#1
Smart card is required for interactive logon

I have several users that log on without smart cards on a daily basis. I also have users that are required to log in with smart cards. I have one user in particular that doesn't have a smart card, and so his account is set up to allow him to log in with a username and password. The problem is that for this one individual, every day when he comes into work and attempts to log in, it tells him he needs a smart card. So every day he calls me, I go into Active Directory, and sure enough "Smart card is required for interactive logon" is checked. I uncheck this box and he is fine for the rest of the day. Does anybody have any ideas on this?

#2
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
SCFORCEOPTION = 1 - change to 0 (zero)

If you don't have this in your registry, you will have to find another way unless your unit is willing to give the poor guy a CAC card. The thing is, if Group Policy is in force, the "option" will change back to "1" as soon as the machine is seen by AD and GP... Either way, it's a pain.

It's not possible in a military system to set up an OU... I am giving the "best" answer for those who are not at the OU level. In a corporate environment where "we" would be much 'higher' in the food chain, deleting or making an OU might work.

#3
Re: Smart card is required for interactive logon

In a US "military" AD the structure for Cryptographic Logon Exceptions ALREADY EXISTS! Additionally, the cards may be generically called SmartCards but that is not the DoD name.

What I described (set up an OU as a Cryptographic Logon Exception, then MOVE/CREATE the user's AD Account into the Cryptographic Logon Exception OU) is industry *best* practice. Having worked with PKI on AD for 6~7 years, I know this to be a fact.

Final notes... US Military application of "SmartCards" is not and should NEVER be discussed in public forums! Bypassing DoD security measures is a violation of DoD regulations.

#4
Re: Smart card is required for interactive logon

On a related note, has anyone had an issue where if they want to turn on "Require Smart Card" for certain privileged accounts in Active Directory, it works, but if you then untoggle the "Require smart card" attribute on the user object, it seems to invalidate the Active Directory user account password, needing a manual password change? The password last set attribute still shows the time of the previous AD password change, but it just seems that toggling "require smart card" mangles it and doesn't update the password last set attribute in AD.

#5
Re: Smart card is required for interactive logon

We are just starting to look at using SmartCards and I am seeing the exact same thing. Can anyone point to a Microsoft doc that describes the relationship between the SmartCard and AD passwords?

#6
Re: Smart card is required for interactive logon

Smartcard logon in part works by having a Domain Controller template-based certificate in the authenticating domain's local computer certificate stores. In the more straightforward scenario of an Enterprise Certificate Authority, where information regarding the installed CA is stored in the forest AD, the domain controller certificate is auto-enrolled to the domain controller as a matter of course. That can make for a nice starting place for configuring smartcard logon to work in your environment.
__________________
Blessings to you

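A read-only check of the two settings this thread mentions, the per-user "Smart card is required for interactive logon" flag and the ScForceOption registry value, together with the replication metadata that shows when and on which domain controller the flag was last written. This is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module is installed, and `jdoe` is a placeholder account name.

```powershell
# Added example. Assumptions: the RSAT ActiveDirectory module is available and
# 'jdoe' stands in for the affected account's sAMAccountName.
Import-Module ActiveDirectory

$SamAccountName    = 'jdoe'      # placeholder, not from the thread
$SmartcardRequired = 0x40000     # userAccountControl bit behind the checkbox

# 1. Local machine: the policy value named in reply #2. A value of 1 means this
#    computer requires a smart card for interactive logon.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$scForce = (Get-ItemProperty -Path $policyKey -Name ScForceOption `
            -ErrorAction SilentlyContinue).ScForceOption
if ($null -eq $scForce) { $scForce = 'not set' }
"ScForceOption on ${env:COMPUTERNAME}: $scForce"

# 2. Per-user flag next to the password timestamp discussed in reply #4.
$user = Get-ADUser -Identity $SamAccountName `
        -Properties userAccountControl, SmartcardLogonRequired, pwdLastSet, whenChanged
[pscustomobject]@{
    Account                = $user.SamAccountName
    SmartcardLogonRequired = $user.SmartcardLogonRequired
    FlagBitSet             = [bool]($user.userAccountControl -band $SmartcardRequired)
    PasswordLastSetUtc     = [datetime]::FromFileTimeUtc($user.pwdLastSet)
    WhenChanged            = $user.whenChanged
}

# 3. Replication metadata: when userAccountControl was last written, how many
#    times (Version), and which domain controller originated the write.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc `
        -Properties userAccountControl |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
```

A `LastOriginatingChangeTime` that recurs at the same hour each day, with `Version` climbing by one, points to something writing the flag on a schedule rather than a manual edit.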