Active Directory Connections in last 60 Days

We have machines which users take home, put in their drawers and then forget they ever got one.

My question is: is there any way to create a fixlet where I set a 60-day timer, such that if the machine reports in to AD the timer resets itself?

This way I can force users to bring their machines on site for patching.

1 Like

I don’t think there is a way to get the last time a computer checked in with AD via relevance, so we might have to get creative. I was thinking about ways you can check to make sure AD communication is happening, and the first thing I thought of was that the computer won’t be able to update Domain Group Policy if it’s out of contact with the Domain. With a little digging, I found that event ID 4016 looks to be one that is generated when the computer successfully talks to the domain controller during a gpupdate. An event with that record was not created when I disallowed communication from my test computer to my DC.

From there, I’m using relevance to read the event log and report whether there are any event records with that ID in the last 60 days:

not exists records whose (id of it = 4016 AND time generated of it > now - 60*day) of event log "Microsoft-Windows-GroupPolicy/Operational"

In theory, that will report true if a computer has not talked to the domain in 60 days and false if it has. You could use that to drive an automated report in Web Reports, for your user nagging purposes :)

I didn’t spend too much time testing, nor is my test environment particularly representative of a real one, but even if it turns out 4016 isn’t the event log record ID you need, looking for the presence of some event log record should be one way to solve this problem.

3 Likes
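To try the event-log heuristic on a single machine before committing it to relevance, here is an added PowerShell script (not part of the original reply). It carries over the reply's assumption that event ID 4016 in Microsoft-Windows-GroupPolicy/Operational is only written when a policy refresh actually reached a domain controller; the 60-day window, the exit codes and the log-enabled/empty-log guard are additions, since "no 4016 events" is not evidence of anything if the operational log is disabled or has been cleared.

```powershell
# Added example (not from the original reply): test the "has this machine talked to a DC
# recently?" heuristic on one box before turning it into relevance. Save as Test-DcContact.ps1.
# Assumption carried over from the reply: event 4016 in Microsoft-Windows-GroupPolicy/Operational
# is only written when a policy refresh actually reached a domain controller.
param(
    [int]$Days    = 60,
    [int]$EventId = 4016
)

$logName = 'Microsoft-Windows-GroupPolicy/Operational'
$since   = (Get-Date).AddDays(-$Days)

# If the operational log is disabled or has been cleared, "no 4016 events" proves nothing,
# so check that first and refuse to report STALE on bad evidence.
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Output "UNKNOWN: '$logName' is disabled; the event-based check is not meaningful here"
    exit 2
}
if ($log.RecordCount -eq 0) {
    Write-Output "UNKNOWN: '$logName' is empty (cleared or never written)"
    exit 2
}

# Server-side filter on ID and time; -MaxEvents 1 stops at the newest match, so this is cheap
# even when the operational log is large.
$latest = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $EventId
    StartTime = $since
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -eq $latest) {
    # Same condition the relevance expression reports as TRUE: nothing in the window.
    Write-Output ("STALE: no event {0} in '{1}' since {2:u}" -f $EventId, $logName, $since)
    exit 1
}

Write-Output ("OK: newest event {0} at {1:u} (record {2})" -f $EventId, $latest.TimeCreated, $latest.RecordId)
exit 0
```

Run it with `-Days 60` on a machine you know has been off-network and on one that has not; if both come back OK, 4016 is not the record you want and the `-EventId` parameter lets you try another ID without editing the script.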

If the machine is truly offline for this time, then the “last report time” into BigFix would also be a valid metric, and that is one commonly used to detect these kinds of conditions… that said, I like the idea of also checking for Active Directory as well as BigFix.

There is probably a way to detect this through WMI or Registry or similar.

What ways would you find this info in the GUI? or on the command line? Knowing how to get this answer without relevance makes it easier to figure out how to get it WITH relevance.

I haven’t tested these:

This seems like an option:

PowerShell: Get-ADComputer -Identity <computer> -Properties * | FT Name, LastLogonDate -AutoSize

This seems like an option as well:

WMI/Relevance:

This might be even better: (Registry)

unique values of (it as integer) of values "EndTimeHi" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" of (x64 registries; x32 registries)

Relevance to convert FileTime to DateTime:

Q: (it + "01 Jan 1601 00:00:00" as universal time) of (it * second) of (129442497539436142 / 10000000)
A: Thu, 10 Mar 2011 11:55:53 -0500
T: 0.076 ms
I: singular time

Last GPO update:

I haven’t been able to sanity check this / test it much, but this appears to work:

(it + "01 Jan 1601 00:00:00" as universal time) of (it * second) of ((((item 0 of it) * 4294967296) + (item 1 of it)) / 10000000) of (unique values of (it as integer) of values "EndTimeHi" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" of (x64 registries; x32 registries), unique values of (it as integer) of values "EndTimeLo" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" of (x64 registries; x32 registries))
1 Like
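The same registry-based check, written as an added PowerShell script (not from the original reply) so the FILETIME handling can be verified against the thread's own sample value. Two details matter here: FILETIME counts 100-nanosecond ticks from 1601-01-01 00:00:00 UTC (midnight, not noon), and the two DWORD halves must be combined arithmetically rather than by joining their hex strings, because a low DWORD below 0x10000000 prints with fewer than eight hex digits and the concatenation silently yields the wrong value. The sample 129442497539436142 from the thread is exactly such a case (its low half is 0x04AD6E6E). The registry path is the one the reply uses; the 60-day threshold and function names are mine.

```powershell
# Added example, not from the original thread: read the machine-side Group Policy end time
# from the registry, convert the EndTimeHi/EndTimeLo DWORD pair to a DateTime, and flag
# machines whose last machine policy refresh finished more than 60 days ago.
# FILETIME = 100-ns ticks since 1601-01-01 00:00:00 UTC.

$GpStateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'

function ConvertFrom-FileTimeParts {
    <#
      Combine the high and low 32-bit halves of a FILETIME with shift/or. Do NOT build the
      64-bit value by concatenating hex strings: a low half printed without leading zeros
      (anything below 0x10000000) loses digits and the reassembled value is wrong.
    #>
    param(
        [Parameter(Mandatory)] [int64]$High,
        [Parameter(Mandatory)] [int64]$Low
    )
    # Registry DWORDs come back as signed Int32; mask each half to its unsigned 32-bit value.
    $h = $High -band 0xFFFFFFFFL
    $l = $Low  -band 0xFFFFFFFFL
    $fileTime = ($h -shl 32) -bor $l
    return [DateTime]::FromFileTimeUtc($fileTime)
}

function Get-LastMachinePolicyEndTime {
    param([string]$Key = $GpStateKey)
    $p = Get-ItemProperty -Path $Key -Name EndTimeHi, EndTimeLo -ErrorAction Stop
    return ConvertFrom-FileTimeParts -High $p.EndTimeHi -Low $p.EndTimeLo
}

# Self-check with constructed input: the thread's sample FILETIME 129442497539436142 split into
# its DWORD halves (High = 30138180 = 0x01CBDF44, Low = 78474862 = 0x04AD6E6E). The low half has
# a leading zero nibble, which is precisely the case hex-string concatenation gets wrong.
$check = ConvertFrom-FileTimeParts -High 30138180 -Low 78474862
if ($check -ne [DateTime]::FromFileTimeUtc(129442497539436142)) {
    throw "FILETIME reassembly is broken: got $($check.ToString('o'))"
}
# $check is 2011-03-10 16:55:53Z, i.e. 11:55:53 -0500.

$last = Get-LastMachinePolicyEndTime
$age  = (Get-Date).ToUniversalTime() - $last
if ($age.TotalDays -gt 60) {
    Write-Output ("STALE: last machine policy refresh finished {0:u}, {1:N0} days ago" -f $last, $age.TotalDays)
    exit 1
}
Write-Output ("OK: last machine policy refresh finished {0:u}" -f $last)
exit 0
```

On the directory side, the LastLogonDate shown by Get-ADComputer is derived from lastLogonTimestamp, which is replicated but by default only rewritten when the stored value is more than 14 days old (minus a random offset of up to 5 days). It is therefore too coarse for short windows but perfectly adequate for a 60-day "has this machine been seen at all" question, and it has the advantage of being answerable from the domain controller without the client being online.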

This won’t necessarily be as granular as the GPO update one, but this may also work:

sample times of local computers of active directories


2 Likes