Smart Card Logon

Guest

I am trying to implement smart card required logon on my Win XP and Win2K
PCs on the network through the local computer security policy. I need to
restrict all users logging onto those PCs to use a smart card to logon
instead of the normal User ID and password. However, I need to exempt the
administrator account on the local machine from this policy. The security
template options are enabled and disabled but I need to add the local
administrator account as an exception from the smart card requirement. Is
there a way that the template can be edited so that exceptions can be added
or is there a predefined template available from Microsoft? Bottom
line...can this be done?
 
David H. Lipman

From: "JayW" <[email protected]>

| I am trying to implement smart card required logon on my Win XP and Win2K
| PCs on the network through the local computer security policy. I need to
| restrict all users logging onto those PCs to use a smart card to logon
| instead of the normal User ID and password. However, I need to exempt the
| administrator account on the local machine from this policy. The security
| template options are enabled and disabled but I need to add the local
| administrator account as an exception from the smart card requirement. Is
| there a way that the template can be edited so that exceptions can be added
| or is there a predefined template available from Microsoft? Bottom
| line...can this be done?

You can't add a Local account to an exception list. This is done on a User and Computer
based enforcement in the Active Directory Domain.

You can however delete the local policy registry entry for Smart Card enforcement.
This can be done either by booting into Safe Mode and using Regedit or accessing the HKLM
hive remotely or using WMI or other construct remotely.
 
Steven L Umbach

That can't be done since computer configuration Group Policy applies to all
users on that domain computer. You can configure user accounts in Active
Directory to require that they use smart card logon but that will apply to
any domain computer that they logon to. To me it seems to defeat the
security advantage of smart cards [multifactor authentication] by exempting
an account for smart card logon where there is an apparent need to otherwise
require smart card logon. Instead make sure that there is a user/group in
the local administrators group that has smart cards that can logon if need
be. Also you can simply undo the security option via Local Security Policy
or at the domain/OU level if that is where it is applied to not require
smart card logon to a domain computer when the need arises.

Steve
 
Guest

Since I cannot verify that all users in the domain (I administer an OU) then,
to ensure smart cards are used on my machines it makes perfect sense to
enforce the Smart Card Logon on the local machine. This way I can ensure that
all users at my location, including those persons from other locations who
are visiting my facility, use a smart card on my machines. However,
administrators of my OU are issued smart cards that are used on their
individual (normal, not admin) user accounts; we are not (and cannot be)
issued smart cards for our admin accounts. The problem with this scenario is
that with the local machine policy enforcement, admins cannot log onto the
machines without a smart card, and even if they did have a smart card then we
could not log into the machine remotely with DameWare (for example) without
inserting the card on the local machine.

Steven L Umbach said:
That can't be done since computer configuration Group Policy applies to all
users on that domain computer. You can configure user accounts in Active
Directory to require that they use smart card logon but that will apply to
any domain computer that they logon to. To me it seems to defeat the
security advantage of smart cards [multifactor authentication] by exempting
an account for smart card logon where there is an apparent need to otherwise
require smart card logon. Instead make sure that there is a user/group in
the local administrators group that has smart cards that can logon if need
be. Also you can simply undo the security option via Local Security Policy
or at the domain/OU level if that is where it is applied to not require
smart card logon to a domain computer when the need arises.

Steve


JayW said:
I am trying to implement smart card required logon on my Win XP and Win2K
PCs on the network through the local computer security policy. I need to
restrict all users logging onto those PCs to use a smart card to logon
instead of the normal User ID and password. However, I need to exempt the
administrator account on the local machine from this policy. The security
template options are enabled and disabled but I need to add the local
administrator account as an exception from the smart card requirement. Is
there a way that the template can be edited so that exceptions can be added
or is there a predefined template available from Microsoft? Bottom
line...can this be done?
 
Steven Umbach

You can simply make sure those domain users are local administrators on the
domain computer they need to manage - they do not need to be using a domain
administrator account. As far as remote logon I believe you can enable smart
card redirection so that you can use your smart card on the computer you are
doing remote management from when using Remote Desktop with the latest RDP
client if that is a possibility though that will not work for Windows 2000.
Unfortunately there is no workaround for exempting a specific account.

Steve


JayW said:
Since I cannot verify that all users in the domain (I administer an OU) then,
to ensure smart cards are used on my machines it makes perfect sense to
enforce the Smart Card Logon on the local machine. This way I can ensure that
all users at my location, including those persons from other locations who
are visiting my facility, use a smart card on my machines. However,
administrators of my OU are issued smart cards that are used on their
individual (normal, not admin) user accounts; we are not (and cannot be)
issued smart cards for our admin accounts. The problem with this scenario is
that with the local machine policy enforcement, admins cannot log onto the
machines without a smart card, and even if they did have a smart card then we
could not log into the machine remotely with DameWare (for example) without
inserting the card on the local machine.

Steven L Umbach said:
That can't be done since computer configuration Group Policy applies to all
users on that domain computer. You can configure user accounts in Active
Directory to require that they use smart card logon but that will apply to
any domain computer that they logon to. To me it seems to defeat the
security advantage of smart cards [multifactor authentication] by exempting
an account for smart card logon where there is an apparent need to otherwise
require smart card logon. Instead make sure that there is a user/group in
the local administrators group that has smart cards that can logon if need
be. Also you can simply undo the security option via Local Security Policy
or at the domain/OU level if that is where it is applied to not require
smart card logon to a domain computer when the need arises.

Steve


JayW said:
I am trying to implement smart card required logon on my Win XP and Win2K
PCs on the network through the local computer security policy. I need to
restrict all users logging onto those PCs to use a smart card to logon
instead of the normal User ID and password. However, I need to exempt the
administrator account on the local machine from this policy. The security
template options are enabled and disabled but I need to add the local
administrator account as an exception from the smart card requirement. Is
there a way that the template can be edited so that exceptions can be added
or is there a predefined template available from Microsoft? Bottom
line...can this be done?
 
David H. Lipman

From: "JayW" <[email protected]>

| Since I cannot verify that all users in the domain (I administer an OU) then,
| to ensure smart cards are used on my machines it makes perfect sense to
| enforce the Smart Card Logon on the local machine. This way I can ensure that
| all users at my location, including those persons from other locations who
| are visiting my facility, use a smart card on my machines. However,
| administrators of my OU are issued smart cards that are used on their
| individual (normal, not admin) user accounts; we are not (and cannot be)
| issued smart cards for our admin accounts. The problem with this scenario is
| that with the local machine policy enforcement, admins cannot log onto the
| machines without a smart card, and even if they did have a smart card then we
| could not log into the machine remotely with DameWare (for example) without
| inserting the card on the local machine.
|


You can temporarily disable enforcement.

The following Registry key enables Smart Card enforcement...


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"SCForceOption"=dword:00000001

To disable enforcement, delete SCForceOption
or set the DWORD = 0 , "SCForceOption"=dword:00000000

You can do this by rebooting the PC into Safe Mode, logging on as Administrator, and running
Regedit.

If File & Print Sharing is enabled there are many ways to remotely access this Registry key.
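Because the SCForceOption value above can be deleted or zeroed to lift enforcement, a temporary disable is easy to forget. The following PowerShell audit is an added example (not code from the thread): it reads that value from each PC's HKLM hive over the Remote Registry service and reports hosts where smart card logon is no longer enforced. The host names are constructed placeholders; it assumes Remote Registry is reachable and the caller is an administrator on each host.

```powershell
# Added audit script (not from the thread). Reads SCForceOption from each
# host's HKLM hive over the Remote Registry service and reports whether
# smart card logon enforcement is on, so a temporary disable is not forgotten.
# Assumes the Remote Registry service is reachable and the caller has admin rights.
function Get-SmartCardEnforcement {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Key named in the thread; the value backs the "require smart card" option.
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($computer in $ComputerName) {
        $state = 'Unknown'
        $raw   = $null
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hive.OpenSubKey($subKey)
            if ($key) {
                $raw = $key.GetValue('SCForceOption')   # $null when the value was deleted
                $key.Close()
            }
            $hive.Close()
            # A missing value and a DWORD of 0 both mean password logon is allowed.
            $state = if ($raw -eq 1) { 'Enforced' } else { 'NotEnforced' }
        } catch {
            $state = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ComputerName  = $computer
            SCForceOption = $raw
            State         = $state
        }
    }
}

# Constructed host list (placeholders); replace with the PCs at your location.
Get-SmartCardEnforcement -ComputerName 'PC01', 'PC02' |
    Where-Object { $_.State -ne 'Enforced' } |
    Format-Table -AutoSize
```

Run it on a schedule after any Safe Mode or remote change so a host left with SCForceOption deleted or set to 0 shows up as NotEnforced rather than staying that way unnoticed.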
 
