Group Policy Settings for Managing a Smart Card Infrastructure

Define Group Policy settings to enforce the required smart card use

Require a smart card for logon

J 1 1


Smart card removal behavior

Do not allow smart card device redirection v j

illegal for non-trainer use

illegal for non-trainer use


Require smart card for logon

Smart card removal behavior

You can use Group Policy settings in Active Directory to manage smart cards in your organization. Windows Server 2003 supports various smart card-specific settings.

When you set the Interactive logon: Require smart card for logon policy on a user account, the user cannot log on to the account by using a password. The user can only log on by using a smart card.

The advantage of using this policy setting is that it enforces strict security. However, if users are unable to log on by using conventional passwords, you must provide an alternate solution in the event that smart cards become unusable. This policy setting applies to interactive and network logons only. It does not apply to remote access logons, which are managed by policy settings that are configured on the remote access server.

If you choose not to use this security policy setting, users can revert to their standard network passwords if their smart cards are damaged or unavailable. However, this weakens security. In addition, users who use their passwords infrequently might forget them and either write them down or call the help desk for a password reset, thus increasing help desk costs to the organization.

Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best if users either log off or lock their computers when they leave. The Interactive logon: Smart card removal behavior policy allows you to force users to log off or lock their computers when they remove their smart cards.

Whether you set the smart card removal behavior policy depends on how your users interact with their computers. For example, this policy is a good choice if you are using computers in an open floor or kiosk environment. This policy might not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

Do not allow smart card Use the Interactive logon: Do not allow smart card device redirection policy device redirecti┬░n if you do not want to use smart cards in conjunction with Terminal Services sessions. If you enable this policy, users will be able to log on to their workstations by using smart cards, but they will not be able to use smart cards to authenticate to a Terminal Services session. Restrict this use of smart cards if you are concerned about the network resources required for Terminal Services sessions in your environment.

Note Another Group Policy setting that will impact users when they log on using smart cards is the Account lockout threshold policy that is configured at the domain level. This policy disables accounts after a set number of failed logon attempts. This policy applies to users who log on by using passwords in addition to users logging on by using smart cards.

Was this article helpful?

0 0
Computer Hard Drive Data Recovery

Computer Hard Drive Data Recovery

Learn How To Recover Your Hard Drive Data After A Computer Failure.

Get My Free Ebook


  • jakub
    Where i found force smart card logon" group policy in windows 2008?
    7 years ago
  • maria wexler
    When enabling smart card removal behavior policy it does not work?
    7 years ago
    How to disable smart card logon on windows 2008 server without having other users?
    7 years ago
  • AWET
    How to enforce CAC card using group policy?
    8 months ago
  • karolin
    Is there a policy thatsets a time to live for smart cards CAC on a website?
    7 months ago
  • marcel
    How to use group policy management to force smart card log on?
    28 days ago

Post a comment