0

I'm looking for a way to use smart cards to lock and unlock windows workstations used by shared user accounts.

1) We want to lock/unlock the shared user account with each user's personal staff card.

2) in specific areas we want to lock the workstation, but let the screen still showing the active session/programs. It should be as if only the keyboard and mouse don't work while the card is not in the card reader.

Normally we can have a policy locking the account when the card is removed from its reader. However, in this case we have several groups of people sharing a single login to access various resources. We want a single user to be able to unlock several different shared user accounts. Let's say an engineer or supervisor that has a larger area of responsibility.

AL3
  • 23
  • 5
  • 2
    "We want to lock/unlock the shared user account with each user's personal staff card." Why not issue a second certificate to their smart card for the shared identity? – Greg Askew Sep 29 '16 at 20:23
  • Your solution will not allow the second case; locking with keeping desktiop visible. We also still want users to be able to use their personal accounts on other computers. – AL3 Sep 30 '16 at 10:53
  • I'm not aware of any solution for the second case. Also, they would still be able to "use their personal account on other computers" if they had additional certificates on their smart card. – Greg Askew Sep 30 '16 at 12:29

1 Answers1

0

For #1, your options are either to:

  1. Create a shared user account that can log on to specific workstations and then use user account certificate mapping to map smartcard certificates from specific users to that shared account.

  2. Go with what Greg Askew said and add a second shared identity to the smartcard that users then select when they're logging on.

For requirement #2, I'm not sure what does that outside of some custom coding. It sounds like you want to trigger some sort of kiosk mode when a smartcard is removed. If all you want is to show a list of logged on users you could set the smart card removal behavior to Lock Workstation and then make sure the Interactive logon: Display user information when the session is locked. GPO is configured.

If you truly want to just disable mouse/keyboard on smartcard removal, I think your only option is to write some code to talk to the Windows API and watch for those events using the SCardGetStatusChange function per MSDN and this StackExchange post.

Community
  • 1
bobmagoo
  • 452
  • 2
  • 12
  • Thank you for your input. We'll have to look at writing an application for the keyboard/mouse locking. – AL3 Oct 14 '16 at 11:11