May 27 2020 09:22 AM
I want to set the "smart card required for interactive logon" attribute on the AD accounts of my domain admins via GPO, but the only setting I have found is computer level, which would require it for all users logging onto that computer.
Anyone know how to set that flag on user accounts via GPO?
May 27 2020 11:31 AM
I think that's correct. It is a device level setting not a user level setting.
May 27 2020 12:39 PM
@Dave Patrick then how do you only require MFA for privileged accounts?
Jun 02 2021 06:16 AM - edited Jun 02 2021 06:20 AM
@sgiovanni I know this is an older post, but you can mark an account as "Smart card is required for interactive logon" under the Account tab in Users and Computers.
I think marking "Account is sensitive and cannot be delegated" and adding it to the "Protected Users" group should also be done.
Jun 02 2021 06:33 AM
Jun 02 2021 07:49 AM
This GPO is device level only. The Interactive logon: Require smart card policy setting requires users to log on to a device by using a smart card. Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly.
Note: All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
However, you need to ensure the users have the following attribute set in AD.
Use the PowerShell below to query the smart card status:
Get-ADUser -Filter * -Properties SmartcardLogonRequired | Select-Object Name, SmartcardLogonRequired | Format-Table -AutoSize
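Pulling the two answers together (per-account "Smart card is required for interactive logon", "Account is sensitive and cannot be delegated", Protected Users membership, then the status query), here is an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory RSAT module, rights to modify the target accounts, a domain functional level that provides the Protected Users group (Windows Server 2012 R2 or later), and the group names and break-glass exclusion list given as parameters, which you should adjust for your domain. It uses -WhatIf support so you can preview changes before making them.

```powershell
# Added example, not from the original thread. Applies the user-level equivalents of the
# "Interactive logon: Require smart card" GPO to members of privileged groups only.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed group names; change to match your tiering model.
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
    # Assumed break-glass account(s) that must keep password logon. Setting
    # SmartcardLogonRequired randomises the account's password, so never apply it here.
    [string[]]$Exclude = @('Administrator')
)

Import-Module ActiveDirectory

$protectedUsers = Get-ADGroup -Identity 'Protected Users'

# Recursive membership across all privileged groups, users only, de-duplicated.
$targets = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$targets = $targets |
    Sort-Object -Property SamAccountName -Unique |
    Where-Object { $Exclude -notcontains $_.SamAccountName }

foreach ($member in $targets) {
    $u = Get-ADUser -Identity $member.DistinguishedName `
        -Properties SmartcardLogonRequired, AccountNotDelegated, MemberOf

    # 1. Smart card is required for interactive logon (the flag the GPO cannot set per user).
    #    The account must already have a smart-card logon certificate or the user is locked out.
    if (-not $u.SmartcardLogonRequired) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set SmartcardLogonRequired')) {
            Set-ADUser -Identity $u -SmartcardLogonRequired $true
        }
    }

    # 2. Account is sensitive and cannot be delegated.
    if (-not $u.AccountNotDelegated) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set AccountNotDelegated')) {
            Set-ADUser -Identity $u -AccountNotDelegated $true
        }
    }

    # 3. Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, 4-hour TGT lifetime.
    if ($u.MemberOf -notcontains $protectedUsers.DistinguishedName) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity $protectedUsers -Members $u
        }
    }
}

# Report the resulting state of the targeted accounts only (the thread's query, narrowed).
$targets | ForEach-Object {
    Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired, AccountNotDelegated, MemberOf
} | Select-Object SamAccountName, SmartcardLogonRequired, AccountNotDelegated,
    @{ Name = 'ProtectedUser'; Expression = { $_.MemberOf -contains $protectedUsers.DistinguishedName } } |
    Format-Table -AutoSize
```

Run it first as `.\Harden-PrivilegedAccounts.ps1 -WhatIf` (any file name works; this one is assumed) to see what would change. Two caveats a practitioner should verify before the real run: enabling SmartcardLogonRequired resets the account's password to a random value, so anything still authenticating that account with a password stops working, and Protected Users blocks NTLM and RC4 entirely, which breaks older services those admins may depend on. Keep at least one excluded break-glass account that is not in Protected Users and whose password is stored offline.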