Question: How to force staff laptops to be connected to the network once every X-Time

We're looking for a solution at work to ensure that staff with laptops issued to them bring them to work and connect them to the network every X days so that they get updates from our systems which they don't at home.

We want a solution where a laptop would become disabled (locked/unable to log in) if a "token" expired. Logging onto the network every X time will renew the token.

I am sure there are already solutions but googling has been unhelpful as yet.

Thanks in advance.
 
There are probably some products out there, but if I was to do my own I'd write a little VBS that pings at start-up a device/server that is only accessible at work, then pipe that to a log file. The VBS, when run, will check the date from that log, and if it's older than 30 days, when they log in, have a message box appear that tells them the laptop needs taking to work, and then auto-log them off, rendering the laptop useless.

Obviously a user who has their wits about them could end wscript.exe from task manager and get around it, depends how clever your users are. I know 95% of our users would just obey lol
 
Our users are (L)users. No chance of them knowing what wscript.exe is :D

Nice idea with the script, but ideally we'd like a centralised system with reporting, i.e. the script wouldn't be able to tell us that it's not been connected.
Also we'd like to be able to force them to bring the laptop to the IT dept once it has expired (for a customary knuckle rap) to be re-enabled. Of course the script could do it as well.
 
You could have the script attempt to contact a server on your network each time it runs. If I were to write this, it would probably be something like below (using structured English):

Code:
IF SERVER is available
    Assume laptop connected to LAN
    Write last logon time to log file on SERVER
    Update token
    Do other stuff
ELSE
    Get last LAN logon from file/token
    Compare last LAN logon date with current date
    IF time since last LAN logon > 30 days
        #code to shutdown/logoff laptop

How to test whether a server is online depends on which scripting language you use. :)
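The structured English above, carried through as a small working model (an added example, not code from this thread or any product). It adds a "warn" state a couple of days before expiry; the server probe callback, the file paths and the host name are assumptions for illustration.

```python
"""Token-based 'bring it back to the LAN' check (added example, not code from the
thread).  Renew the token when the work server answers, otherwise compare the token
date with today.  Probe callback, file paths and host name are assumptions."""
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Callable

MAX_DAYS = 30   # token lifetime: days allowed between LAN contacts
WARN_DAYS = 2   # start warning this many days before the token expires


def evaluate(last_lan_iso: str, today_iso: str,
             max_days: int = MAX_DAYS, warn_days: int = WARN_DAYS) -> tuple[str, int]:
    """Classify a token date: returns (state, days_left), state is ok/warn/expired."""
    elapsed = (date.fromisoformat(today_iso) - date.fromisoformat(last_lan_iso)).days
    days_left = max_days - elapsed
    if days_left <= 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


def run_check(token: Path, server_log: Path, server_up: Callable[[], bool],
              today_iso: str, host: str = "LAPTOP01") -> str:
    """One scheduled-task run.  The ELSE branch trusts the local clock and the local
    token file, which is the easy circumvention the thread already acknowledges."""
    if server_up():
        token.write_text(today_iso)                 # renew the local token
        with server_log.open("a") as f:             # central record for reporting
            f.write(f"{host}\t{today_iso}\n")
        return "ok"
    if not token.exists():
        return "expired"   # never issued a token: treat as overdue, not as valid
    state, _days_left = evaluate(token.read_text().strip(), today_iso)
    # a real deployment would show a message box on "warn" and log the user off on "expired"
    return state


def demo() -> tuple[list[str], list[str]]:
    """Simulate one laptop: at work on day 0, at home on days 10, 29 and 31, back on day 31."""
    start = date(2010, 7, 1)
    with tempfile.TemporaryDirectory() as d:
        token, log = Path(d, "lan.token"), Path(d, "lastseen.log")
        timeline = [(0, True), (10, False), (29, False), (31, False), (31, True)]
        states = [run_check(token, log, lambda up=up: up, (start + timedelta(days=n)).isoformat())
                  for n, up in timeline]
        return states, log.read_text().splitlines()
```

The server-side log is what gives the central reporting asked for later in the thread: one line per LAN contact, per host.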
 
We like the script idea.
BUT due to the nature of our environment (academic), laptops are frequently used disconnected from the network and only connect at a point of need. So a server/agent based system would be the ideal solution, where an agent is constantly running trying to poll a server, and the server keeps track of when an agent last connected; the agent has the time-out features installed and enacts them when a set time-out is reached.

Again a script could be set to run every X Mins to try and poll a server.
Again of course I could write a client and server to do all of this without much hassle.

But a pre-existing solution would be preferable. More features and better Fit-and-finish.
Let's be honest, IT engineers aren't renowned for our designs being very "usable". They are however very functional.

(Google vs Apple being a prime example, Google's stuff "WORKS" whereas Apple's stuff is easy to use... Google designed by engineers....)
 
Do you have an SQL server on site? Just have the VBS pipe an entry to an SQL database when it was last connected if you really want to manage it from your end.

Also, you could get the SQL to alert you when a laptop is due to expire in 1-2 days and be proactive and tell the users it's going to expire. Could all be automated by e-mail etc

Plenty of options to play with
 
Having a scheduled task running a tiny script is, in my opinion, a better fit and finish. It will take you probably only a few hours to write and test. You can deploy it via group policy and then you're done.

No point using an off the shelf solution for something so simple, especially as you have just admitted you could write a server/client agent yourself.
 
I agree, scripting is by far the easiest solution.

But my managers don't like using scripts (don't ask) for anything, and much prefer a solution from an external provider. My contract here is up in 6 months and then they'll be left with no-one who can properly script so any support later on will be lost (probably half the reason they don't like scripts)

So for the sake of the argument we'll inevitably have (me and managers) are there/do you know of any off the shelf solutions?
 
Unfortunately not.

If you aren't allowed to use the tools provided - and assuming a third-party product does not exist - you may have to go down the route of making it one of the conditions of using the laptop to connect to the network at least once every 30 days, or whatever.
 
250+ Laptops

We can make it a condition of use of course. but academics don't listen. to anyone. least of all "support staff"

We would be allowed to use scripts if it was a last resort. But it would probably be a last possible solution.

I appreciate your help, and hopefully it'll be useful.
It would be easier if there was a pre-existing solution as that would save me having to justify why scripts are the best solution and convince them that I HAVE looked and there are NO existing solutions.
 
We have 400+ at work and they are really hard to manage. I agree, academics don't listen and never will unless above force it as policy.

What I would be tempted to do is, instead of resorting to IT to give an answer, ask your boss to talk to a higher-up boss to send an email (you do use email, don't you?) to ensure all laptops are returned to be checked and audited. I hate it when people think everything is an IT solution.
 
> I hate it when people think everything is an IT solution.

Same here! This is clearly a management/policy issue. HR wouldn't have a problem with enforcing policy over other company equipment, why many think PCs/Laptops are any different I will never know!
 
hahaha.... Yeah.... HR ain't going to do sh!t.....

We tell them not to eat on their laptops and they still come back with food in them...


We DO run Win 7 and a KMS.
BUT the KMS has only been in place for 3 weeks as we've just moved from MAK to KMS.

AND due to the infrequency and unpredictable nature of laptops being (or not, as the case may be) connected, it's virtually impossible to use VAMT to roll out the KMS keys as you've got to do it when the machine is on the network.

And yes we've already considered it. It's part of the reason we're switching to KMS at all.

On the side, we've not worked out how to change the time-out on KMS activations yet, but I get the feeling it's quite easy.



Due to the independent nature of my employer there are certain deeply ingrained attitudes that will not be changed any time soon. Overtime for server relocation on a Saturday was denied. It's that bad.

There must be a system ultra paranoid big corporations use to force staff laptops to connect to the staff network for security updates and so on....
 
Personally I'd keep it simple..
AT10 is a scheduled task, which in 30 days from creation will cause the laptop to shut down after 5 minutes and display a request asking them to take it back to the school (Windows logon for all users). This scheduled task is created by a batch file in the All Users startup folder.

Logon script deletes the batch script and removes the scheduled task from the local computer and also copies a new copy at network logon into the "All Users startup folder"; this batch script is updated daily to be 30 days in the future.

Most of this scripting would be pretty easy to do, the only problem I see is making the batch script refresh, but again I can't see that being too hard.


Logon to network > batch script removed/AT10 removed if present > new batch file uploaded.

Logon at home > batch file runs, 30 days starts.

Log back in at work > batch script removed > scheduled task removed > new batch file copied.

Clearly it'll be easy to circumvent for anyone with the common sense to do it.
 
> There must be a system ultra paranoid big corporations use to force staff laptops to connect to the staff network for security updates and so on....

You'd be surprised, but in general many have Information Governance departments which enforce it, they lock out USB devices and ensure laptops can't be attached to home network by locking out user admin rights etc. I'm guessing your company won't be into doing that though, as it'd annoy people too much.

I work in IT, I'm a senior member of IT staff yet I can't even burn an ISO at work - if we want to we have to use a PC that isn't on any domain as it's considered a security risk. There are no exceptions, if it's good enough for our users, it's good enough for the IT department and I have to say - I like it.

I think the big difference is that my managers are ALL ex-IT techs; having worked under non-IT-knowledgeable managers, it really does make a world of difference.

We don't enforce laptops being on the network every X number of days, but if we did you can bet that IT staff would be expected to lead the way with Information Governance hanging over our shoulders to ensure it's done fairly and that all staff, in every department do it or face a disciplinary panel.
 
Great idea. But, as with lots of things, there could be an issue.
For example, because laptops retain AD login information (so they can log onto their machines when not at work), frequently they do not plug into the network while at work until they actually need to access something (network drives).
Thus what a teacher perceives as connecting to the network will in fact not reset the counter. Same with setting a delay (of, say, 5 mins for example).

You've got no guarantee of hitting the time frame when they're connected.

This summer we rolled out Windows 7 to all staff laptops and desktops, so whatever solution we come up with, we have to pull all laptops back in under the guise of "updates" to install whatever solution we come up with (we'll also be installing a remote software deployment suite with a remote connection suite, so that'll help later on).
 
Change your GPO so that AD credentials are cached only for a week or so?

Your policy will make it clear that staff need to log on every X number of days, or they may see a message along the lines of 'unable to contact domain controller' (I forget the exact format for the message).
 
"There are Currently No Logon Servers Available"
If there's an option to do that in AD, then that's the best option. Like it!

I assume that would require gpupdate on each client as it wouldn't be sent down if they weren't connected at startup..

But good option
 