Prevent clients from logging on to the domain unless they are completely up to date
My domain has just recently been upgraded to Windows 2003 Active Directory. I'm trying to find a method similar to what the Windows 2003 Quarantine Server does for remote clients--preventing them from logging on to the domain unless they are completely up to date with MS critical updates. But, I want this to happen to my regular clients who log in directly onto the domain, not remotely. For example, I would like for them to try to log onto the domain but then a dialogue box pops up and says, "Please wait while these updates are being installed (They would be listed in the pop up box). Your system will reboot and then you can log into the domain." Is this a task Group Policies is capable of handling? Do you think I could write a VB or Perl script to accomplish this? Or is there a third party product that does this?
This can definitely be done. Your best bet is to script the use of MBSA on computer login and then use the information MBSA provides to know if the computer meets the current security standard.
Microsoft has released an excellent document on how they do exactly what you are trying to do:
This was first published in February 2004
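The check the answer describes (scan at computer startup, then decide from the scan results whether the machine meets the baseline) could look like the following. This is an added example, not code from the original answer or from Microsoft; it assumes the MBSA scan has already produced an XML report, and the report layout, the severity scale and the function name Test-PatchCompliance are assumptions to verify against a real report.

```powershell
# Constructed sample report. Element and attribute names (SecScan, UpdateData,
# IsInstalled, Severity, KBID) are assumptions about the report layout; the
# bulletin IDs, KB numbers and machine name are placeholders.
$sampleReport = @'
<SecScan Machine="WKS-042">
  <Check Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="MS-SAMPLE-001" KBID="000001" IsInstalled="true" Severity="4"><Title>Constructed update A</Title></UpdateData>
      <UpdateData ID="MS-SAMPLE-002" KBID="000002" IsInstalled="false" Severity="4"><Title>Constructed update B</Title></UpdateData>
      <UpdateData ID="MS-SAMPLE-003" KBID="000003" IsInstalled="false" Severity="2"><Title>Constructed update C</Title></UpdateData>
    </Detail>
  </Check>
</SecScan>
'@

function Test-PatchCompliance {
    param([xml]$Report, [int]$MinSeverity = 4)   # 4 is assumed to mean "critical"

    $updates = @($Report.SelectNodes('//UpdateData'))
    $missing = @($updates |
        Where-Object { $_.IsInstalled -eq 'false' -and [int]$_.Severity -ge $MinSeverity } |
        ForEach-Object {
            [pscustomobject]@{ Bulletin = $_.ID; KB = $_.KBID; Title = $_.Title }
        })

    [pscustomobject]@{
        Machine      = $Report.SecScan.Machine
        # A report with no update data means the scan did not finish: fail closed.
        ScanComplete = ($updates.Count -gt 0)
        Missing      = $missing
        Compliant    = ($updates.Count -gt 0 -and $missing.Count -eq 0)
    }
}

$result = Test-PatchCompliance -Report $sampleReport
if ($result.Compliant) {
    Write-Output "$($result.Machine) meets the patch baseline"
} elseif (-not $result.ScanComplete) {
    Write-Output "$($result.Machine): no update data in report, treating as non-compliant"
} else {
    Write-Output "$($result.Machine): $($result.Missing.Count) critical update(s) missing"
    $result.Missing | ForEach-Object { Write-Output "  $($_.Bulletin) (KB$($_.KB)) $($_.Title)" }
}
# A startup script would return non-zero here so the caller can start remediation.
if (-not $result.Compliant) { exit 1 }
```

Treating an empty or unreadable report as non-compliant matters here: a scan that fails silently would otherwise let an unpatched machine through the gate.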