How can I lock out remote user from their own computer?


Solution 1

If they're not connected via VPN, there's nothing you can do. The machine is offline from your perspective, and cached credentials will still work for them. You can disable their account to prevent a VPN connection, but then you will never get control of the machine.

One option would be to let them connect, or instruct them to connect if you have that option from a legal perspective, then lock them out. But they could still remove the disk and get at data unless you are using something like BitLocker.

But your best option is probably to have HR/legal call them and remind them of their obligations with regards to corporate data and assets, and sic law enforcement on them for theft if they don't comply immediately. Provide them a means to send the laptop back to you without them having to pay for postage or packaging (such as FedEx pickup).

Solution 2

There are a few ways to force logoff mentioned in the SuperUser question about a force user logoff script for Windows 7.

There's also shutdown /l /f and the fantastic SysInternals suite has PsShutdown.

It will be important to remove the cached credentials from the machine. There are many questions about this, but I don't have a definitive answer or a lab to test this in just yet. Look for https://serverfault.com/search?q=cached+credentials

Alternately, and I'd consider this a better solution but it needs pre-planning, you can obliterate the hard drive's crypto key and then force shutdown the machine. Writing over the encrypted key section with gibberish will prevent the user from ever booting the machine up to read anything again. Further, if you keep a copy of the key on your end, you can still access whatever was on the drive unless they overwrite it by bootdisking.
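
A pre-planning check for the two gaps raised in the answers above (cached credentials and an unencrypted disk), as an added example that is not part of the original answers: it reads the CachedLogonsCount Winlogon value and parses manage-bde -status output. The function names are hypothetical, the sample output is constructed, and English-language manage-bde output is assumed.

```powershell
# Added example, PowerShell 2.0 compatible (Windows 7). Function names are hypothetical.

function Get-CachedLogonCount {
    # CachedLogonsCount is a REG_SZ; Windows uses 10 when the value is absent.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($p) { [int]$p.CachedLogonsCount } else { 10 }
}

function ConvertFrom-ManageBdeStatus {
    # Pull the status fields out of "manage-bde -status <drive>" text output.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Conversion Status|Protection Status|Lock Status):\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    New-Object PSObject -Property $fields
}

function Test-LaptopLockoutReadiness {
    # Returns one finding per gap; an empty result means both controls are in place.
    param([int]$CachedLogons, $Bde)
    $findings = @()
    if ($CachedLogons -gt 0) {
        $findings += "Cached domain logons allowed ($CachedLogons): disabling the AD account will not block an offline logon."
    }
    if ($Bde.'Protection Status' -ne 'Protection On') {
        $findings += 'OS volume is not BitLocker-protected: data is readable by removing the disk.'
    }
    $findings
}

# Constructed sample of manage-bde output, so the check can be tried offline.
$sample = @(
    'Volume C: [OSDisk]',
    '    Conversion Status:    Fully Decrypted',
    '    Protection Status:    Protection Off',
    '    Lock Status:          Unlocked'
)
Test-LaptopLockoutReadiness -CachedLogons 10 -Bde (ConvertFrom-ManageBdeStatus $sample)

# On a live machine, from an elevated prompt:
# Test-LaptopLockoutReadiness (Get-CachedLogonCount) `
#     (ConvertFrom-ManageBdeStatus (manage-bde -status $env:SystemDrive))
```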


Author: Matt

Hi.

Updated on September 18, 2022

Comments

  • Matt
    Matt over 1 year

    They usually connect to our network by a VPN. Right now there is just the (password protected) Administrator account and their domain user account on the laptop. Windows 7 and Server 2008R2 in use here.

    I want to change their password or disable/lock their account and have it take immediate effect so that they cannot get to our domain at all, or get to any files on the laptop.

    If they're logged in already, do they have to log out first? If they're not logged into the VPN, won't the computer just save their previous password/credentials if they log on when not connected to any network?

    Is there another way to do what I want to do?

    • user1364702
      user1364702 almost 12 years
      Just disabling the account won't do it? I'm assuming this is a fired employee...why isn't the IT department locking out the account?
    • loislo
      loislo almost 12 years
      @BartSilverstrim I gather that Matt is the IT department. Locking on the domain side and forcing him off the VPN are easier tasks. I think the challenge rests in the remote laptop that he doesn't have physical control over. Cached credentials and files held remotely can be issues.
  • Hennes
    Hennes almost 12 years
    Second that. This sounds like a technical answer to a non-technical problem.
  • Wesley
    Wesley almost 12 years
    Pertinent avatar is pertinent.