I am looking for a way to make domain-joined Windows 7 laptops brick themselves after 90 days of no-contact with a domain controller. I do not want the laptop to wipe itself or anything severe like that. Ideally, I would just like it to display an error message and refuse logons until the computer is brought back on campus and has a chance to do updates, SCCM pushes, GPO refresh, etc.
A solution that requires help desk intervention is fine, as long as it only affects computers that have been offline (I don't want the help desk having to touch every laptop every 90 days if they're here on-site).
The reason is that we have a significant problem with disappearing laptops around here. It's not that they are missing; employees are simply checking them out and then never bringing them back. We have a few dozen computers that we can't find, many of which have not been seen on the network for more than a year. Several people have multiple laptops checked out in their name.
I would also prefer a solution that has a pretense of plausible deniability built into it so that we can make the argument that it's a standard security best practice and resist pressure to exempt people from the policy.
We already make employees sign an appropriate use policy that requires them to notify IT if a laptop gets lost or stolen. It also mandates disciplinary action if an employee fails to turn over equipment when requested by IT. The problem is that upper management folks are the biggest abusers, and they're mostly above the law. The absence of enforcement from our executive team has created a corporate culture wherein managers and directors act like a "free" computer -- with built-in "free" tech support -- is part of their benefits package.
A computer was recently brought into the help desk because it basically exploded after the user powered it up in their office and it downloaded two years' worth of missing updates and SCCM packages.
Since we can't go the low-tech route of spanking people for not following the rules, we're stuck with using technology to force the issue. We just need laptops to check in on a semi-regular basis so we can track them.