Printable View
We have few PCs running with Windows XP and Windows 200 and all these systems are connected with a single network. So far users need to login using their username and password. But I want to restrict all of them to login with smart card through the local computer security policy. Note, I want to do this only for users and not for the Admin. So can you guys please tell me how can I do this keeping an exception for Administrator to use Smart Card logon?
Most probably that is not possible unless and until you delete the local policy registry entry for Smart Card enforcement by login in to Safe Mode. You need to do this because there is no way to add Local account to an exception lists however you can do this on a User and Computer based enforcement in the Active Directory Domain. Once in safe mode, you will need to delete the Smart Card enforcement through Regedit or HKLM hive . Let me know if you need any more help.
By going to Active Directory you can restrict user’s account to use Smart Card logon but remember that it will applied for any domain computer that they logon to. Also exception for Administrator will be bit difficult because computer configuration Group Policy applies to all systems connected with the domain.
First of all the registry key that enables Smart Card enforcement is [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system] "SCForceOption"=dword:00000001
And as far as I know you can disable the enforcement by deleting SCForceOption or setting its DWORD Value to 0. Remember that you need to boot the system in Safe Mode and login as Admionistrator.
Good suggestion in regedit thanks.
Good suggestion in regedit thanks.