No Laptop Network Use

[rh91uk]

Hi all

Need to be careful what I say here for obvious reasons. We have some issues where some staff do not bring their laptop into work and basically use it for personal gain.

I don't know if this is possible - but could we lock the laptop down (possibly by a script) where after a certain time (e.g. a month) it locks the laptop/makes it unusable/changes the password of a certain username when it hasn't been on our network?

I don't know if this is possible so please shout if it's not!


Thanks,

rh91uk

[thedarxide]

Only thing that springs immediately to mind is to prevent profile caching so that the laptop will not logon without a connection to the network, although I'm not sure that it's fully possible. We use it in the other direction and it's been a while since I set it up.

[dwhyte85]

Hello,

With a massive shortage of laptops within the school and staff in desperate need of a laptop as they don't have the luxury of an office too... we have the very same issue.

I would play it with the AV, Spyware & Update card... if they don't bring it in, they wont be able to use it via VPN/Network as you'll remove access. If that doesn't work, you are in a difficult situation without the laptop in hand you wont be able to set a scheduled task to run a script.

You could... have a script run every so often to delete the local profile or remove cached credentials after a certain time.

[SC-UK]

The only problem is that this will stop the laptop logging on away from the network at all. I think the OP wants the laptop to work fine away from the network for a month, and then insist on being returned to base so to speak.

Disabling profile caching could also be "fooled". As long as the user doesn't log out or shutdown (i.e. keeps placing the laptop into standby or hibernate), it will not stop it being used away from the network.

Tom

[dwhyte85]

The only problem is that this will stop the laptop logging on away from the network at all. I think the OP wants the laptop to work fine away from the network for a month, and then insist on being returned to base so to speak.

Disabling profile caching could also be "fooled". As long as the user doesn't log out or shutdown (i.e. keeps placing the laptop into standby or hibernate), it will not stop it being used away from the network.

Tom

Don't tell them how to circumnavigate it, eager teachers with pen and paper writing this down as we speak :-P

Presumably deleting via a VBS script on scheduled task might work (assuming they will have to restart at some point after the script has been run on 30 days away from school).

[powdarrmonkey]

If they are logging in with a domain account and cached credentials, you could reduce the cache time to a month, then they won't be able to log in until they have shaken hands with the domain again.


Edit: you could also write, or have written, a small tray app that after a month bugs them in an annoying way to handshake bring the machine on site... if you ask nicely, I might be persuaded for some kind of return favour.

[SC-UK]

Don't tell them how to circumnavigate it, eager teachers with pen and paper writing this down as we speak :-P

Oh no, it's much worse than that. They're reading this, and then typing it up on the laptops that they have been keeping alive by my advice!

[openaccess]

How about making the laptop account (if it is a domain one) expire after the month, so that they will no longer have access to it. Obviously, this wouldn't work if they used the same account to logon to the network normally, but it's just a thought?

[powdarrmonkey]

How about making the laptop account (if it is a domain one) expire after the month, so that they will no longer have access to it. Obviously, this wouldn't work if they used the same account to logon to the network normally, but it's just a thought?

That's an awful lot of admin overhead unlocking accounts for people all the time..

[elloyd69]

Write a section into the staff AUP too........to ensure they bring laptops in and connect to network at regular intervals for 'security updates'......make sure all staff sign the AUP. They then have it in writing. Hopefully this will help and they will 'be required to' bring them in..........

[Quackers]

The only thing i can think of is to the volume licence Vista/7 as they have to be Activated every 6 months from one of your internal servers i believe.

[psydii]

Embed a process across the school that requires daily or even lesson by lesson ICT access by staff. One that supports or is crucial to delivery on a SEF target is most effective.

Remove all PCs from classrooms.

Remind staff that the school furnish them with laptops.


I believe that using a laptop for 'personal gain' is not necessarily a bad thing. We have several members of staff whose non academic activities bring in Industry skills, experience and persons into the establishment, to the benefit of our students.

[azrael78]

It depends whether these laptops are under the LFT scheme or not.
I know that LFT laptop users here can pretty much use their laptops as purely personal resources, if they choose not to bring them in - there's little we can do.

In any case - it should be possible to modify the network login script in such a fashion so that workstations that login to it get a registry 'timestamp' somewhere.

You can write a small script that can live on the laptop, runs inside of local group policy that checks the timestamp, if it's not been updated in 'x' days or whatever - then you can make it do things.

I'd probably go down the route of - if it hasn't been brought in, enumerate and disable all network connections to start. If they have home DSL, then it will nobble it - which means they won't be able to get on the net with them - which as they haven't been in school, is probably a good thing as you can bet they haven't updated the AV etc...

It all depends on how far you want to go and what the actual position is in terms of laptop use... are these school-allocated (read: school paid for) resources that are given to teachers in-place of workstations? Are they allocated like the Laptops For Teachers scheme?

Az

[GrumbleDook]

LFT is done and dusted and if you have LFT machines still running then be glad. A laptop purchased by the school is the property of the school, issued out to the member of staff for work use and any personal gain is done on the back of ensuring that it is used for the benefit of the school.

This will take a 3 pronged attack.

1 - You must have buy-in from SLT for this as they are the people with the carrot and stick. They are the people who have agreed that staff get laptops and they are the people that have to justify to the governors and so on that the school is spending money well, in a way that has a positive impact on the education of the students (please note manglement blurb there ... an important phrase to trot out!) The agreement you get the staff to sign when the laptop is issued should set out reasonable expectations of the use and control of these machines.

2 - Technically, you should track the times when a machine is on the network. It would be a good idea to do this via WSUS actually ... so you know it is also patched to the right levels too. Anyone who does not bring their machine in on a regular basis gets a tap on the shoulder by a person ... not a bit of technology, but a real, live human being who can discuss and explain things (without the large lump of wood unless *really* needed) and who can try and use the carrot side of things a bit more.

3 - A technical response would be to investigate the use of DirectAccess in Windows 7 and Server 2008 R2 to still have control of these machines over the Tinternet when out of the building. Others have already been mentioned (cache times, scripts running in the background, etc), but investigate whether the AV software can centrally do anything to 'disrupt' use ... ie if it is not up to date by x days it will lock out network access so they have to bring it to you anyway (IIRC this is a feature on Sophos or McAffee ... can't remember which!)

HTH

[srochford]

There are technical ways you can deal with this, but really it's another "people" issue.

You need to get management on side; if they're not and you do something to stop staff using the laptop at home then you'll end up with management telling you to reverse the changes and then everyone gets upset.

If management agree that the laptop should be brought in regularly then it's a simple disciplinary issue if they don't do as requested.