I would like to gently remind users who have logged in with cached credentials for X days that they should bring their machine back and connect it to the network for a boot or two, and I'd like to push the structure out through GPO. There is significant interest (and no answers) in expiring cached credentials after some time, but I don't want to prevent users from working, just request/annoy them to come "home" once in a while.
I have found mention that comparing %logonserver% with %computername% as a valid way to check for cached login, but these are old (~2003). When I do that in Win7 while booted and logged in via cached credentials, my %logonserver% is the PDC of the user account's domain. (The computer account is in a subordinate domain.) Why would the system report a %logonserver% that is unreachable? Has something changed in how this works?
What appears fairly foolproof (when done manually) is to monitor the Security Log for EventID 4624 with Login Type 11. I can trigger a scheduled task on the EventID, but I don't know how to filter for Login Type. I also don't think the scheduled task can work in the user's security context because the Security Log requires elevation or at least admin rights. Is this true? Additionally, I haven't a clue how to establish a scheduled task via GPO/script especially one that would run under local admin creds (with each laptop having a unique password).
I can't believe something that seems so common sense is so challenging that it hasn't been solved yet.
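As an added example (not code from the original post), here is a PowerShell snippet that filters the Security log for event 4624 with logon type 11 (cached interactive) via an XPath query; the same QueryList XML is what a Task Scheduler "On an event" trigger accepts in its Custom event filter. It assumes the account running it can read the Security log (local admin or a member of Event Log Readers), and the function name and the 30-day window are made up for illustration.

```powershell
# Constructed example: list cached-credential logons (Security 4624,
# LogonType 11 = CachedInteractive) recorded on this machine.
# The XPath below also works as a custom event filter for a scheduled task.
$CachedLogonQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='11']]
    </Select>
  </Query>
</QueryList>
'@

function Get-CachedLogon {
    param([int]$Days = 30)   # look back this many days (hypothetical default)
    $since = (Get-Date).AddDays(-$Days)
    # -ErrorAction SilentlyContinue suppresses the "no events found" error
    Get-WinEvent -FilterXml $CachedLogonQuery -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                Workstation = $d.WorkstationName
            }
        }
}

Get-CachedLogon -Days 30 | Format-Table -AutoSize
```

Because the query selects on the LogonType data field rather than just the event ID, a task triggered by it fires only for cached logons, not for every 4624.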