Ok, here's an odd one, but maybe a sensible one. I've been asked to stop laptops being able to log on if they haven't connected to the domain for a week.
Is it possible?
My understanding is that by default computers on a Windows domain have to log in every 30 days or the account is suspended.
I wonder if it is possible to reduce the time window.
If that was the case, most of the machines in our school would be suspended after the 6 weeks hols, and we've never had this. I ain't changed any setting to do this either.

AFAIK the accounts don't suspend. In Longhorn server there will be a quarantine function that suspends all network activity until AV and Windows updates are performed... until then I think you are out of luck.
WSUS will show you which machines haven't been connected recently. You could use this to clamp down on people. Combined with a School policy and some scare mongering it might help.
Well I suppose it would be possible to write a script to suspend the accounts in AD.
The main problem is checking that the machines are updated or not, unless the idea is to get a human to visually inspect the laptop.
If this is a move motivated by out of date AV software, surely just setting up AV auto updating and locking that down in AD would be enough?
Chris
It's motivated by our LEA's SIMS people who have found that laptops don't update SIMS properly if they've been away for a considerable period. The next time that they launch SIMS on the network there may have been 4 or 5 upgrades that they've missed so the updater doesn't work properly.
I'll have a look for something in the registry today to see if it timestamps the last group policy replication or similar and see if I can do something with that.
You can implement the 'network quarantine' function in W2k3 server too. Your sims people will have to supply some scripts that actually check what they want though.
http://www.microsoft.com/technet/its...uarantine.mspx
I'd endorse a solution whereby staff using their laptops in school on a daily basis negated the need for an elaborate technical kludge.
The real solution would be to have a decent update system for SIMS, or better still Capita could try a little harder to get it right the first time, so we wouldn't need an update every two and a half minutes.
/rant
No, that would just solve the SIMS problem.
<cynic>and it ain't going to happen.</cynic>

Through the DHCP you could. Create another scope which only the laptops can connect to and set the IP lease to 5 days; this would then stop the laptops from connecting to the network after 5 days. I think this would just be a short term fix for you at the mo, as Geoff mentioned in his reply:
Originally Posted by Geoff
It's been mentioned already but..... school holidays?

I created an MSI with a script that ran on login. It would have an expired date and once the script detected it was past this, people had to come back and have the machine reset as it would auto log them off otherwise. It is a little limited but it was all we needed.
There's obviously a few different ways to do this but another one that just occurred to me:
DSQuery computer -inactive 1
Would give you a list of inactive machines from the server end. You could then pipe the output to dsmod and disable the account. You just need to be a little careful if you have servers that you use RDP to control as it won't pick up logon events for these.
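
An added example (not code from any poster in this thread) of the server-side approach described in the last post, written in PowerShell with the ActiveDirectory module. It reads the non-replicated lastLogon attribute from every domain controller, because the replicated lastLogonTimestamp is by default only refreshed once it is 9 to 14 days old, which is too coarse for a one-week cut-off. The OU path and parameter names are assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Report-only by default: accounts are only disabled when -Disable is passed.
param(
    [string]$SearchBase = 'OU=Laptops,DC=example,DC=local',  # hypothetical OU
    [int]$MaxAgeDays = 7,                                    # the one-week window from the thread
    [switch]$Disable
)
Import-Module ActiveDirectory

# Abort on any failed query: a DC we could not reach would make machines look
# older than they are and produce false positives.
$ErrorActionPreference = 'Stop'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)
$latest = @{}

# lastLogon is stored per DC and never replicated, so ask every DC and keep
# the newest value seen for each computer account.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Server $dc.HostName -Properties lastLogon, OperatingSystem |
    ForEach-Object {
        # An empty lastLogon converts to 0, i.e. the year 1601 ("never seen here").
        $seen = [DateTime]::FromFileTimeUtc([long]$_.lastLogon)
        $dn   = $_.DistinguishedName
        if (-not $latest.ContainsKey($dn) -or $seen -gt $latest[$dn].LastSeen) {
            $latest[$dn] = [pscustomobject]@{
                Name = $_.Name; DN = $dn; OS = $_.OperatingSystem; LastSeen = $seen
            }
        }
    }
}

# Leave servers out, in line with the RDP caveat in the post above.
$stale = @($latest.Values | Where-Object {
    $_.LastSeen -lt $cutoff -and $_.OS -notlike '*Server*'
})

$stale | Sort-Object LastSeen | Format-Table Name, LastSeen, OS -AutoSize

foreach ($c in $stale) {
    # -WhatIf stays on unless -Disable was given, so a plain run changes nothing.
    Disable-ADAccount -Identity $c.DN -WhatIf:(-not $Disable)
}
```

Run it once without -Disable and review the table before letting it change anything; machines that were simply switched off over a holiday will appear in the list as well.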