Smart card elevated privilege access


bobmagoo

Hi all,

I'm working on setting my users up with smart card enabled logins tied in with their AD accounts on a Win 2k3 server. The problem I'm running into is that, with the way things are currently set up, some users have a "normal"/underprivileged account for desktop work and such, and then they have another account with elevated privileges that they use when they need to do something requiring more access.

I'm not sure if it's possible, but what I'm looking for is for a given user to be able to use their smart card to log in to their desktops using their underprivileged account, and then use that same card to access their admin-level account (like sudo on the Linux side) when the need arises.

If there's any way to do what I'm talking about without restructuring the AD, I'm all ears.

Thanks

  • 3 weeks later...

I'm not entirely sure I understand what's needed here - but I think this should be a step in the right direction:

http://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts.aspx

Unfortunately, it seems you'll need to be running all Win2k8 DCs, and your CA will need to be running on an Enterprise edition of Windows.

Not cheap if you're currently a Win2k3 Std shop throughout.
