How can I lock out remote user from their own computer?

Solution 1:

If they're not connected via VPN, there's nothing you can do. The machine is offline from your perspective, and cached credentials will still work for them. You can disable their account to prevent a VPN connection, but then you will never get control of the machine.

One option would be to let them connect, or instruct them to connect if you have that option from a legal perspective, then lock them out. But they could still remove the disk and get at data unless you are using something like BitLocker.

But your best option is probably to have HR/legal call them and remind them of their obligations with regards to corporate data and assets, and sic law enforcement on them for theft if they don't comply immediately. Provide them a means to send the laptop back to you without them having to pay for postage or packaging (such as FedEx pickup).

Solution 2:

There are a few ways to force logoff mentioned in the SuperUser question about a force user logoff script for Windows 7.

There's also shutdown /l /f and the fantastic SysInternals suite has PsShutdown.

It will be important to remove the cached credentials from the machine. There are many questions about this, but I don't have a definitive answer or a lab to test this in just yet. Look for https://serverfault.com/search?q=cached+credentials

Alternately, and I'd consider this a better solution but it needs pre-planning, you can obliterate the hard drive's crypto key and then force shutdown the machine. Writing over the encrypted key section with gibberish will prevent the user from ever booting the machine up to read anything again. Further, if you keep a copy of the key on your end, you can still access whatever was on the drive unless they overwrite it by bootdisking.
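The pre-planning this answer calls for (an escrowed copy of the disk key, knowing whether cached domain logons will keep working offline, and seeing who is signed in before forcing a logoff) can be checked from one elevated PowerShell session. The script below is an added example, not code from either answer: it audits a Windows device's readiness using the built-in BitLocker cmdlets and the documented Winlogon registry value. The function name and the $EscrowToAD switch are hypothetical, chosen for this example; it assumes a domain-joined machine with the BitLocker PowerShell module present.

```powershell
# Added example (not from the answers above). Pre-planning audit for a corporate laptop:
# confirms the system drive is BitLocker-protected, that a recovery protector exists (and
# optionally escrows it to AD DS), and how many domain logons Windows caches locally.
# Run elevated on the device, or via PowerShell remoting while it is reachable on VPN.
# Function name and the $EscrowToAD switch are hypothetical, chosen for this example.

function Get-OffboardingReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$EscrowToAD   # also back the recovery protector up to the computer object in AD DS
    )

    $report = [ordered]@{}

    # --- BitLocker state ---------------------------------------------------------
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $report.VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted is what we want
    $report.ProtectionStatus = $vol.ProtectionStatus   # On = protectors are enforced at boot

    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $report.HasRecoveryProtector = [bool]$recovery
    $report.RecoveryEscrowed     = $false

    if ($recovery -and $EscrowToAD) {
        # Escrow the 48-digit recovery password to AD DS so the organisation can still
        # unlock the disk after the user's access is revoked (the "copy of the key on
        # your end" the answer describes).
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        $report.RecoveryEscrowed = $true
    }

    # --- Cached domain logons ----------------------------------------------------
    # CachedLogonsCount (REG_SZ, default "10") is how many interactive domain logons
    # Windows keeps locally so users can sign in without reaching a domain controller.
    # Anything above 0 means a disabled account still works offline until the cache
    # is cleared; the value is normally managed through Group Policy.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $report.CachedLogonsCount = if ($null -eq $cached) { '10 (default, value not set)' } else { $cached }

    # --- Who is signed in right now ----------------------------------------------
    # quser lists interactive sessions with their IDs; this audit only reports them.
    # The same IDs are what 'logoff <ID>' takes if a session has to be ended.
    $report.ActiveSessions = (quser 2>$null | Select-Object -Skip 1) -join '; '

    [pscustomobject]$report
}

# Usage: plain audit, or audit plus AD DS escrow of the recovery protector.
Get-OffboardingReadiness
# Get-OffboardingReadiness -EscrowToAD
```

The point of running this while the device is still in normal use is that everything the answer relies on later (a key copy you hold, a known cached-logon window, a session you can end) is only available if it was arranged beforehand; once the machine is off VPN none of it can be fixed remotely.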