rename machines - they drop them off and then give them a new name as re-naming while on the domain gives (and I quote...) "funny issues". Anyway - that is part of my wider problem. My question really is - how the hell do I deal with these laptops.. I want to force them back to our main site periodically.

Can you not make a list of who currently has the laptops and if you want to ask them a question about it just call them. Surely if they belong to work this should be fine.

If only!

This place works on a 'take the route of least hassle'... except now it's beginning to bite them in the rear and I'm trying my best to get on top of it.
 
On a wider note - how does everyone else cope with asset management? We have NOTHING at the moment. Someone kept an Access database of machines a while ago but it's useless. I have set up Systems Center Config Manager which helps - but only if Active Directory is free of clutter and the machine sits on the network periodically!
 
Naming machines by a room name is silly.

Stick with a name that can stay the same. That way when it's formatted the same name can be given.


For example

AD-LAP-01
AD-LAP-02
And so on
 
Also get a list of people who currently have laptops and ask them to come in once a month or even once every 3 months.

If that's not doable, and if the laptop is not coming near your office at all, just don't add it to the domain at all.
 
Also get a list of people who currently have laptops and ask them to come in once a month or even once every 3 months.

If that's not doable, and if the laptop is not coming near your office at all, just don't add it to the domain at all.

This.

Keeps your arse covered re AV and updates - do you use WSUS?
 
Naming machines by a room name is silly.

Stick with a name that can stay the same. That way when it's formatted the same name can be given.


For example

AD-LAP-01
AD-LAP-02
And so on

Again - I didn't come up with the naming convention. But I understand why they have used rooms in the names - there are approx 1500 machines - spread across 6 sites and about 150-200 rooms. No-one has ever kept any asset data - no one knows where each asset is or indeed what it is so as I understand it they use the room name in the machine name to locate the machine - of course this falls apart when the machine is moved!

Before I tackle that though, I'm going to have to get this laptop thing sorted. It's beginning to annoy me inside!!!!
 
This.

Keeps your arse covered re AV and updates - do you use WSUS?

Yes we do.

Part of the thing that concerns me is that these machines are not getting their updates. I want to try and standardise versions of software etc and get licensing sorted because seriously - no-one knows what is where.
 
Does the IT equipment have unique asset tags? How does the company keep track of who has what piece of equipment? (If they don't know then I guess that explains these rogue computer accounts that are nearly 2 years old)

Our equipment all has unique asset tags that are used to name the PC/Laptop so you could have PC12345 or LTOP13579 etc. Then use these in your asset register whatever it may be, even a set of Excel spreadsheets would suffice containing Asset number, Serial No. (for people who like to remove the asset tags), Make/Model etc plus any more info you need such as location of said piece of equipment (helpful in finding out users who decide that they have the authority to move equipment around themselves without telling the IT department, you can then make them move it back).

Regarding the issue of users not bringing laptops back in to the office, perhaps enforce some sort of password reset group policy that will force people to come in the office to reset the password every 6 months or so? They'd get plenty of notice with the 'Your password will expire in 21 days' or whatever notice period you want to give them.
 