[gptalk] Re: Automatic Disabling of AD Computer accounts

  • From: "Jakob H. Heidelberg" <jakob@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 17 Oct 2007 16:26:45 +0200

Him

The below script is the VBS/WMI way of performing a shutdown. This
particular script pops up a confirmation message box - this must be changed
in your case of course.

You could maybe add a line "Wscript.Sleep 1000*15" to wait 15 seconds before
shutdown is performed - or maybe "Wscript.Sleep 1000*60*5" to wait 5 minutes
instead. But, it should work, just haven't had the time to test it as a
computer startup script, sorry.

/Jakob H. Heidelberg


'SHUTDOWN.VBS START
Option explicit

If Msgbox("Do you want to shut down this computer?", 4, "System Shutdown") =
6 then
        Dim osObj, osColl 
        const nLogOff=0 
        const nReboot=2 
        const nForceLogOff=4 
        const nForceReboot=6 
        const nPowerDown=8 
        const nForcePowerDown=12 

        Set osColl = GetObject("winmgmts:{(Shutdown)}").ExecQuery("Select *
from Win32_OperatingSystem") 

        For Each osObj in osColl
            osObj.Win32Shutdown(nForcePowerDown)
        Next
Else
        msgBox "Shutdown cancelled",vbOKOnly+vbInformation,"System Shutdown"
End if
'SHUTDOWN.VBS END




-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: 17. oktober 2007 15:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

I think I had the same problem with the shutdown command once. Try using
psshutdown from the Systinternals PSTools suite (now owned by Microsoft).

Regards,
Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ray Lewis
Sent: Wednesday, October 17, 2007 1:01 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

Thanks for all the feedback - this is now in place with the revoked log on
locally permission. I actually tried using a startup script with the below
command, but although the "Running Startup Scripts" initiates, it doesn't
work:

 

shutdown -s -f -t 50 -c "This Machine is not correctly configured for this
Domain - please contact your IT Department for further assistance"

 

No doubt Windows has something in place that is set to ignore the shutdown
command during a startup sequence - does anyone know a way around this, is
there a .vbs alternative?

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: 12 October 2007 09:59
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

 

What is actually the question. 

 

To disallow workstations being used by anyone except from a certain group of
administrators , is very easy. 

 

I have a quarentine ou which runs a gpo that screws down almost everything
on the machine. If any user logs on, the only thing they get is a message
saying their machine has been quarentined and that they need to contact the
helpdesk. they don't have the "log on locally right" anymore,  from there on
it logs itself back of. If an administrator logs on he is granted "log on
locally" and can administer the machine. 

If moved out of this ou then all is back to normal. 

 

If you mean you completely want to seperate a machine from your network due
to certain parameters. You will need to wait for NAP (network access
protection)  that is available in Windows 2008 Longhorn. 

There you can disallow network connection to certain vlans based on the
health of your machine.  

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Bart.schillebeeks@xxxxxxxxxx
AD Internet Consulting BVBA 
"When once you have tasted flight, you will always walk with your eyes
turned skyward, for there you have been and there you always will be."
Leonardo da Vinci, 1452-1519 
Disclaimer:
Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised to
state them to be the views of any such entity.This Message is in no way
legally binding and has to be viewed as a personal opinion of the sender.
This message reflects in no way the views of FORTIS BANK and its associates
and AD internet Consulting BVBA and its associates. Unless otherwise stated,
any pricing information given in this message is indicative only, is subject
to change and does not constitute an offer to deal at any price quoted. Any
reference to the terms of executed transactions should be treated as
preliminary only and subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Larry.Trimble@xxxxxxxxxxxxxxxxxx
Sent: Thursday, October 11, 2007 6:20 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

How about this for a thought?  Set up a special group in AD (that holds only
the members that you want to logon to those workstations then setup a GPO up
in the OU then under "User Rights Assignment\Allow log on locally" allow
only that group to log on?  This would prevent anyone other than members of
that group to logon to the workstation.

 

You would need to make sure that you had a GPO that would set "Allow log on
locally" back to standard when you wanted that workstation active again.

 

If you stacked the GPO's correctly then all you would have to do is to add
the workstation to the group that applies the "Allow log on locally" special
group when you wanted to block access and remove it from the applies group
when all access was allowed..

 

Regards

Larry

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Thorbjörn Sjövold
Sent: Thursday, October 11, 2007 09:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

 

The problem with any type of solution where the local computer is crippled
instead of working in AD, is that it is hard to undo it, since GP will not
be applied regardless where in AD it is moved when the time comes to restore
the computer again :-).

 

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: den 11 oktober 2007 16:07
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

 

I suppose there might be a security setting you could set that would make
the computer unable to talk to the rest of the domain. Something like an SMB
Signing setting that is incompatible with your servers/DCs? 

 

darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ray Lewis
Sent: Thursday, October 11, 2007 1:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

 

Thanks Thorbjörn,

 

What about an alternative restriction to prevent the machines being able to
sign on or being issued a token?

 

I've looked at IPSEC solutions but would prefer to steer clear of this
method.

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Thorbjörn Sjövold
Sent: 11 October 2007 09:27
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Automatic Disabling of AD Computer accounts

 

I do not think there are such a solution available, the problem here would
be that this would be something that need to run in AD and not on the
computers where the GP CSEs reside and execute, in theory it might be
possible for a computer to disable itself from a startupscript, but the
other way around it tough for obvious reasons :-). The problem is similar to
the situation with the Password Policy GP setting that actually executes on
the Domain Controllers.

 

 I normally prefer using GP compared to "external" solutions, but a
workaround could be  a small script or program that runs as a scheduled job
on a DC that does the trick, although you need to take into consideration
that there could be disabled computers in other OUs for other reasons etc.
Also unless you use the DirSync control to monitor changes, you will also
have to live with a polling solution so it the change will not be immediate.


 

 

Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com/> 

thorbjorn.sjovold a t specopssoft.com

 

Download our free tool for remote Gpupdate with graphical reporting,
http://www.specopssoft.com/products/specopsgpupdate/
<http://www.specopssoft.com/products/specopsgpupdate/> 

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ray Lewis
Sent: den 11 oktober 2007 09:38
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Automatic Disabling of AD Computer accounts

 

Hi all...

 

Is there a GPO rule I can tag to an OU that will "automatically" disable the
computer accounts within it? For example, as soon as a machine is moved into
that OU, it becomes disabled and cant be re-enabled unless moved.

 

Cheers guys...

 

Ray

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: