RSA Local Logon
Still have the problem with RSA smartcards in which a user with a smartcard can plug it into a physical server and log on even though they do not have the rights to log on to that server. They are not local admins. It's as if the RSA is bypassing all other security.

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 17th, 2012 3:36pm

Hi,

In your other thread, this problem was solved by enabling the "smartcard is required" option and applying KB909520 on some of the servers. So, does the issue reoccur? Have you tried Vadims' suggestions in that thread?

Regards,
Bruce
April 19th, 2012 5:03am

1) Some user accounts are not domain admins, yet they are still able to log in locally. They are also not local admins on the servers.
2) KB909520 was installed on some servers. I would have to check with client to see if these particular servers have the update.
3) The "smartcard is required" option? Are you referring to the check box in Active Directory Users & Computers? If so, that is enabled.
4) As for the RSA cards and settings, I would have to ask them as I don't have access to that anyway.

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 25th, 2012 8:13am

Hi,

I think by default all users can log on locally to a server. Did you check if the user can log on with credentials (username, password), not with a smart card? I think you have to configure a Deny logon locally policy through GPO.

Hope this can help.

Renato Kurti CCNA, CCNP Security, CCAI, MCP, MCTS, MCITP:EA, MCT
April 25th, 2012 11:02am
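
The two user rights the reply above refers to ("Allow log on locally" and "Deny log on locally") can be read straight from a server's effective local security policy. The PowerShell below is an added example, not code from the thread; it assumes an elevated session on the server being checked, and the helper name `Resolve-Principal` and the temp file name are illustrative.

```powershell
# Added example: list which principals hold the local-logon user rights on this server.
# Assumption: run from an elevated PowerShell session on the server in question.
$cfg = Join-Path $env:TEMP 'user_rights.inf'      # illustrative temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants for console (interactive) logon and their policy names.
$rights = @{
    'SeInteractiveLogonRight'     = 'Allow log on locally'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-..." and unresolved names as plain text.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }                          # orphaned SID: show it raw
}

foreach ($line in Get-Content $cfg) {
    if ($line -match '^(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $right = $rights[$Matches[1]]
        foreach ($entry in $Matches[2].Split(',')) {
            if ($entry.Trim()) {
                [pscustomobject]@{
                    Right     = $right
                    Principal = Resolve-Principal $entry
                }
            }
        }
    }
}
Remove-Item $cfg
```

A right that does not appear in the output has no principals assigned on that server. Compare the listed groups with the group memberships of the affected accounts to see which assignment admits them.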

If we disable the "smartcard is required", then the users cannot log on to the servers, which is correct since they are not local admins on them. So we would have to configure a Deny GPO? Wow. That could be a lot of work because each server would have to be evaluated to determine whether or not someone should be able to log on. If this is true, why does it happen with smartcard logons? Why doesn't the logon also evaluate what rights the user has to the local machine?

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 25th, 2012 11:30am

Hmm, I don't see any connection between authentication method and user rights. If you can't log on with username/password, it means you don't have to set up any GPO.

Renato Kurti CCNA, CCNP Security, CCAI, MCP, MCTS, MCITP:EA, MCT
April 25th, 2012 12:06pm

Well, that's what I am getting at. The users have no rights to log on to the machine either locally or through RDP. However, when the "smartcard is required" is enabled on their accounts, they can log on.

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 25th, 2012 12:10pm

This topic is archived. No further replies will be accepted.
