Context
When a user opens an Active Directory session with a smart card, some applications still do not support smart card logon and need a classic user name and password login.
Dilemma
In the Active Directory Users and Computers MMC (ADUC), the only option available is the account setting “Smart card is required for interactive logon”:

Setting that option in ADUC does the following:
- Disables logon with a password
- Changes the user's password
- Removes the password expiration date for the user
Solution
User modification
Do not set the option with the ADUC MMC. Set the SMARTCARD_REQUIRED flag in userAccountControl directly with a PowerShell script, which leaves the password untouched, and grant the account itself (SELF, S-1-5-10) the Reset Password and Change Password control access rights so it can keep maintaining its own password. Two caveats: Reset Password on SELF lets the user set a new password without knowing the current one (a normal change, which SELF already has by default, requires the old password), and at the Windows Server 2016 domain functional level the optional KDC policy that rolls expiring NTLM secrets of smart-card-required users at sign-on will randomize such a password once it has expired.
```powershell
# Set SMARTCARD_REQUIRED on one user directly through ADSI (no password reset as in ADUC),
# then grant SELF the two password control access rights. $Props and GetADRightGuid were
# left undefined in the original; they are supplied here.
param([Parameter(Mandatory)][string]$SamAccountName)

$ADS_UF_SMARTCARD_REQUIRED = 0x40000    # userAccountControl bit
$RootDSE = [ADSI]"LDAP://RootDSE"

# Resolve a control access right (e.g. "Reset Password") to its rightsGuid in the configuration partition
function GetADRightGuid([string]$DisplayName) {
    $s = New-Object DirectoryServices.DirectorySearcher(
        [ADSI]("LDAP://CN=Extended-Rights," + $RootDSE.configurationNamingContext),
        "(&(objectClass=controlAccessRight)(displayName=$DisplayName))", @("rightsGuid"))
    return [guid]$s.FindOne().Properties["rightsguid"][0]
}

# Find the user and bind to its object
$s = New-Object DirectoryServices.DirectorySearcher(
    [ADSI]("LDAP://" + $RootDSE.defaultNamingContext),
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))")
$Props = $s.FindOne().Properties
$oUser = [ADSI]("LDAP://" + $Props.distinguishedname)
Write-Output "Found user: $($oUser.DistinguishedName)"

Write-Output " --> Setting SMARTCARD_REQUIRED (No password change)"
[int]$userFlags = $oUser.useraccountcontrol[0]
$oUser.useraccountcontrol = $userFlags -bor $ADS_UF_SMARTCARD_REQUIRED
$oUser.SetInfo()

# Allow SELF (S-1-5-10) the Reset Password and Change Password extended rights on this object
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
Write-Output " --> Changing rights and attributes"
foreach ($right in "Reset Password", "Change Password") {
    $rule = New-Object DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $self, "ExtendedRight", "Allow", (GetADRightGuid $right)
    $oUser.ObjectSecurity.AddAccessRule($rule)
}
$oUser.CommitChanges()   # writes the modified nTSecurityDescriptor
```
Check the password expiration
On the OU that contains the account, link a GPO with a PowerShell logon script equivalent to the following:
```powershell
# Logon script: report the current user's smart card and password state.
# The original relied on a SearchAD helper and a WinForms $OutBox; this version
# queries System.DirectoryServices directly and writes to standard output.
$RootDSE = [ADSI]"LDAP://RootDSE"
$searcher = New-Object DirectoryServices.DirectorySearcher(
    [ADSI]("LDAP://" + $RootDSE.defaultNamingContext),
    "(&(objectClass=user)(objectCategory=person)(sAMAccountName=$($env:USERNAME)))",
    @("distinguishedname", "displayname", "samAccountName", "useraccountcontrol", "objectGUID", "pwdLastSet"))
$oUser = $searcher.FindOne()

# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01, UTC)
$pwdLastSet = [DateTime]::FromFileTimeUtc([Int64]$oUser.Properties["pwdlastset"][0])
$UF = [int32]$oUser.Properties["useraccountcontrol"][0]
$bSmartCard = ($UF -band 0x40000) -ne 0             # ADS_UF_SMARTCARD_REQUIRED
$bPasswordNeverExpires = ($UF -band 0x10000) -ne 0  # ADS_UF_DONT_EXPIRE_PASSWD
$pwdAge = [DateTime]::UtcNow - $pwdLastSet

Write-Output " --> DistinguishedName : $($oUser.Properties['distinguishedname'][0])"
Write-Output " --> DisplayName : $($oUser.Properties['displayname'][0])"
Write-Output " --> Password never expires : $bPasswordNeverExpires"
Write-Output " --> Requires SmartCard : $bSmartCard"
Write-Output " --> Password date (UTC) : $pwdLastSet"
Write-Output " --> Password age : $($pwdAge.Days) Days $($pwdAge.Hours) Hours $($pwdAge.Minutes) Mn"
```
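To verify the outcome of both steps (the ADSI modification and the logon-time check) across a whole OU rather than one account at a time, here is an added audit script; it is not part of the original post. It lists every user with SMARTCARD_REQUIRED set, decodes the same two userAccountControl bits the logon script looks at, computes the password age from pwdLastSet, and reads each object's DACL to confirm that SELF holds the Reset Password and Change Password control access rights the modification script grants. The OU distinguished name and the maximum password age are parameters you supply (assumptions); the two rightsGuid values are the well-known GUIDs of those control access rights in the AD schema.

```powershell
# Added audit example (not the original post's code). Lists smart-card-required users
# in an OU with their password state and whether SELF can reset/change the password.
# $SearchBase and $MaxPasswordAgeDays are caller-supplied assumptions.
param(
    [Parameter(Mandatory)][string]$SearchBase,   # e.g. "OU=Users,DC=example,DC=com" (assumed)
    [int]$MaxPasswordAgeDays = 90                 # the domain's maximum password age (assumed)
)

$UF_DONT_EXPIRE_PASSWD = 0x10000
$UF_SMARTCARD_REQUIRED = 0x40000
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'
# Well-known rightsGuid of User-Force-Change-Password ("Reset Password") and User-Change-Password ("Change Password")
$RESET_PASSWORD_GUID  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$CHANGE_PASSWORD_GUID = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$SELF_SID = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

# True if an Allow ACE for SELF grants this control access right, or all extended rights (empty ObjectType)
function Test-SelfExtendedRight {
    param([System.DirectoryServices.DirectoryEntry]$Entry, [guid]$RightGuid)
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $isExtended = ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($r.IdentityReference -eq $SELF_SID -and $r.AccessControlType -eq 'Allow' -and $isExtended -and
            ($r.ObjectType -eq $RightGuid -or $r.ObjectType -eq [guid]::Empty)) {
            return $true
        }
    }
    return $false
}

function Get-SmartCardAccountReport {
    # Bitwise-AND matching rule: only users whose userAccountControl has SMARTCARD_REQUIRED set
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:$($LDAP_MATCHING_RULE_BIT_AND):=$($UF_SMARTCARD_REQUIRED)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]("LDAP://" + $SearchBase), $filter,
        @('distinguishedName', 'sAMAccountName', 'userAccountControl', 'pwdLastSet'))
    $searcher.PageSize = 500

    foreach ($result in $searcher.FindAll()) {
        $uac = [int]$result.Properties['useraccountcontrol'][0]
        $fileTime = [int64]$result.Properties['pwdlastset'][0]
        # pwdLastSet is a FILETIME in UTC; 0 means the password was never set
        $pwdLastSet = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }
        $ageDays = if ($pwdLastSet) { [int]([DateTime]::UtcNow - $pwdLastSet).TotalDays } else { $null }
        $neverExpires = ($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0
        $entry = $result.GetDirectoryEntry()

        [pscustomobject]@{
            SamAccountName        = [string]$result.Properties['samaccountname'][0]
            DistinguishedName     = [string]$result.Properties['distinguishedname'][0]
            SmartCardRequired     = ($uac -band $UF_SMARTCARD_REQUIRED) -ne 0
            PasswordNeverExpires  = $neverExpires
            PwdLastSetUtc         = $pwdLastSet
            PasswordAgeDays       = $ageDays
            # Older than the policy maximum and still subject to expiry: the legacy
            # user/password logon this page is about will start failing for this account
            PasswordExpired       = (-not $neverExpires) -and ($null -ne $ageDays) -and ($ageDays -gt $MaxPasswordAgeDays)
            SelfCanResetPassword  = Test-SelfExtendedRight -Entry $entry -RightGuid $RESET_PASSWORD_GUID
            SelfCanChangePassword = Test-SelfExtendedRight -Entry $entry -RightGuid $CHANGE_PASSWORD_GUID
        }
    }
}

Get-SmartCardAccountReport | Format-Table -AutoSize
```

Any domain user can read the DACL of user objects by default, so the script needs no special rights. An account that shows SmartCardRequired true together with PasswordNeverExpires true was most likely set through ADUC (its password was also reset), whereas an account set by the script above keeps an expiring password, which is exactly why PasswordExpired and the two SelfCan* columns are worth watching.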