Blocking logon to AD disabled PCs that have credentials cached
Posted by aspoons@reddit | sysadmin | 7 comments
So as the title says I am looking for a way to block users from signing in to a computer that is disabled in AD even if they previously used it and the system has their credentials cached locally.
Now for the long explanation of our processes: The primary tools I have at my disposal are PDQ and AD. We have 50+ locations spread out across the US. Sometimes we have a computer go missing at a remote site and we have policies in place for offline computers. We initially contact supervisors and such to try and find the machine but sometimes we are told it can't be found. Eventually it gets disabled in AD after some time and it gets reported as lost/destroyed company property against that location.
After it has been disabled in AD we remove it from PDQ because that is licensed per device and we can't keep paying for lost devices indefinitely. We do have a package that, while we are trying to track it down (and when we terminate a remote employee), sets the Windows cached credentials to zero and then restarts the PC. So if the computer powers on and connects to the internet between us starting the search for it and deleting it from PDQ, we can force it to use a connection to AD, and it also sits in an OU that only allows admins to log in.
The problem is a scenario we have seen and we are trying to 'fix'. A computer was reported lost. Eventually it gets deleted from PDQ and disabled in AD (eventually disabled PCs also get purged from AD after a much longer time). The person who had used it before it became 'lost' claims they just 'found' it in a closet and decided to use it. Since the laptop had their credentials cached they could log in to it. Since it was disabled in AD it wasn't allowed to connect to get a Group Policy update or anything. However, since most tools these days are web based, it worked for them for a very long time. Then suddenly they called our IT helpdesk about something and we discovered they had been using a disabled, reported-lost PC for a couple of months.
I am trying to find a way to 'brick' a computer in this type of situation. My initial thought was some small script that runs on system startup and checks the last time it checked in with AD, and if that is greater than X days sets the logon cache to zero. This would be very similar to our PDQ script we push to remote laptops on employee termination. The problem I have is that I can't find anything to query that is local on the system to do this check. I know there is an AD field, and we use that when initially finding offline systems. But this script will need to run purely locally, as the machine is disabled in AD and can't connect to the domain controller to query that. It could also not be on our physical network at the time if it is a laptop.
Has anybody done something like this before, tried to solve this issue, or know of something that can be checked that is stored on the local PC and doesn't require reaching out to some other system to discover if it has been unable to connect to AD for an extended period of time? My searches also seem to indicate there is no way to set a maximum age on cached credentials either.
GeneMoody-Action1@reddit
There is no perfect solution, but it is safe to assume any tool that could manage this remotely could execute a command, set up a job to run on the system the next time it is seen to force recovery on BitLocker and shut down.
Obviously unless you set up some process running on it locally outside a user context making decisions, you cannot do anything when it is not connected, but if the system is reported lost, locking it up should be a first priority anyway.
tjn182@reddit
PowerShell to ping AD controller.
If no ping, write registry value with first date time of failed communication.
If communication, remove date time value.
If no communication and date time value is 30 days or older, set CachedLogonsCount reg key to 0. Boom, no cached logins.
Thoughts?
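The tracker described above as a runnable script, added here as an example and not code from the thread. It is meant to run as SYSTEM from a scheduled task (startup plus a recurring trigger); the tracker key name and the 30-day threshold are assumptions, and it uses a secure-channel test instead of a plain ping, since a computer whose AD account is disabled still answers ICMP but its secure channel to the domain no longer validates.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). State key and threshold are assumptions.
$TrackerKey     = 'HKLM:\SOFTWARE\CachedLogonWatch'                            # hypothetical key
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$MaxOfflineDays = 30

function Test-DomainContact {
    # Secure-channel validation rather than a ping: a disabled computer account
    # still replies to ICMP, but Netlogon can no longer authenticate it to a DC.
    try   { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }   # no DC reachable or channel broken: treat as no contact
}

function Get-FirstFailureUtc {
    $p = Get-ItemProperty -Path $TrackerKey -Name FirstFailureUtc -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [datetime]::Parse($p.FirstFailureUtc, $null, 'RoundtripKind')
}

if (Test-DomainContact) {
    # Contact restored: clear the marker so the offline clock restarts from zero.
    Remove-ItemProperty -Path $TrackerKey -Name FirstFailureUtc -ErrorAction SilentlyContinue
    Write-Host 'Domain contact OK; tracker reset.'
    exit 0
}

$first = Get-FirstFailureUtc
if ($null -eq $first) {
    # First failed contact: record the timestamp in ISO 8601 round-trip form.
    New-Item -Path $TrackerKey -Force | Out-Null
    Set-ItemProperty -Path $TrackerKey -Name FirstFailureUtc -Value ([datetime]::UtcNow.ToString('o'))
    Write-Host 'First failed contact recorded.'
    exit 0
}

$offlineDays = ([datetime]::UtcNow - $first).TotalDays
if ($offlineDays -ge $MaxOfflineDays) {
    # CachedLogonsCount is a REG_SZ; '0' stops Winlogon from accepting cached domain logons.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value '0' -Type String
    Write-Host "Offline $([int]$offlineDays) days; cached logons disabled (takes effect at next logon)."
} else {
    Write-Host "Offline $([int]$offlineDays) days; threshold of $MaxOfflineDays not reached."
}
```

The marker and the system clock are the only evidence the script has, so a user who holds local admin on the device could roll either back; the check only holds while HKLM and the clock are out of the user's reach.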
Crenorz@reddit
enable MFA on logins
ntrlsur@reddit
This right here. MFA on login will fix that problem quickly. It could introduce some other issues but nothing that isn't fixable.
ZAFJB@reddit
Only if they are not connected to the LAN.
You are chasing an unfixable problem. If it is not on your LAN, you can't do anything to it.
The solution is to not allow cached credentials.
If you Entra join the devices you might have better luck.
wastewater-IT@reddit
Sounds potentially risky to successfully do this, but for last check-in to AD you could run a "gpresult /x [file name]" to save the GPResult to an XML file, then parse that XML file for the ExtensionStatus -> EndTime property for Group Policy Infrastructure which is the last GPO refresh time.
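The gpresult approach above, as an added example that is not from the thread: export the computer-scope RSoP to XML and pull the EndTime of the Group Policy Infrastructure extension as the last refresh time. The output path is an assumption, and the XPath matches on local-name() so it works whatever namespace prefix the report uses.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Report location is an assumption.
$Report = Join-Path $env:TEMP 'rsop-computer.xml'                  # hypothetical path
gpresult /x $Report /f /scope computer | Out-Null                  # /f overwrites an existing file

function Get-LastGpoRefresh([string]$Path) {
    [xml]$doc = Get-Content -Path $Path -Raw
    # Each ExtensionStatus carries Name/BeginTime/EndTime; select the core
    # Group Policy Infrastructure entry regardless of the RSoP namespace.
    $node = $doc.SelectSingleNode(
        "//*[local-name()='ExtensionStatus'][*[local-name()='Name']='Group Policy Infrastructure']")
    if ($null -eq $node) { return $null }
    $end = $node.SelectSingleNode("*[local-name()='EndTime']")
    if ($null -eq $end) { return $null }
    return [datetime]$end.InnerText
}

$last = Get-LastGpoRefresh -Path $Report
if ($null -eq $last) {
    Write-Warning 'No Group Policy Infrastructure status in the RSoP report.'
    exit 1
}
$ageDays = ((Get-Date) - $last).TotalDays
Write-Host ("Last GPO refresh: {0:u} ({1:N1} days ago)" -f $last, $ageDays)
```

The value is only as trustworthy as the local RSoP store and clock, which is the risk the comment points at; pair it with a separate marker if you act on it.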
scytob@reddit
Don't disable in AD until you know the credential has expired?
Don't allow cached logons? (yeah, I understand how stupid that is)
For existing machines you are hosed.
For current active machines you could deploy a time-based logon script that checks dates against, say, the last time a DC was contacted, and if that is exceeded delete the cached creds; the reg location of cached creds is in this article https://woshub.com/cached-domain-logon-credentials-windows