First post within the community, so sorry if this is the wrong place etc.
I am looking at how other companies handle remote employees and terminations when it comes to locking the employee's laptops.
We are looking at ideas on how to handle when someone has left the company but still has our laptop; these are domain bound most of the time. For our MacBooks we use JAMF to lock them, which is great, however I do not believe Windows/Kaseya has this option.
Sometimes we do not want to wipe the laptop either.
How do you suggest we can lock the laptop from use?
Any info you need, let me know; the majority are Win 10 and Win 7.
We have procedures that can disable user accounts and remove accounts from the admins group. For example, we have one and sometimes two local admin accounts (one for us, one for the customer IT) and these are defined in Managed Variables. We pass those to a procedure that scans the Administrators group and removes any account (not group) that isn't in the list. It then updates the credentials for the allowed accounts and makes sure that the local Administrator account is disabled.
You could remove or disable unauthorized local accounts and clear the credential cache, which would prevent login by the user with known local or cached credentials.
We also move computers into a "Disabled Objects" OU which has a policy applied that prevents login by any user except the local administrator group members. It displays a "restricted logon" message on the logon page.
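The account-pruning step described in the reply above, written out as an added PowerShell example (this is not the poster's RMM application; the allowed-admin names are assumed placeholders and would come from a Managed Variable in Kaseya):

```powershell
# Added example, not the thread's own tooling: prune the local Administrators group
# down to an allowed list and make sure the built-in Administrator account is disabled.
# $AllowedAdmins is an assumed input; in a Kaseya procedure it would be passed in
# from a Managed Variable.
param(
    [string[]]$AllowedAdmins = @('corpitadmin', 'customeradmin')   # assumed names
)

# The built-in Administrator is identified by RID 500, whatever it has been renamed to.
# Windows will not let it be removed from the Administrators group, so it is skipped
# in the loop and disabled afterwards instead.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }

foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    # Only user accounts are candidates for removal; groups (e.g. Domain Admins) stay.
    if ($member.ObjectClass -ne 'User') { continue }

    # Member names come back as COMPUTER\user or DOMAIN\user; compare on the bare name.
    $name = $member.Name.Split('\')[-1]
    if ($name -eq $builtIn.Name) { continue }

    if ($AllowedAdmins -notcontains $name) {
        Write-Output "Removing $($member.Name) from Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
    }
}

# Ensure the built-in Administrator account itself is disabled.
if ($builtIn.Enabled) {
    Disable-LocalUser -Name $builtIn.Name
    Write-Output "Disabled built-in account $($builtIn.Name)"
}

# Report what is left so the result can be checked from the RMM log.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

The `Microsoft.PowerShell.LocalAccounts` cmdlets used here ship with Windows 10 / PowerShell 5.1 and are not present on Windows 7 by default; on the Win 7 machines mentioned in the question the same steps fall back to `net localgroup Administrators` and `net user <name> /active:no`. Run it as an elevated account that is itself on the allowed list, or the script will lock out the operator.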
Can you share the procedures (if possible)? We also have the same concern here in the office.
The tools I referenced are compiled applications that are part of our RMM Suite for VSA. Our procedures remain very simple and leverage the apps we develop. Some of our security is based on GPOs in AD, and a strong AD structure. You can download our AD Design Guide from our website in the Standards & Practices section to learn more about that.
Our User Account Management application can create, update, or remove user accounts. Removal works based on a list of "authorized" accounts - everything else is removed. When creating accounts or updating credentials, the procedures pull the credentials from Managed Variables to pass to our app. We even have a tool that will cipher the passwords stored in the Managed Variables using an org-specific cipher key-part. No clear-text passwords anywhere!
If you still have remote access to the laptop, then I would edit the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount and set it to 0
Then reboot the laptop. As long as they do not have local access to the laptop, then it will have to be physically attached to the domain for anyone to log on.
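The registry change from the reply above as an added PowerShell example (not from the thread), with a read-back check so an RMM job can confirm it actually applied:

```powershell
# Added example, not from the thread: set CachedLogonsCount to 0 so that domain
# credentials are no longer cached for offline logon, then verify the change.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# Record the current value (Windows default is 10) so it can be restored later
# if the laptop is recovered and re-issued.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Output "Current $name = $before"

# The value is stored as REG_SZ, so it must be written as a string, not a DWORD.
Set-ItemProperty -Path $key -Name $name -Value '0' -Type String

# Read it back; fail loudly so the RMM procedure shows the error rather than
# silently reporting success.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne '0') {
    throw "Failed to set $name (value is '$after')"
}
Write-Output "$name is now 0; reboot required for the change to take effect"

# Reboot so the new setting applies. Left commented so the operator can
# schedule it deliberately; the remote session ends with the reboot.
# Restart-Computer -Force
```

Two caveats worth knowing before relying on this: the value is the registry backing for the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", so a GPO that sets it will overwrite a manual edit at the next policy refresh (for a machine moved into a "Disabled Objects" OU, setting it through that OU's GPO is the more durable option); and once it is 0, nobody can log on with domain credentials while the laptop is off the corporate network, including IT, so a working local admin account must exist before the reboot.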