How to lock out remote user from their own computer

Tags: active-directory, windows-7, windows-server-2008

They usually connect to our network by a VPN. Right now there is just the (password protected) Administrator account and their domain user account on the laptop. Windows 7 and Server 2008 R2 in use here.

I want to change their password or disable/lock their account and have it take immediate effect so that they cannot get to our domain at all, or get to any files on the laptop.

If they're logged in already, do they have to log out first?
If they're not logged into the VPN, won't the computer just save their previous password/credentials if they log on when not connected to any network?

Is there another way to do what I want to do?

Best Answer

If they're not connected via VPN, there's nothing you can do. The machine is offline from your perspective, and cached credentials will still work for them. You can disable their account to prevent a VPN connection, but then you will never get control of the machine.

One option would be to let them connect, or instruct them to connect if you have that option from a legal perspective, then lock them out. But they could still remove the disk and get at data unless you are using something like BitLocker.

But your best option is probably to have HR/legal call them and remind them of their obligations with regards to corporate data and assets, and sic law enforcement on them for theft if they don't comply immediately. Provide them a means to send the laptop back to you without them having to pay for postage or packaging (such as FedEx pickup).
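The domain-side part of the answer (disable the account so it can no longer authenticate to the VPN, reset the password, and confirm whether the disk is BitLocker-protected) can be scripted from a domain controller or an admin workstation with the RSAT ActiveDirectory module. The script below is an added example and is not code from the answer's author; the user name `jdoe`, the computer name `LAPTOP-01`, and the assumption that the laptop is reachable over the VPN are placeholders. As the answer notes, none of this touches cached credentials on a laptop that is offline: the cached logon keeps working until the machine next talks to the domain.

```powershell
# Added example (not from the original answer). Run as a domain admin on a
# host with the RSAT ActiveDirectory module (Server 2008 R2 / Windows 7 RSAT).
Import-Module ActiveDirectory

$User   = 'jdoe'       # assumed sAMAccountName of the departing user
$Laptop = 'LAPTOP-01'  # assumed computer account / hostname of the laptop

# 1. Disable the user account: stops new VPN/domain logons immediately.
Disable-ADAccount -Identity $User

# 2. Reset the password to a random value so the old one is useless if the
#    account is ever re-enabled. The value is generated and discarded.
$chars   = [char[]](([int][char]'!')..([int][char]'~'))
$newPass = -join (1..24 | ForEach-Object { $chars | Get-Random })
Set-ADAccountPassword -Identity $User -Reset `
    -NewPassword (ConvertTo-SecureString $newPass -AsPlainText -Force)

# 3. Optionally disable the computer account too, so the laptop itself can no
#    longer establish a secure channel with the domain.
Disable-ADAccount -Identity (Get-ADComputer -Identity $Laptop)

# 4. Show the resulting state for the ticket / HR record.
Get-ADUser -Identity $User -Properties Enabled, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate

# 5. If the laptop happens to be on the VPN right now, check whether the OS
#    volume is BitLocker-protected (manage-bde ships with Windows 7) and how
#    many domain logons the laptop is allowed to cache offline.
if (Test-Connection -ComputerName $Laptop -Count 1 -Quiet) {
    manage-bde -status -ComputerName $Laptop

    Invoke-Command -ComputerName $Laptop -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        (Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
    }
} else {
    Write-Warning "$Laptop is not reachable: cached credentials on it remain valid until it reconnects."
}
```

Step 5 only works while the laptop is connected, which is exactly the limitation the answer describes; the CachedLogonsCount value (default 10) is what lets the user keep logging on offline with their old password, and it can only be lowered by policy before the machine leaves your control.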