Last active
March 30, 2021 00:28
-
-
Save AfroThundr3007730/40fd6d719ad101c5153dc366f75bd2ae to your computer and use it in GitHub Desktop.
Script to enforce Smart Card logon for accounts not in an exemption group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Start-Transcript C:\ProgramData\smartcard-enforcement.log -Append | |
| function accountFilter($accountList) { | |
| # Filter out system principals and exempt accounts | |
| return $accountList | Where-Object { | |
| # These can't use a smart card | |
| $_.DistinguishedName -notmatch "Service Accounts" -and | |
| $_.DistinguishedName -notmatch "Admin Accounts" -and | |
| $_.DistinguishedName -notmatch "DA Accounts" -and | |
| # Builtin and system principals | |
| $_.Name -notmatch "defaultaccount" -and | |
| $_.Name -notmatch "instructor" -and | |
| $_.Name -notmatch "krbtgt" -and | |
| $_.Name -notmatch "guest" -and | |
| $_.Name -notmatch "mail" | |
| } | Sort-Object | |
| } | |
| $exemptUsers = (Get-ADGroup CLO-Exempt -Properties Members).Members | |
| $scEnabledUsers = Get-ADUser -Filter { SmartcardLogonRequired -eq $true } | |
| $scDisabledUsers = accountFilter (Get-ADUser -Filter { SmartcardLogonRequired -eq $false }) | |
| # List the users exempted from Smart Card logon | |
| Write-Host 'Users currently exempted from Smart Card logon:' | |
| foreach ($user in $exemptUsers) { Write-Host " -" $user } | |
| # Enforce Smart Card logon for all non-exempt users | |
| foreach ($user in $scDisabledUsers) { | |
| if ($ExemptUsers -notcontains $user) { | |
| Write-Host 'Enforcing Smart Card required status for user:' $user.Name | |
| Set-ADUser -Identity $user -SmartcardLogonRequired $true -Confirm:$false | |
| } | |
| } | |
| # Refresh NTLM hash for current Smart Card users (functional level <2016) | |
| # For 2016: Get-ADDomain -Current 1 | Set-ADDomain -PublicKeyRequiredPasswordRolling $true | |
| if (!(Get-ADDomain -Current 1).PublicKeyRequiredPasswordRolling)) { | |
| $LastReset = 'C:\Windows\SYSVOL\domain\scripts\.last-reset' | |
| if ((Get-ChildItem $LastReset).LastWriteTime -lt (Get-Date).AddDays(-60)) { | |
| foreach ($user in $scEnabledUsers) { | |
| Write-Host 'Bumping Smart Card required status for user:' $user.Name | |
| Set-ADUser -Identity $user -SmartcardLogonRequired $false -Confirm:$false | |
| Set-ADUser -Identity $user -SmartcardLogonRequired $true -Confirm:$false | |
| } | |
| Write-Output $null > $LastReset | |
| } | |
| } | |
| Stop-Transcript |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment