Blocking XP computers from logging on to the domain

I asked my whole department to replace all their XP computers with new ones. I suspect that some of them continue to use XP. I cannot check the whole department myself.

In the Microsoft world (Microsoft domain server), is it possible to create a policy or a rule to list and/or block all XP machines or XP users on the domain?


Solution 1:

Sure. Create a GPO with a WMI filter scoped to Windows XP, and apply the "deny log on locally / interactively" rights to DOMAIN\Domain Users; that should prevent them from being able to log on. You might get some loud and rowdy responses, though, so be careful of that if you have any concerns about more senior management frowning upon it.

However, they cannot actually "hide" this from you. The operating system is included in the computer object, and you can perform a PowerShell query to detect the systems that still report as that version of Windows. As I recall, this value should update if they install a new operating system.

A PowerShell script that seeks out the values of each computer object's "OperatingSystem" and "OperatingSystemVersion" attributes would tell you what you need to know. For example, on my workstation these return: OperatingSystem: Windows 8.1 Enterprise; OperatingSystemVersion: 6.3 (9600) (major, minor and build number).

Does that help?
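Added example (not part of the answer above): an inventory script that queries the OperatingSystem and OperatingSystemVersion attributes the answer describes, and adds LastLogonTimestamp so that live XP machines can be told apart from stale computer objects nobody cleaned up. It also shows the WQL you would put in the GPO WMI filter. The OU path, the function name and the 90-day staleness threshold are assumptions; it needs the ActiveDirectory module (RSAT) and a domain-joined machine.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-XpComputer {
    param(
        [string]$SearchBase = 'OU=MyDepartment,DC=domain,DC=net',  # assumed placeholder OU
        [int]$StaleDays = 90                                          # assumed threshold
    )

    $query = @{
        # Match on the OS name rather than the version: XP is 5.1, but XP x64
        # reports 5.2, the same major.minor as Windows Server 2003.
        Filter     = 'OperatingSystem -like "*Windows XP*"'
        SearchBase = $SearchBase
        Properties = 'OperatingSystem', 'OperatingSystemVersion', 'LastLogonTimestamp', 'Enabled'
    }

    Get-ADComputer @query | ForEach-Object {
        # LastLogonTimestamp is replicated to every DC but only refreshed about
        # every 14 days, which is accurate enough to separate machines still in
        # use from objects left behind by long-retired hardware.
        $lastLogon = $null
        if ($_.LastLogonTimestamp) {
            $lastLogon = [DateTime]::FromFileTime($_.LastLogonTimestamp)
        }

        $status = 'STALE'   # probably retired but never deleted from AD
        if ($lastLogon -and $lastLogon -gt (Get-Date).AddDays(-$StaleDays)) {
            $status = 'ACTIVE'   # someone is still using this XP box
        }

        [pscustomobject]@{
            Name      = $_.Name
            OS        = $_.OperatingSystem
            Version   = $_.OperatingSystemVersion
            Enabled   = $_.Enabled
            LastLogon = $lastLogon
            Status    = $status
        }
    }
}

# WQL for the GPO WMI filter the answer describes. Windows XP reports
# ProductType 1 (workstation) and a version starting 5.1 (5.2 for XP x64);
# the ProductType clause keeps Server 2003 (also 5.2) out of scope.
$XpWmiFilter = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType = 1'

# Sanity-check the WQL against the local machine: on anything newer than XP it
# returns nothing, which is exactly what the GPO filter should do there.
Get-CimInstance -Query $XpWmiFilter

# Report: active XP machines first, then stale objects worth deleting.
Find-XpComputer | Sort-Object Status, LastLogon | Format-Table -AutoSize
```

Run the report before touching any GPO: the STALE rows are the objects to delete (or ignore), and the ACTIVE rows are the machines whose owners will be affected by a deny-logon policy.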

Solution 2:

You can not only deny logon but also disable those old XP accounts in the domain with a one-liner in PowerShell:

# Find every computer object under the department OU whose OperatingSystem attribute mentions XP, then disable the account
Get-ADComputer -Filter * -SearchBase "OU=MyDepartment,DC=domain,DC=net" -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -match "XP" } |
    Set-ADComputer -Enabled $false

When they try to log on, they'll see a message saying the computer has lost its trust relationship with the domain.
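Added example (not part of the answer above): the same disable step wrapped so that it dry-runs by default with -WhatIf, skips accounts that are already disabled, and writes a dated reason into the Description attribute so whoever later hits the "trust relationship" error can see why. The OU path, the function name and the reason text are assumptions; it needs the ActiveDirectory module (RSAT).

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Disable-XpComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = 'OU=MyDepartment,DC=domain,DC=net',        # assumed placeholder OU
        [string]$Reason     = 'Windows XP is not permitted on the domain'  # assumed wording
    )

    $xpComputers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
                                  -SearchBase $SearchBase `
                                  -Properties OperatingSystem, Description

    foreach ($c in $xpComputers) {
        if (-not $c.Enabled) {
            Write-Verbose "$($c.Name) is already disabled, skipping"
            continue
        }

        # -WhatIf and -Confirm flow through ShouldProcess, so a plain dry run
        # prints what would change and modifies nothing.
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable computer account ($($c.OperatingSystem))")) {
            # Keep the previous description so the change is reversible by hand.
            $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): $Reason. Was: $($c.Description)"
            Set-ADComputer -Identity $c -Enabled $false -Description $stamp

            [pscustomobject]@{
                Name   = $c.Name
                OS     = $c.OperatingSystem
                Action = 'Disabled'
            }
        }
    }
}

# Dry run first: lists every account that would be disabled, changes nothing.
Disable-XpComputer -WhatIf

# Then for real, once the list looks right:
# Disable-XpComputer -Verbose

# To let a machine back in after it has been rebuilt, re-enable the account
# (Set-ADComputer -Identity <name> -Enabled $true) or simply re-join it to the domain.
```

Disabling the computer account only blocks logons that reach a domain controller; a user already signed in, or one whose laptop is off the network, keeps working on cached credentials until the machine next talks to a DC, so pair this with the deny-logon GPO from the first answer if you want coverage for both cases.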