Require Smart Card for Domain Admins

I want to set the "smart card required for interactive logon" attribute on the AD accounts of my domain admins via GPO, but the only setting I have found is computer level, which would require it for all users logging onto that computer.

Anyone know how to set that flag on user accounts via GPO?

I think that's correct. It is a device-level setting, not a user-level setting.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interac...

@Dave Patrick then how do you require MFA only for privileged accounts?

Maybe Duo or RSA or Okta would work.

@sgiovanni I know this is an older post, but you can mark an account as "Smart card is required for interactive logon" under the Account tab in Active Directory Users and Computers.

I think marking "Account is sensitive and cannot be delegated" and adding the account to the "Protected Users" group should also be done.

Also, it should not be the daily account. The admin account should be a second or third account for that user.

This GPO is device-level only: the "Interactive logon: Require smart card" policy setting requires users to log on to a device by using a smart card. Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly.

Note: All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.

However, you need to ensure the users have the following attribute set in AD:

[Screenshot Seshadrr_0-1622645079890.png: the user account attribute referred to above]

Use the PowerShell below to query the smart card logon status of every user:

Get-ADUser -Filter * -Properties SmartcardLogonRequired | Select-Object Name, SmartcardLogonRequired | Format-Table -AutoSize
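The thread's conclusion is that the GPO setting is per computer, while the flag the original poster wants lives on the user object and has to be set there. The script below is an added example, not code from any poster in this thread: it applies the three user-level controls the replies recommend (smart card required for interactive logon, account sensitive and cannot be delegated, membership of Protected Users) to every user in a privileged group, then prints the same kind of audit as the one-liner above, restricted to that group. It assumes the ActiveDirectory RSAT module is installed, that the account running it may modify the target users, and that the group to enforce on is "Domain Admins" (a parameter you can override).

```powershell
# Added example (not from the thread): enforce the user-level controls the
# replies recommend on every member of a privileged group. GPO cannot set
# these because they live on the user object, not on the computer.
# Assumes: ActiveDirectory module (RSAT), rights to modify the accounts,
# and $Group naming the privileged group (default assumed: 'Domain Admins').
# Run with -WhatIf first to preview the changes.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group = 'Domain Admins'   # assumed default; override as needed
)

Import-Module ActiveDirectory

# Resolve the nested user membership of the group once, with the flags we care about.
function Get-PrivilegedUser {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties SmartcardLogonRequired, AccountNotDelegated, MemberOf
}

$protectedUsersDN = (Get-ADGroup -Identity 'Protected Users').DistinguishedName

foreach ($u in Get-PrivilegedUser -GroupName $Group) {
    # "Smart card is required for interactive logon": the SMARTCARD_REQUIRED
    # bit in userAccountControl, i.e. the attribute shown in the screenshot.
    if (-not $u.SmartcardLogonRequired) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require smart card for interactive logon')) {
            Set-ADUser -Identity $u -SmartcardLogonRequired $true
        }
    }

    # "Account is sensitive and cannot be delegated".
    if (-not $u.AccountNotDelegated) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Mark account as sensitive and cannot be delegated')) {
            Set-ADUser -Identity $u -AccountNotDelegated $true
        }
    }

    # Protected Users membership.
    if ($u.MemberOf -notcontains $protectedUsersDN) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $u
        }
    }
}

# Audit: re-read the group and show which privileged accounts still lack a control.
Get-PrivilegedUser -GroupName $Group |
    Select-Object SamAccountName,
        SmartcardLogonRequired,
        AccountNotDelegated,
        @{ Name = 'ProtectedUser'; Expression = { $_.MemberOf -contains $protectedUsersDN } } |
    Format-Table -AutoSize
```

Two practical points when rolling this out: test on a single admin account before the whole group, because Protected Users membership disables NTLM, RC4 and delegation for that account and a smart card or Kerberos problem will then lock the admin out; and note that setting SmartcardLogonRequired gives the account a random password hash at that moment, which is why the thread's advice to keep the admin account separate from the daily account matters.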