A new feature of Windows Server 2016 is that the passwords of accounts restricted to smart card logon are renewed automatically according to the password policies.
If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.
The new feature solves this problem by regularly generating new random passwords for the affected accounts (depending on the password policy configured for the account).
Previously, it was necessary to write a script which, for example, briefly removes the option "Smart card is required for interactive logon" and then immediately reactivates it in order to achieve a comparable result.
Activate the option
For the setting to take effect, the functional level of the forest must be Windows Server 2016.
Using the Active Directory Administrative Center, right-click on the domain name and select "Properties".
Then the option "Enable rolling of expiring NTLM secrets during sign in, for users who are required to use Microsoft Passport or smart card for interactive sign on" can be activated.
At the domain level, this sets the msDS-ExpirePasswordsOnSmartcardOnlyAccounts attribute to TRUE.
If the domain was installed with the "Windows Server 2016" functional level, the attribute is already enabled.
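To check the setting and find accounts whose NTLM secret is still old, the following read-only audit can be used. It is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and compares against the default domain password policy only; the 365-day fallback is an arbitrary value chosen for illustration.

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$attr   = 'msDS-ExpirePasswordsOnSmartcardOnlyAccounts'

# The attribute is stored on the domain object itself.
$domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties $attr
$rolling      = [bool]$domainObject.$attr   # an unset attribute evaluates to $false

[pscustomobject]@{
    Domain         = $domain.DNSRoot
    DomainMode     = $domain.DomainMode
    ForestMode     = $forest.ForestMode
    RollingEnabled = $rolling
}

# Assumption: only the default domain policy is evaluated, fine-grained
# password policies are ignored. A MaxPasswordAge of zero means "never
# expires", in which case the constructed 365-day fallback is used.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$cutoff = if ($maxAge -gt [TimeSpan]::Zero) {
    (Get-Date) - $maxAge
} else {
    (Get-Date).AddDays(-365)
}

# Enabled smart-card-only accounts whose secret is older than the cutoff.
# These are the accounts whose NTLM hash has stayed valid the longest.
$filter = 'SmartcardLogonRequired -eq $true -and Enabled -eq $true'
Get-ADUser -Filter $filter -Properties SmartcardLogonRequired, PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, @{
        Name       = 'SecretAgeDays'
        Expression = {
            if ($_.PasswordLastSet) {
                [int]((Get-Date) - $_.PasswordLastSet).TotalDays
            }
        }
    } |
    Sort-Object PasswordLastSet
```

Because the secret is rolled during sign-in, accounts that have not logged on since the option was enabled will still appear in the list.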