Require Smart Card for Domain Admins


I want to set the "smart card required for interactive logon" attribute on the AD accounts of my domain admins via GPO, but the only setting I have found is computer level, which would require it for all users logging onto that computer.

Anyone know how to set that flag on user accounts via GPO?

3 Replies

I think that's correct. It is a device-level setting, not a user-level setting.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interac...

@Dave Patrick then how do you only require MFA for privileged accounts? 

Maybe Duo or RSA or Okta would work.
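
For the per-account flag the original question asks about, the script below is an added example and not part of the thread: it reports which members of a privileged group have "smart card required for interactive logon" set and, when run with `-Enforce`, sets it through `Set-ADUser`. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the `$GroupName` and `-Enforce` parameter names are this example's own.

```powershell
# Added example: audit (and optionally set) the per-account smart card flag
# for members of a privileged group. Parameter names are hypothetical.
param(
    [string]$GroupName = 'Domain Admins',   # assumption: the group to audit
    [switch]$Enforce                        # without this switch the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Recurse so that accounts holding the privilege through nested groups are included.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Read the flag for each member; SmartcardLogonRequired maps to the
# SMARTCARD_REQUIRED bit of the account's userAccountControl attribute.
$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties SmartcardLogonRequired
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        Enabled                = $u.Enabled
        SmartcardLogonRequired = $u.SmartcardLogonRequired
        DistinguishedName      = $u.DistinguishedName
    }
}

# Accounts without the flag sort first.
$report | Sort-Object SmartcardLogonRequired, SamAccountName |
    Format-Table SamAccountName, Enabled, SmartcardLogonRequired -AutoSize

if ($Enforce) {
    $report |
        Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
        ForEach-Object {
            # -Confirm prompts per account before the change is written.
            Set-ADUser -Identity $_.DistinguishedName -SmartcardLogonRequired $true -Confirm
        }
}
```

Setting the flag replaces the account's password with a random value, so confirm that each administrator has a working smart card before running with `-Enforce`.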