
Breaking the lab: Interactive logon: Require smart card. Should I just set that on my Domain Controllers?


To answer the question in the title up front: no. The machine-wide setting blocks every password-based interactive logon on the domain controller, including your break-glass account. Follow Microsoft's guidance instead: enforce smart card use on the administrative credentials themselves, and keep rarely used emergency access accounts to handle the situations listed later in this post. I'm not going to rewrite what has already been discussed in depth on this topic; for more information, see Securing Privileged Access Reference Material.

On any given day I get a number of questions, and like many of you I spend time searching the web for the answer. Sometimes I find it; a lot of the time I do not.

I received this question, and have had the same discussion many times with other admins, about the problems that can occur if they set this flag on a server or domain controller:

  • What happens when you are physically in front of the server? Will there be a smart card reader attached to it?
  • Does the server vendor support virtual USB (or similar) smart card redirection when you have to log on to the console remotely through a DRAC or iLO?
  • How do you log on to a server if your smart card is missing?

So back to the question: what happens if I set this on a Domain Controller? I'm going to break my lab so that you don't have to.

In this scenario I built one Domain Controller in a generic new domain/forest and enabled "Interactive logon: Require smart card" in the Default Domain Controllers Policy GPO.


After running gpupdate /force, I confirmed the setting had been applied on the DC.


To be sure it took effect, I rebooted the domain controller.

I then tried logging on to the Domain Controller with the domain's built-in Administrator account.


So now I can't log on to my one and only Domain Controller, because the only account in the domain does not have a smart card. For grins, I shut the domain controller down and booted it into safe mode, hoping this would let me log on without a smart card.


It does, and I'm able to get back onto the system.


Since I tested this with a GPO, I need to modify the GPO to resolve the issue; the local change alone would be re-applied at the next policy refresh. But if I had applied a security template locally instead, safe mode would let me back into the system so that I could back out the change.
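As an added example (my code, not the author's), here is the pre-flight check I would run before enabling this setting, together with the local back-out used from safe mode. It assumes the ActiveDirectory (RSAT) module is available, an elevated session on the DC, and that "Domain Admins" is the group you care about; the certificate heuristic (a certificate with the Smart Card Logon EKU published in userCertificate) is an assumption, since AD does not directly record whether a person holds a card. The registry value ScForceOption under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is what the "Interactive logon: Require smart card" policy writes.

```powershell
# Added example, not from the original post. Assumes ActiveDirectory module (RSAT)
# and an elevated session on the DC. Group name and EKU heuristic are assumptions.
#Requires -Modules ActiveDirectory

$PolicyKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue       = 'ScForceOption'                 # value behind "Require smart card"
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'        # Smart Card Logon EKU OID

# 1. Is the machine-wide requirement currently in effect on this host?
function Test-SmartCardRequired {
    $p = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$PolicyValue -eq 1)
}

# 2. Before enabling it: which privileged accounts could still log on afterwards?
#    Heuristic (assumption): an account is "ready" if a certificate carrying the
#    Smart Card Logon EKU is published in its userCertificate attribute.
function Get-SmartCardReadiness {
    param([string]$Group = 'Domain Admins')          # group name is an assumption
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties SmartcardLogonRequired, userCertificate
            $hasLogonCert = $false
            foreach ($raw in @($u.userCertificate)) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                } catch { continue }                 # skip undecodable blobs
                $eku = $cert.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
                }
                if ($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $SmartCardLogonEku)) {
                    $hasLogonCert = $true; break
                }
            }
            [pscustomobject]@{
                SamAccountName         = $u.SamAccountName
                Enabled                = $u.Enabled
                SmartcardLogonRequired = [bool]$u.SmartcardLogonRequired
                HasSmartCardLogonCert  = $hasLogonCert
            }
        }
}

# 3. Recovery from safe mode when the setting was applied LOCALLY (security template
#    or Local Security Policy): clear the value so password logon works again.
#    If a GPO set it, this only buys time: the next policy refresh re-applies it,
#    so the GPO itself must be changed (Security Settings node in GPMC).
function Undo-LocalSmartCardRequirement {
    if (Test-SmartCardRequired) {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 0 -Type DWord
        Write-Host "$PolicyValue cleared; password logon allowed after sign-out or reboot."
    } else {
        Write-Host "$PolicyValue is not set to 1 on this host; nothing to undo."
    }
}

# Runs the readiness report only when executed directly (not when dot-sourced in safe
# mode, where AD may be unavailable and you only want Undo-LocalSmartCardRequirement).
if ($MyInvocation.InvocationName -ne '.') {
    $report = Get-SmartCardReadiness
    $report | Format-Table -AutoSize
    $locked = $report | Where-Object { $_.Enabled -and -not $_.HasSmartCardLogonCert }
    if ($locked) {
        Write-Warning "Enabling the policy would lock out: $($locked.SamAccountName -join ', ')"
    }
    "Policy currently enforced on this host: $(Test-SmartCardRequired)"
}
```

Run the script normally before touching the policy; any enabled account in the report with HasSmartCardLogonCert = False is one you would lock out of the DC console. In the safe-mode recovery case, dot-source the file and call Undo-LocalSmartCardRequirement, then sign out. Certificates that were never published to userCertificate will show as not ready even if the user has a card, so treat a False as a prompt to verify, not as proof.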

This is a short and sweet post. I hope you find the information useful, and that it helps you plan your smart card deployment.

Additional Resources: Log On in Safe Mode to Configure the Computer for Password Logon

