From: atheria on 6 Jan 2010 18:51

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\*ScForceOption *

SCFORCEOPTION = 1 - change to 0 (zero)

If you don't have this in your registry, you will have to find another way unless your unit is willing to give the poor guy a CAC card.

The thing is if Group Policy is in force the "option" will change back to "1" as soon as the machine is seen by AD and GP... Either way, it's a pain.

Good Luck!

~atheria

In_the_desert;4202461 Wrote:
> I have several users that logon without smart cards on a daily basis. I
> also have users that are required to login with smart cards. I have one
> user in particular that doesn't have a smart card and so his account is
> setup to allow him to login with a username and password. The problem is
> that for this one individual every day when he comes into work and
> attempts to login it tells him he needs a smart card. So everyday he
> calls me, I go into Active Directory, and sure enough "Smart card is
> required for interactive logon" is checked. I uncheck this box and he is
> fine for the rest of the day. Does anybody have any ideas on this?

--
atheria
------------------------------------------------------------------------
atheria's Profile: http://forums.techarena.in/members/171474.htm
View this thread: http://forums.techarena.in/windows-security/1110440.htm

http://forums.techarena.in
From: David H. Lipman on 6 Jan 2010 19:44

TechArena.in is a leech of Usenet and fakes that it provides forums when they are actually Usenet news groups and uses the vBulletin USENET gateway. In this case it is a news group within the Microsoft.* hierarchy and can be directly accessed via the Microsoft news server; MSNews.Microsoft.Com using a news client via TCP port 119.

Users of TechArena.in are strongly ENCOURAGED to drop the TechArena.in leech of Usenet and access "this" News Group directly with the following News URL...

news://msnews.microsoft.com/microsoft.public.windowsxp.security_admin

And yes, it is...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
SCFORCEOPTION = 0 or DELETE "SCFORCEOPTION"

and the user can logon to the Domain via the Domain Name and Password.

Also...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
scremoveoption = 0 or DELETE "scremoveoption"

and the OS will not lock the computer when the SmartCard is removed.

However, the *best* answer (and I do not know how OLD this thread is and if the OP will actually even SEE the answers) is to set up an OU as a Cryptographic Logon Exception. Then MOVE the user's AD Account into the Cryptographic Logon Exception OU so that the user(s) would not be forced/required to logon to the Domain via a SmartCard. Once the user(s) acquire the SmartCard said user(s) could then have their respective Domain accounts moved out of the Cryptographic Logon Exception and into the normal OU requiring Cryptographic Logons.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
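
An added example, not part of the thread or any poster's code: a read-only PowerShell check of the two registry values discussed above, useful for confirming whether Group Policy has re-applied the smart card settings on a machine. The function name and the baseline values (scforceoption 1, scremoveoption 1) are assumptions.

```powershell
# Added example: report the two smart card registry values named in this thread.
# Function name and baseline defaults are assumptions, not from the posts.
function Get-SmartCardPolicyState {
    [CmdletBinding()]
    param(
        # Values expected when smart card logon is enforced (assumed baseline).
        [int]$ExpectedForce = 1,
        [string]$ExpectedRemove = '1'
    )

    $systemKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # A missing value comes back as $null; per the thread, deleting the value
    # has the same effect as setting it to 0.
    $force  = (Get-ItemProperty -Path $systemKey -Name 'scforceoption' `
                  -ErrorAction SilentlyContinue).scforceoption
    $remove = (Get-ItemProperty -Path $winlogonKey -Name 'scremoveoption' `
                  -ErrorAction SilentlyContinue).scremoveoption

    # Documented meanings of scremoveoption.
    $removeMeaning = @{
        '0' = 'No action'
        '1' = 'Lock workstation'
        '2' = 'Force logoff'
        '3' = 'Disconnect remote session'
    }

    $forceValue  = if ($null -eq $force)  { 0 }   else { [int]$force }
    $removeValue = if ($null -eq $remove) { '0' } else { [string]$remove }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ScForceOption     = $forceValue
        ForceValuePresent = ($null -ne $force)
        SmartCardRequired = ($forceValue -eq 1)
        ScRemoveOption    = $removeValue
        RemovalBehaviour  = $removeMeaning[$removeValue]
        # True when either value differs from the expected enforced state.
        DriftFromBaseline = ($forceValue -ne $ExpectedForce) -or
                            ($removeValue -ne $ExpectedRemove)
    }
}

Get-SmartCardPolicyState | Format-List
```

Running it before and after a Group Policy refresh shows whether the local change has been reverted, which is the behaviour atheria describes.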
From: atheria on 6 Jan 2010 21:31

It's not possible in a military system to set up an OU... I am giving the "best" answer for those who are not at the OU level. In a corporate environment where "we" would be much 'higher' in the food chain deleting or making an OU might work.

~atheria