Handling smartcard logon exceptions
When you enable the policy that requires users to use a smartcard for encrypting files with EFS or encrypting fixed or removable drives with BitLocker To Go, you can create recovery agents and export the related private keys to removable drives (stored in a safe place) to safely recover encrypted files and encrypted logical volumes in the case the smart cards were lost by the users.
So while for EFS and BitLocker To Go the recovery agents are the solution for lost smartcards, I don't know what the standard recovery method for a lost logon smartcard is.
I'll try to explain better what I mean:
I wish to implement a windows server 2008 R2 domain enabling the policy that requires users to log on to the domain using a smart card for ALL domain users, so including domain administrators and enrollment agents, with no exception.
Let's imagine, as an absurd hypothetical scenario, that every domain user, so including every domain administrator and enrollment agent, has lost his/her logon smartcard. In this case, how could a domain administrator log on to the domain and perform administrative tasks?
Are there any standard recovery methods that Microsoft provides for handling a situation like the one I imagined above?
Thanks a lot.
Michele
January 6th, 2011 5:36am
On Thu, 6 Jan 2011 10:32:58 +0000, Evolve_or_Die wrote:
Let's imagine, as an absurd hypothetical scenario, that every domain user, so including every domain administrator and enrollment agent, has lost his/her logon smartcard. In this case, how could a domain administrator logon to the domain and perform administrative tasks? Are there any standard recovery methods that Microsoft provided for handling a situation like the one i imagined above?
No, because as you said in your own post, that is an absurd situation. If
you feel strongly enough about this occurring, though I've done hundreds of
smart card deployments and have never had a customer worry about this, then
simply issue one or more extra smart cards and keep them locked in a safe
somewhere.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
If at first you don't succeed, you must be a programmer.
January 6th, 2011 5:43am
If (for some reason) smart card logon failed (no one can log on to the domain using any smart card), the last chance is to load the domain controllers in Directory Services Restore Mode, disable the smart card requirement for the administrator account, restart the server in normal mode, log on with a password and start the issue investigation/resolution process.
http://en-us.sysadmins.lv
January 6th, 2011 5:53am
Thanks. I thought that in DSRM mode you couldn't perform domain administrative tasks, so you are confirming that if you start in DSRM mode you can disable the smart card requirement for the administrator account; is this a "standard" procedure?
Michele
January 6th, 2011 5:57am
Thanks Paul. So is it possible to issue more than one card for every domain user and keep all of them active, that is, isn't it mandatory to revoke the previous smartcard logon certificate to issue another one for the same user, or maybe you are telling me that the same logon user certificate can be enrolled multiple times, that is on multiple smartcards?
Thank you.
Michele
January 6th, 2011 6:01am
In fact, you can establish the requirement to use smart cards for interactive logon only. So, you can NET USE the domain controller from a non-domain computer with that Administrator's credentials even if that checkbox is set.
The only issue is the password. The system changes the user's password to a random one when you set the "require smart card" option, but does not prevent you from forcibly changing the password later. So, you can change the password for the administrator before your issue occurs and NET USE to the domain from non-domain computers later .)
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
January 6th, 2011 6:05am
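The two replies above turn on one account attribute: the "Smart card is required for interactive logon" flag (userAccountControl bit 0x40000, decimal 262144), whose setting also randomizes the account's password. An administrator who relies on a password-capable break-glass account, as suggested above, should know exactly which privileged accounts carry that flag and which do not. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft; it assumes the ActiveDirectory RSAT module and read access to user objects, and the group list is an assumption you would adjust to your forest.

```powershell
# Added example (not from the thread): report which privileged accounts have the
# "Smart card is required for interactive logon" flag, and which enabled ones do not.
# Assumes the ActiveDirectory module (RSAT) and rights to read user objects.
Import-Module ActiveDirectory

# userAccountControl bit 0x40000 (262144) = SMARTCARD_REQUIRED.
# The LDAP matching rule 1.2.840.113556.1.4.803 performs a bitwise AND.
$scRequiredFilter = '(userAccountControl:1.2.840.113556.1.4.803:=262144)'

# Assumed set of privileged groups; extend for your own environment.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$privileged = $privileged | Sort-Object -Property distinguishedName -Unique

$report = foreach ($member in $privileged) {
    $u = Get-ADUser -Identity $member.distinguishedName `
        -Properties SmartcardLogonRequired, PasswordLastSet, LastLogonDate
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        SmartcardRequired = $u.SmartcardLogonRequired
        # PasswordLastSet moves when the flag randomizes the password and again
        # whenever someone resets it by hand, as the reply above describes.
        PasswordLastSet   = $u.PasswordLastSet
        LastLogonDate     = $u.LastLogonDate
    }
}

"Enabled privileged accounts WITHOUT the smart card requirement (password-capable; treat as break-glass):"
$report | Where-Object { $_.Enabled -and -not $_.SmartcardRequired } | Format-Table -AutoSize

"Enabled privileged accounts WITH the smart card requirement:"
$report | Where-Object { $_.Enabled -and $_.SmartcardRequired } | Format-Table -AutoSize

# Forest-wide count of enabled users that carry the flag, using the LDAP filter directly.
$allRequired = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)$scRequiredFilter)" |
    Where-Object { $_.Enabled }
"Enabled users with SMARTCARD_REQUIRED set: {0}" -f @($allRequired).Count
```

The first table is the list to keep short and documented: every enabled account on it can log on with a password, which is exactly the trade-off the later replies argue about. Run it after any change to the smart card policy so that a forgotten password-capable administrator does not become an unmanaged exception.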
Thank you. Your advice is really appreciated. This is a great way to solve the problem, I would only have to change the randomly generated password to some other strong randomly generated password and save it in an EFS file for the absurd event I described above.
Really thank you.
Michele
January 6th, 2011 6:23am
Oh noes.
You better keep backup administrators' smartcards in a safe .) What's the point of smartcards, if you can still use passwords for the same accounts.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
January 6th, 2011 6:52am
I agree. Nevertheless, there must always be a way to solve even an absurd event quickly; I think this is a rule of all security systems, even the most secure ones, otherwise there is the risk that, with some events occurring, the system is so secure that it can't be used anymore. Don't you think so?
Michele
January 6th, 2011 7:00am
Of course, but the rescue plan should not be absurd, too .))
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
January 6th, 2011 7:04am
Is your advice absurd? :-) I don't think that generating a very long random password is an absurd recovery method; with current computer speeds, if you generate a long random password using all the special characters too, it would take an attacker a very long time to recover the password with a brute force attack, don't you think so?
And, apart from that, there must be a reason Microsoft decided to generate that random strong password instead of disabling it completely.
Michele
January 6th, 2011 7:06am
On Thu, 6 Jan 2011 10:57:55 +0000, Evolve_or_Die wrote:
Thanks Paul. So is it possible to issue more than one card for every domain user and keep all of them active, that is, isn't it mandatory to revoke the previous smartcard logon certificate to issue another one for the same user, or maybe you are telling me that the same user certificate can be enrolled multiple times, that is on multiple smartcards?
You can enroll a user for as many smart cards as you like, there is no
limit. In fact, if you wanted to impose a limit you'd have to use something
like Forefront Identity Manager Certificate Management to do so.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
Another megabytes the dust.
January 6th, 2011 7:24am
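Paul's answer above is that a user may hold any number of enrolled smart card certificates at once, so spare cards kept in a safe are simply additional active certificates. The following PowerShell is an added example for this thread, not code from any poster: it lists, for each member of Domain Admins, the certificates published to the user object's userCertificate attribute that carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2) and counts how many are inside their validity period. It assumes the ActiveDirectory RSAT module, that certificates were published to AD at enrollment (cards enrolled without publishing will not appear), and it checks dates only, not revocation.

```powershell
# Added example (not the thread's own code): enumerate smart card logon certificates
# published to AD for each Domain Admin and count the currently valid ones.
# Assumes the ActiveDirectory module (RSAT). Checks validity dates only, not revocation.
Import-Module ActiveDirectory

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$now = Get-Date

$users = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties userCertificate }

foreach ($u in $users) {
    $certs = foreach ($raw in $u.userCertificate) {
        # userCertificate holds DER-encoded certificates as byte arrays.
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $ekus = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($ekus -contains $SmartCardLogonEku) {
            [pscustomobject]@{
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                NotAfter   = $c.NotAfter
                Valid      = ($c.NotBefore -le $now -and $c.NotAfter -ge $now)
            }
        }
    }
    $activeCount = @($certs | Where-Object { $_.Valid }).Count
    "{0}: {1} smart card logon certificate(s) published, {2} within validity period" -f `
        $u.SamAccountName, @($certs).Count, $activeCount
    $certs | Format-Table Thumbprint, NotBefore, NotAfter, Valid -AutoSize
}
```

A count of two or more valid certificates for an account is what the spare-card approach looks like from the directory side; it is also the number to reconcile against the cards you can physically account for, since any certificate you cannot match to a card in hand is a candidate for revocation.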
Thanks Paul, so yours is another way to solve the problem.
Michele
January 6th, 2011 7:28am
On Thu, 6 Jan 2011 11:19:59 +0000, Evolve_or_Die wrote:
Thank you. Your advice is really appreciated. This is a great way to solve the problem, i would have only to change the random generated password with some other strong randomly generated password and save it on an efs file for the absurd event i described above.
Given your scenario how are you going to open the EFS file containing the
encrypted password?
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
%Disclaimer: Any errors in spelling, tact, or fact are transmission
errors.
January 6th, 2011 8:06am
I would have backed it up in its original encrypted format, so, since I would also have backed up the EFS private key, I would be able to restore it on any Windows Professional OS.
By the way, may I ask you something: how could I administer a domain controller using the net use command like Window.NT.LV suggested?
I mean, I know that I can map shared resources with net use; does this mean that if I mapped the domain controller using the net use command and the domain administrator username and password I would be able to perform any administrative task on the domain controller?
Thanks
Michele
January 6th, 2011 8:34am
On Thu, 6 Jan 2011 13:34:00 +0000, Evolve_or_Die wrote:
I would have backed it up in its original encrypted format, so, since i would have backed up also the efs private key i could have been able to restore it in every windows professional os.
But in your scenario no one in the company can log on.
By the way, may i ask you something, how could i administer a domain controller using the net use command like Window.NT.LV suggested?
You'll have to ask him, I didn't see how that was useful either.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
Any program that runs right is obsolete.
January 6th, 2011 9:33am
Yes, about your reply: I would have backed it up on a removable drive, so there is no need to log on to the domain to use that removable drive.
Michele
January 6th, 2011 9:38am
Just a question.
How could I administer a domain controller using the net use command like you suggested?
I mean, I know that I can map shared resources with net use; does this mean that if I mapped the domain controller using the net use command and the domain administrator username and password I would be able to perform any administrative task on the domain controller?
Michele
January 6th, 2011 9:39am