Enable this group policy to require smart card login.
When this policy is enabled, no user can log in to the machine with only a username and password. The "Enable smart card support" policy must also be enabled for this policy to take effect.
Once enabled, this policy takes effect dynamically at the next group policy refresh interval.
Exception groups are groups that are exempted from this policy. Users in these groups can still log in with their AD username and password.
The machine must be in connected mode in order for any group membership changes to take effect immediately.
Note that "Smart card is required for interactive logon" must be disabled in the user's Active Directory account options for the exception group to work; if that account option is set, the domain controller rejects the password logon regardless of this policy.
Note: When a smart card user is a member of an exception group and logs in with the AD username and password, the message "The system was unable to unlock your login keychain" may appear. This happens because the login keychain is protected with the smart card PIN, and the AD password the user just entered cannot unlock it. If the user's membership in the exception group is temporary, the user should click "Continue Log In" and enter the smart card PIN at the "security wants to use the 'login' keychain" prompt.
| Setting | Value |
| --- | --- |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security |
| Value Name | SmartCardLoginForce |
| Value Type | REG_SZ |
| Enabled Value | true |
| Disabled Value | false |
| Setting | Value |
| --- | --- |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security |
| Value Name | SmartCardLoginForceExceptionGroup |
| Value Type | REG_SZ |
| Default Value | |
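The following PowerShell script is an added example, not Centrify's own code or part of this policy's documentation. It sets the two registry values listed above in a GPO using the RSAT GroupPolicy module, reads them back for audit, and then checks the exception group for the account-level conflict described in the notes (members who still have "Smart card is required for interactive logon" set). The GPO name, the exception group name, and the value format for SmartCardLoginForceExceptionGroup (assumed here to be a group name) are placeholders and assumptions; the registry value for the "Enable smart card support" policy is not listed on this page, so it is not set here.

```powershell
# Added example (not Centrify code). Assumes RSAT GroupPolicy and
# ActiveDirectory modules, and that the GPO and exception group already exist.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName        = 'Mac Smart Card Policy'       # hypothetical GPO name
$ExceptionGroup = 'Mac-SmartCard-Exceptions'    # hypothetical AD group name
# Registry path from the tables above, under HKEY_LOCAL_MACHINE.
$PolicyKey      = 'HKLM\Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security'

# 1. Enable the policy (REG_SZ "true") and name the exception group.
#    The exact value format for the exception group is an assumption here.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'SmartCardLoginForce' -Type String -Value 'true'
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'SmartCardLoginForceExceptionGroup' -Type String -Value $ExceptionGroup

# 2. Read the values back so the change can be verified before the next
#    group policy refresh picks it up on the Mac.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Type, Value

# 3. Members of the exception group must NOT have "Smart card is required for
#    interactive logon" set on their AD account, or the exception has no effect.
$conflicts = Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object SmartcardLogonRequired

foreach ($u in $conflicts) {
    Write-Warning ("{0} is in {1} but has 'Smart card is required for interactive logon' enabled; " +
                   "clear it with: Set-ADUser {0} -SmartcardLogonRequired `$false") -f $u.SamAccountName, $ExceptionGroup
}
```

Run the script from a domain-joined Windows host with GPO edit rights. The conflict check matters because the page says the exception group only works when the account option is disabled; clearing the option with `Set-ADUser -SmartcardLogonRequired $false` re-enables password logon for that account at the domain level, so keep the exception group small and remove users from it when the temporary exception ends.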