Laptops on Domain

[brainchylde]

How do people deal with this?

We have never had a formal process for dealing with it and despite my attempts to try and keep some sort of organisation with regards to laptops, my cries are falling on deaf ears!

We loan laptops to those with particular needs (this decision is taken by staff elsewhere) and there are also a number of people who are given laptops on a more permanent basis. We cannot guarantee that these people will use the laptops on site and therefore log on to the domain.

We also have a more general problem of active directory 'clutter'. If machines fail they don't get removed before re-imaging etc. At the moment I perform a cleanup - I disable machines that have not been logged on in ~60 days and move them to a 'Recycle Bin' OU. This works quite well with PC's which we control on site but with laptops it isn't really possible - I've only managed to remove laptops that have not logged on to the domain in 500 days as I can say with some certainty these no longer exist.

Ideally I would like those with laptops to be forced to return them periodically - so we can perform the WSUS updates and do any other work required. Is there any way I can achieve this? Can I write a small application to log off a user if the laptop has not been logged onto the domain for x days?

How does everyone else cope with this?

 

[brainchylde]

Are you asking if they are thin client? If so - the answer is no.

If you are suggesting thin client, the answer would be the same - we just want to manage the existing infrastructure efficiently. Throwing a lot more money at it is not an option.

 

[brainchylde]

Would I not need some server infrastructure to support that though?

 

[brainchylde]

instead of removing the accounts, just disable them. That'd force them to bring the machine back in. Also, you can cache domain credentials on laptops and just make them use those instead of local account which it sounds as though you may be doing.

Yea but unfortunately they aren't actually logging onto the domain.

Think I'm going to have to write a small application which will check when the domain was last logged on to. If it's not within a certain number of days it will auto-log off that user and ask them to bring the laptop in. I can't see other ways around it.

 

[brainchylde]

so no remote access? Surely you need domain access to access mail/apps etc?

We use OWA. They don't necessarily use apps on the network.

Whats the issue with them logging back into the domain and why are you disabling them if they haven't logged in?

We have people who work in the community - these laptops rarely come near our office space.

And whats with it not logging in with 500 days!!! You should be asking yourself where has it gone as someone has clealy stole it!

There shouldn't be any clutter in AD if you need to reimage, just give it the same name as before.

Unfortunately not - some of these laptops are decommissioned and no-one has ever taken the time to take a proper inventory (I'm new!). There is plenty AD clutter (again I'm new - I'm the only person who has ever attempted to clean it up!). People 'move' so a machine which previously may be called 'ROOM123-JBLOG' becomes 'ROOM234-JBLOG' after a re-image. No-one ever drops ROOM123-JBLOG off the domain (therefore disabling it) before re-imaging. It's a complete nightmare.

Plus I've been told they don't want to rename machines - they drop them off and then give them a new name as re-naming while on the domain gives (and I quote...) "funny issues". Anyway - that is part of my wider problem. My question really is - how the hell do I deal with these laptops.. I want to force them back to our main site periodically.

Can you not make a list of who currently has the laptops and if you want to ask them a question about it just call them. Surely if they belong to work this should be fine.

If only!

This place works on a 'take the route of least hassle'... except now it's beginning to bite them in the rear and I'm trying my best to get on top of it.

 

[brainchylde]

Make sure you get the green light from up top (assuming you're not them). Chances are if you don't, this will happen to the MD he is in an important meeting making a presentation.

Yes - good point. I'll ensure it doesn't make it on to senior management laptops.

 

[brainchylde]

On a wider note - how does everyone else cope with asset management? We have NOTHING at the moment. Someone kept an access database of machines a while ago but it's useless. I have set up Systems Center Config Manager which helps - but only if active directory is free of clutter and the machine sits on the network periodically!

 

[brainchylde]

Naming machines by a room name is silly

Stick with a name that can stay the same. That way when its formatted the same name can be given.


For example

AD-LAP-01
AD-LAP-02
And so on

Again - I didn't come up with the naming convention. But I understand why they have used rooms in the names - there are approx 1500 machines - spread across 6 sites and about 150-200 rooms. No-one has ever kept any asset data - no one knows where each asset is or indeed what it is so as I understand it they use the room name in themachine name to locate the machine - of course this falls apart when the machine is moved!

Before I tackle that though, I'm going to have to get this laptop thing sorted. It's beginning to annoy me inside!!!!

 

[brainchylde]

This.

Keeps your arse covered re AV and updates - do you uses WSUS?

Yes we do.

Part of the thing that concerns me is that these machines are not getting their updates. I want to try and standardise versions of software etc and get licensing sorted because seriously - no-one knows what is where.

 

[brainchylde]

I was being quite sad and actually thinking about this and I'm a little shocked really.

You're obviously not some tin pot organisation with 1500 machines.

Say an average cost of £500 per machine, that's £750,000 worth of assets alone that you don't know what they are, where they are, or who has them???

You're not wrong - although obv some machines have depreciated in value - but also think about the other kit - printers, networks etc. It's a complete joke. We obviously know where the majority of kit is, but laptops - in general, we have no idea!

This isn't even my job, but I'm so fed up of things as they are that I want to make a stand. My official title is Software Dev. Myself and a colleague who joined at the same time as me both feel the same way. The way things are just makes it very very difficult to work and make progress. There is a great resistance to any change.

And - to whoever said Govt - no. Public money - yes. We are not subject to audit controls in IT per se. Finance audits tend to cover larger items of expenditure like our servers but desktops - nothing.

Thanks all for the suggestions - it's certainly given me some good ideas. Hasn't really told me anything I don't know but I'll definitely push for some of the changes recommended.