Question: How to force staff laptops to be connected to the network once every X-Time

Actually that's a good point, dave. Even if you can't find the GPO, a script could easily alter the registry entry to tell Windows not to cache the credentials [setting the key to 0 would wipe out any previously held logons].

Setting it for a suitably short period of time - say a few days to a week - would mean people should get into the habit of bringing their laptops in.
 
In our circumstance we'd probably be fine with a week off the network; the following week, set their background to a message telling them to bring them to work in X days or it'll stop working.

Surely after the credentials expire due to the registry key being set to 0 they would be able to log back in once connected to the network. BUT without a restart the GPO wouldn't be re-applied (thereby resetting the key to allow caching) AND then re-scheduling the task to disable it in X days.


The same with "resetting" the countdown before the key is set to 0 (i.e. in the 2nd week, after the warning background).
 
Well yes. BUT again, how do you run gpupdate unless you attempt to run it at every login?
Do you see what I mean?
As far as I know there's no way to force gpupdate to run each time it connects to any network (which is what you'd have to do to get it to reset the counter if they connect prior to the lockout, i.e. preventatively).




(In general we're almost there, and given the ideas so far a solution should be possible.)
 
Just a thought: you can schedule a script to call the command slmgr -upk, which will uninstall the current product key and return Windows to its trial state... Whether or not KMS will reactivate them again is something I've not tried. By the time the key has been uninstalled, it'll probably allow them another x days to reactivate before Windows is limited, but I'm just brainstorming...
 
Switch, unfortunately I can't find any GPO that limits how long cached credentials last, so it looks like you would have to change the registry to disable cached logons. Though this means the use of a script, which you have already said no to - unless you can convince the higher-ups.

Assuming you do go the script route then as before, simply have it record the date of the last successful domain logon and check it against the current date every time the user logs on. If it goes over the specified time period, disable caching.

The same script can just gpupdate /force on a successful domain logon to reset the cached credentials reg entry.
 
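The check described above (record the last successful domain logon, compare it to today at each logon, disable caching past the limit, gpupdate when back on the domain), worked through as an added PowerShell example. This is not code from the thread or from any poster; the 14-day limit, the 7-day warning, the state key under HKLM:\SOFTWARE\ITDept\LaptopCheckIn and the cache count of 10 are my assumptions. The Winlogon value CachedLogonsCount is the real registry setting the thread refers to (it is also exposed as the security option "Interactive logon: Number of previous logons to cache").

```powershell
# Added example, not from the thread. Run as SYSTEM from a logon-triggered task, e.g.
#   schtasks /Create /TN LaptopCheckIn /SC ONLOGON /RU SYSTEM /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\ITDept\LaptopCheckIn.ps1"
# Assumptions (mine): limits below, state key path, normal cache count.
$MaxDaysOffDomain   = 14
$WarnAfterDays      = 7
$NormalCachedLogons = 10   # Windows default; use whatever your GPO sets
$StateKey    = 'HKLM:\SOFTWARE\ITDept\LaptopCheckIn'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-CachedLogons([int]$Count) {
    # CachedLogonsCount is stored as a string (REG_SZ), not a DWORD.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
}

function Get-LastDomainLogon {
    $p = Get-ItemProperty -Path $StateKey -Name LastDomainLogon -ErrorAction SilentlyContinue
    if ($p) { return [datetime]::Parse($p.LastDomainLogon, [cultureinfo]::InvariantCulture) }
    return $null
}

function Set-LastDomainLogon {
    # Round-trip ('o') format so the date parses back regardless of locale.
    Set-ItemProperty -Path $StateKey -Name LastDomainLogon -Value (Get-Date).ToString('o')
}

function Test-DomainReachable {
    # True only when the machine account's secure channel to a DC is live,
    # i.e. the laptop is really on the domain (LAN or VPN), not just "online".
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { return $false }
}

function Invoke-LaptopCheckIn {
    if (-not (Test-Path $StateKey)) { New-Item -Path $StateKey -Force | Out-Null }

    if (Test-DomainReachable) {
        # On the domain: record the check-in, restore caching and let GPO reapply.
        # This is the "reset the counter" step; logon is the one reliable moment
        # a roaming laptop gives you, so the task runs then rather than on network change.
        Set-LastDomainLogon
        Set-CachedLogons $NormalCachedLogons
        & gpupdate.exe /target:computer /force | Out-Null
        return 'checked-in'
    }

    $last = Get-LastDomainLogon
    if ($null -eq $last) {
        # No record yet (first run while away): start the clock instead of locking out.
        Set-LastDomainLogon
        return 'clock-started'
    }

    $daysAway = [int]((Get-Date) - $last).TotalDays
    if ($daysAway -ge $MaxDaysOffDomain) {
        # Past the limit. With CachedLogonsCount=0 the next logon needs a DC, so the
        # user has to bring the laptop in. The current session is not ended.
        Set-CachedLogons 0
        return 'cache-disabled'
    }
    if ($daysAway -ge $WarnAfterDays) {
        $left = $MaxDaysOffDomain - $daysAway
        # msg.exe pops a message box in every interactive session on the machine.
        & msg.exe * "This laptop has not seen the office network for $daysAway days. Connect it within $left days or you will be unable to log on."
        return 'warned'
    }
    return 'ok'
}

Invoke-LaptopCheckIn
```

Two caveats before deploying something like this. Keep a local administrator account with a known (ideally LAPS-managed) password on every laptop, because once CachedLogonsCount is 0 the only other way in is a domain controller. And treat it as a nudge, not a control: a user who is a local admin can set the value back, and the behaviour of already-cached verifiers after the value drops to 0 is exactly the thing to confirm on the test VMs the thread suggests.
 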
Definitely think a script is the way to go, one running on the local computer, but make sure it's in the same location on all laptops so you can update it easily with another script!
 
SirusB I think you've got it there.
A comprehensive script might be the way forward.

When you set the reg to disable cached logons, what happens to locally stored data (desktop items/My Docs) for the user(s) in question? Would it stay there and be accessible once re-logged on, or would it wipe it out? If you know, that saves a testing phase...


Nanobot - KMS will not automatically activate Windows UNLESS a new key is installed.

You have to install a KMS Client Key, which is more of a pointer key to tell Windows to look at DNS records for a local KMS server (as the KMS client key is the same for everyone; your KMS server holds your actual KMS key).
In theory a script could be written to do this, but then we just start racking up activations on the KMS server.
 
Nothing should happen to locally stored data. All that will happen is the user won't be able to log on to their machine until it can talk to the Domain Controller. Any new files/changes/settings that are normally saved to the server [folder redirection etc.] will be synced the next time they log off while on the domain.

Though to be frank, you should test this to be absolutely certain. All you need is a couple of VMs and some test files/folders.
 
Well obviously you'd do testing; it's just nice to know it can do it before having to test if it can at all!

Would anyone be interested in seeing the final product?
If/When it happens
 
I have given some thought to writing something myself. I don't have any laptops to worry about with my clients - at least none that go AWOL for more than a weekend - but as a learning exercise it has piqued my interest.

Anything you knock up I would be interested to see. I intend to write mine in PowerShell. :)
 
Mmmmm, PowerShell...
If you knock something up in PS I'd be very interested in getting a peek at it.

We've got laptops that we've not seen on the network for over a year (13 outstanding laptops from the Win7 upgrade)
 
Do you have any record of who those laptops were assigned to? An email stating they will be charged the full cost of the laptop ought to make them bring it back in! :p
 
Hah. Of course we do!
We're not utterly incompetent... ;)

Machines are named by SITE-SURNAME-TYPE

ie

SS-Smith-LP would be an SS-site laptop belonging to Mr Smith.


And again, it's an independent academic environment, which comes with its own brand of things which just don't happen.

Senior management don't/won't do anything to aggravate staff. They're all "old boys" if you catch my drift.

And don't get me started on Student facing hardware.........

Can't touch the little ******* even when presented with blatant criminal damage....
 
Christ. I am surprised you even got a Windows 7 rollout at that place. Sounds like installing a bloody update would take a month of meetings and secret handshakes.
 
Tell you what I would do.... warn your boss that this could be an issue where the laptops need to be returned/audited and updated..... Don't make it an IT solution; let them do what they want.

They are wasting your time... just remember the words 'told you so'. That will teach them. As I said before, I hate it when they think IT can solve everything! They just expect as much as possible from you when really it's not your problem! Meh.
 
It took a while to swing that one I'll tell you! And we're still battling the deluge of "Well it worked on the old system".

We have WSUS which handles all the connected machines (~500 desktops) for updates and such, so that's not an issue. But things like renewing the AV licence (Kaspersky; on a side note, NEVER USE IT!) are a massive pain in the arse.

On the upside it turns out the Kaspersky licence needs updating on all the staff laptops, so we'll have to recall them all anyway as that has to be done in person.

And as soon as their AV is 7 days out of date they can no longer access our "portal" to download/upload files from home.
woop woop
 
We have 4000+ desktops, 400+ laptops...... and just had a 50% staff cut.
 
Our portal system has endpoint detection which includes polling Windows for AV (which means any decent AV software that informs Windows of its presence will also inform Windows of when it was last updated). Therefore the portal knows when it was updated last.

Without AV updated in the last 7 days AND a form of firewall (Windows Firewall or another that Windows recognises) you can only download from the portal; no uploading allowed without up-to-date AV and FW.
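What that "polling Windows for AV" looks like from the laptop's side, as an added example that is not part of the thread or of the portal product: Windows Security Center registers AV products (and third-party firewalls) in the root/SecurityCenter2 WMI namespace, and the built-in firewall state comes from netsh. The bit masks used to decode productState (0x1000 = enabled, 0x10 = definitions out of date) are the commonly observed layout, not a documented Microsoft API, so treat them as an assumption to confirm against your own AV; WSC does not expose a "last updated" date, only the out-of-date flag, so a 7-day rule like the portal's has to come from the AV product itself.

```powershell
# Added example, not from the thread. Get-WmiObject rather than Get-CimInstance
# so it also runs on the Windows 7 / PowerShell 2.0 laptops the thread mentions.
# root/SecurityCenter2 exists on client SKUs only, not on servers.

function Get-AvStatus {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            # productState layout is an assumption (undocumented, widely observed):
            #   0x1000 set  -> real-time protection enabled
            #   0x0010 set  -> definitions out of date
            New-Object PSObject -Property @{
                Product  = $_.displayName
                Enabled  = (($_.productState -band 0x1000) -ne 0)
                UpToDate = (($_.productState -band 0x10) -eq 0)
                RawState = ('0x{0:X6}' -f $_.productState)
            }
        }
}

function Get-FirewallStatus {
    # The built-in Windows Firewall is not listed under FirewallProduct; read it
    # from netsh. Each profile prints a line like "State    ON" or "State    OFF".
    $text = & netsh.exe advfirewall show allprofiles state
    $on = @($text | Where-Object { $_ -match '^\s*State\s+ON' }).Count
    New-Object PSObject -Property @{ Product = 'Windows Firewall'; ProfilesOn = $on }
}

function Test-PortalReady {
    # Mirrors the rule in the thread: upload only with current AV and a firewall.
    $av = @(Get-AvStatus | Where-Object { $_.Enabled -and $_.UpToDate })
    $fw = Get-FirewallStatus
    return (($av.Count -gt 0) -and ($fw.ProfilesOn -gt 0))
}

Get-AvStatus | Format-Table Product, Enabled, UpToDate, RawState -AutoSize
"Upload allowed by the portal's rule: $(Test-PortalReady)"
```

Running this on a laptop whose Kaspersky licence has lapsed is a quick way to see exactly what the portal will see before the user discovers it from home.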
 