Forum Discussion
Require Smart Card for Domain Admins
I want to set the "smart card required for interactive logon" attribute on the AD accounts of my domain admins via GPO, but the only setting I have found is computer level, which would require it for all users logging onto that computer.
Anyone know how to set that flag on user accounts via GPO?
I think that's correct. It is a device level setting not a user level setting.
Dave Patrick then how do you only require MFA for privileged accounts?
Maybe duo or rsa or okta would work.
- Also should not be the daily account. Admin account should be a second or 3rd account for that user.
This GPO is for device level only for the Interactive logon: Require smart card policy setting requires users to log on to a device by using a smart card. Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly.
Note: All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
However you need to ensure the users had the following attribute set in AD
Use below powershell to query the status of Smart card
Get-AdUser -filter * -prop SmartcardLogonRequired|select name,SmartcardLogonRequired|ft -auto
