Set up a smart card for user logon to windows server 2012 R2

Good Evening,
I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
Is it possible to successfully set up smart card logon to a server? I already have the smart card reader, the smart card and the certificate (which is also my digital signature). I know how to set up a DC role (as far as I know, the server has to be in a domain to use smart card logon). I would like to log on to my PC using a smart card, and to use the certificate I already have as the certificate for logon.
Kind Regards,
Tomasz

It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
If you don't have an Active Directory running, you will also need to make some accommodations to the standard guides. I don't believe there are any published guides on how to do this with a single server and third-party CAs.
Here are some references for generic smart card authentication. They are not 100% applicable to your need, so some interpretation is going to be needed.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

Similar Messages

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts' advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings I am concerned about:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, e-mail is hosted on MS Office 365 and the OST file size of a few users is more than 25 GB. So, in case a user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where the Outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can't be redirected, because Folder Redirection cannot redirect AppData\Local or LocalLow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • What share/NTFS permissions do I have to set up for user profile disks on Server 2012 R2?

    Please, let me know.
    Regards!
    Lasandro Lopez

    Hi Lasandro,
    As far as I know, share permissions for UPD are automatically set up by the management tools.
    Besides, regarding how to install and configure UPD, the following article can be referred to as reference.
    Installing and Configuring User Profile Disks (UPD) in Windows Server 2012
    https://social.technet.microsoft.com/wiki/contents/articles/15304.installing-and-configuring-user-profile-disks-upd-in-windows-server-2012.aspx
    In addition, regarding UPD, the following article can be referred to for more information.
    Easier User Data Management with User Profile Disks in Windows Server 2012
    http://blogs.msdn.com/b/rds/archive/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012.aspx
    Best regards,
    Frank Shen

  • How do I get a reliable schedule for automatic update in Windows Server 2012 R2?

    I don't understand why MS broke the automatic update in Windows Server 2012 R2. In previous versions, I used to set it for automatic updates - Saturdays at 2AM. I can no longer pick a weekly update in the GUI, and the time seems to have no impact on its capricious reboots due to updates. It might happen 2 days later at noon. The best option for now is to just shut off the automatic updates, but I'm reading this issue has been around since 2012 R1. There supposedly is a fix/patch for 2012, but it doesn't say if the patch is for 2012 R2, and the automatic updates haven't installed a fix that actually fixes what is broken with the automatic updates.
    Why even leave the GUI for automatic updates if it doesn't mean anything?
    Is there a simple registry key I can change so updates occur according to the schedule that you created in the GUI? Please no PowerShell - worst crutch MS ever created to not fix their own GUI.
    I'm seeing people have tried some advanced workarounds using GPO, but many said those don't work reliably either on hosts or domain controllers.

    This may explain:
    http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx
    http://blogs.technet.com/b/wsus/archive/2013/06/11/wsus-blog-managing-updates-with-deadlines-in-an-era-of-automatic-maintenance.aspx
    Don

  • Web Access for Remote Desktop on Windows Server 2012

    Hello,
    I've a Windows Server 2012 without a domain. So I installed the Remote Desktop Session Host, the Remote Desktop License Server and the Remote Desktop Gateway as a server role only. All is working fine. Without a domain, no management tools for Remote Desktop are available. So I configure Remote Desktop via the registry. I define (via registry) some RemoteApps, too. All values are copied from a running Windows Server 2008 R2. So the RemoteApps are running.
    Now I want to use the new Microsoft Remote Desktop client for Android. To use a RemoteApp I must define a remote resource. To define a remote resource I need a URL to the Web Access for Remote Desktop. So I installed the Web Access. But if I log in to the Web Access, I don't see any RemoteApp. What's wrong? I've set ShowInTSWA to 1. What must I do to access an existing RemoteApp via Web Access?
    Martin

    Hi Martin,
    Server 2012 RD Web Access is designed to retrieve published RemoteApps and Desktops from a Server 2012 RD Connection Broker and/or a Server 2008 R2 RD Session Host server. From your description it doesn't appear that you are using either of the above.
    I know it is a more complicated setup, but you should consider having a domain, creating an RDS deployment, etc., so that you can use the full feature set as it was intended. You can do it all on a single server if needed. For Server 2012 there is a hotfix that needs to be applied to permit RD Connection Broker to work on the same server instance as Active Directory.
    -TP

  • Restore deleted AD User Account in Windows Server 2012

    Good day.
    I know Windows Server 2012 has an Active Directory Recycle Bin feature; however, upon enabling the feature it doesn't display the deleted user account I had deleted prior to enabling the feature. Is this normal? Does the feature only display deleted AD objects after you have enabled it? Is there another way to display those objects? Thanks in advance.

    Hi James,
    Yes, you should have a valid system state backup to perform an authoritative restore.
    In case you don't have any system state backup, you can use ADRestore to restore tombstoned objects. When an object is deleted from Active Directory, it isn't actually removed but is instead marked as deleted by an internal marker called a tombstone.
    Note: ADRestore cannot restore the group membership for a user. Meanwhile, not all attribute data can be restored.
    http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx
    Regards,
    Rafic
    No, he can _not_: there are no tombstones when the Recycle Bin is enabled, and recycled objects cannot be restored/reanimated.
    Christoffer Andersson – Principal Advisor

  • Programmatic webdav/unc access requires user logon to windows server 2008 R2

    I have an automated process (a .NET Windows service) that connects to a SharePoint document library via a UNC path (\\mysharepointsite\doclib). When the machine is rebooted, accessing this folder results in a System.IO.IOException: "The network name cannot be found".
    However, if we log into the Windows Server 2008 R2 machine under the account that the service is running as, it starts working, and continues to work even when we log out. It continues to work until we reboot the computer.
    I've already run into and solved other user-centric fixes for 2008. For example, the "Desktop Experience" feature is required to browse the path at all, and unchecking "automatically detect settings" significantly speeds up browsing of these paths.
    However, I'm not sure what user logon initializes that would be fixing this problem.

    I can further simplify this.  The following command will fail initially:
    dir \\myspserver\mypath
    However, running the same command after browsing to the same path in Windows Explorer succeeds. At this point I've eliminated the programming as an issue, so I will try to post a similar question on TechNet. However, please let me know if anybody has any further info.

  • Firefox Settings for users in a Windows Server 2008/Win 7 Environment

    I am currently building images of Windows 7 with Firefox 4 for use on our machines. We use Windows Server 2008 to apply user settings. I am looking for a way that I can provide bookmarks, change some of the default settings, and remove the start-up splash screens for Firefox. It turns out that each time a unique user logs into a computer, they have to walk through these splash screens, and the settings revert back to defaults, and the bookmarks are gone. We have several thousand users on our network, so any help fixing this issue would be appreciated.

    Generally it is the browser service that populates network neighborhood. This technology is no longer used with newer OS like server 2008, windows 7/8.
    Description of the Microsoft Computer Browser Service
    Regards, Dave Patrick

  • Auto start a program without logon on Windows Server 2012

    I develop software that starts at server startup without login. It works fine with older versions of Windows Server (2003, 2008); with 2012 my executable program starts only when a session is opened (administrator or user).
    My program uses a 32-bit architecture; it is found in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    How can I make my program start automatically after any system reboot without logon?
    Thank you for your cooperation

    Make it a service and configure it to start automatically.
    tim

  • ADM templates for office 2003 on Windows server 2012

    Hi Guys,
    I am planning to upgrade from Server 2003 to Server 2012, but we will still be using Office 2003.
    Can I install the Office 2003 ADM templates on Server 2012?
    Many thanks for your help
    Theo

    Yes, the templates can still be installed in the policy store or on a computer running GPMC and added in on 2012.
    They will process fine.
    Although, on a side note, I think Office 2003 is out of support - or due to be - so you might want to look at upgrading that too in the near future.
    Regards,
    Denis Cooper

  • How to allow more than two users on remote desktop on windows server 2012 foundation?

    I have a Dell PowerEdge T300 server with Windows Server 2012 Foundation. I am unable to connect more than two remote desktop sessions at once.

    Hi,
    Add to Brain, you cannot have more than 15 user accounts in Windows Server 2012 Foundation.
    In order to access a hosted application, such as Microsoft® Office, a license for Windows Server 2012 Remote Desktop Services is required for each user account (not to exceed 15 user
    accounts) that directly or indirectly uses RD Gateway to host a graphical user interface, including using Remote Desktop Connection (RDC) client. When using Remote Desktop Services, you may not install or use Remote Desktop Connection Broker or Remote
    Desktop Virtualization Host role services. For more information about Remote Desktop CALs, see http://go.microsoft.com/fwlink/?LinkId=140238.
    http://technet.microsoft.com/en-us/library/jj679892.aspx
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Multi-Hypervisior Manager support for Windows Server 2012 R2

    Hi,
    I am attempting to connect to a Windows Server 2012 R2 Hyper-V host and am getting the following error message.
    "Unable to Connect to host hyper01"
    I have tested and can connect to a Windows Server 2012 without issue. I checked the documentation for support, and whilst Windows Server 2012 R2 is not listed as supported I wanted to ensure I wasn't making an error.
    If it is indeed not supported at this moment, is there a viable alternative?
    Many Thanks
    Tristan

    Hi,
    Windows 2012 R2 is not supported by MHM 1.x. Please take a look at http://www.vmware.com/pdf/vcenter-multi-hypervisor-manager-11-guide.pdf, page 9, "vCenter Multi-Hypervisor Manager Software Requirements" section.
    For your convenience I'm pasting the list of supported third-party hypervisors:
    Microsoft Hyper-V Server 2012
    Microsoft Hyper-V for Windows Server 2012
    Microsoft Hyper-V Server 2008 R2
    Microsoft Hyper-V for Windows Server 2008 R2
    Microsoft Hyper-V for Windows Server 2008
    Regards,
    -Ilko

  • The use only smart cards for several hundred users

    How can I, as soon as possible, enforce smart card only logon for a few hundred users? I also have a group of people who should be allowed to use both a login and password and a smart card. Using a GPO on the computer, it would be applied to the station, and I would like it applied just to the user. I know that the smart card option can be selected for a user, but how do I do it automatically for a group of people (several hundred)?

    I would use an LDAP query via GUI tools (like the AD Administrative Center) or console tools (Active Directory PowerShell module) to get the target users using some filter and enable the smart card checkbox. GPO cannot be used to make changes in AD.
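    The approach in the answer above, written out as an added example (not from the thread or its authors): members of one AD group get the "Smart card is required for interactive logon" flag, members of a second group keep the choice of password or card, and the run is a dry run until -WhatIf is removed. Both group names are placeholders.

```powershell
# Added example: enforce smart card logon for one group via the AD PowerShell module.
# Group names are placeholders; adjust to your directory.
Import-Module ActiveDirectory

$RequireGroup = 'SmartCard-Required-Users'   # placeholder: users who must use a card
$ExemptGroup  = 'SmartCard-Optional-Users'   # placeholder: may keep password or card

# Resolve the exempt users once, so a user who is in both groups is not locked to the card.
$exempt = @(Get-ADGroupMember -Identity $ExemptGroup -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty DistinguishedName)

# Target: group members that do not already require a card and are not exempt.
$targets = Get-ADGroupMember -Identity $RequireGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired -and ($exempt -notcontains $_.DistinguishedName) }

# -SmartcardLogonRequired flips the same userAccountControl bit as the ADUC checkbox.
# Once set, the DC replaces the account password with a random value, so password
# logon stops working everywhere for these users until the flag is cleared again.
# Dry run first; remove -WhatIf to apply.
$targets | Set-ADUser -SmartcardLogonRequired $true -WhatIf

# Verify afterwards: number of (non-exempt) accounts in the group still without the flag.
Get-ADGroupMember -Identity $RequireGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired -and ($exempt -notcontains $_.DistinguishedName) } |
    Measure-Object | Select-Object -ExpandProperty Count
```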

  • Use smart card for 802.1x secured WiFi authentication

    Hi,
    is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
    I have set up a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi access point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: the user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly and granted access.
    To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
    certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
    fails.
    As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
    the local client computer configuration or in the Safenet software on the client computer.
    I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
    Does anybody have experience with creating 802.1x secured WiFi access with smart card based user certificates who could advise?
    Thanks + Best Regards
    Matt

    Hi,
    I found some links from the TechNet site which can be helpful in this case.
    Network access authentication and certificates
    http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
    Enable smart card or other certificate authentication
    http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
    Quote:
    Client certificate requirements
    With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
    The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
    by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
    The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
    For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
    For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name.
    Yolanda Zhu
    TechNet Community Support
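    To check a token's certificate against the requirements quoted above before blaming NPS or the client software, here is an added example (not from the thread or Microsoft's documentation) that inspects every certificate with a private key in the current user's personal store: Client Authentication EKU (1.3.6.1.5.5.7.3.2, from the quote), a UPN in the SAN, and a chain to a trusted root. It also reports the Smart Card Logon EKU, which the interactive logon question at the top of this page depends on; the Format() text match for the UPN assumes an English-language system.

```powershell
# Added example: report EAP-TLS / smart card logon relevant properties of client certificates.
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # Client Authentication (quoted requirement)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon (Microsoft EKU)

function Test-ClientAuthCert {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        # EKU OIDs as strings; stays empty when the extension is absent.
        $ekus = @()
        foreach ($ext in $Cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # SAN UPN. Format() output is locale dependent; on English systems the
        # otherName entry renders as "Principal Name=user@domain".
        $upn = $null
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }

        # Chain to a trusted root with online revocation checking, as CryptoAPI does.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($Cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Note: for interactive smart card logon the issuing CA must additionally be
        # trusted by the domain controllers (NTAuth store); that is not checked here.
        [pscustomobject]@{
            Subject           = $Cert.Subject
            Thumbprint        = $Cert.Thumbprint
            HasPrivateKey     = $Cert.HasPrivateKey
            ClientAuthEku     = ($ekus -contains $ClientAuthOid)
            SmartCardLogonEku = ($ekus -contains $SmartCardLogonOid)
            SanUpn            = $upn
            ChainTrusted      = $chainOk
            ChainStatus       = $chainStatus
            EapTlsCandidate   = [bool]($Cert.HasPrivateKey -and ($ekus -contains $ClientAuthOid) -and $upn -and $chainOk)
        }
    }
}

# A plugged-in token's certificate is surfaced into this store by the token middleware.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Test-ClientAuthCert | Format-List
```

    Run it once with the token unplugged and once with it plugged in; a certificate that shows EapTlsCandidate = True in both runs is a registry-based copy, not the token's key.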

  • Using Smart Cards for SSPR

    I'm working on ForeFront Identity Manager 2010. I'd like to enable AD users to use Smart Cards to reset their passwords. I watched this video www.youtube.com/watch?v=b4aGLnZHZN4. From this video (minute 2), it's said that we could use smart cards to authenticate
    to Self-service Password Reset instead of Q/A gate.
    I looked at ForeFront Identity Manager Portal but I couldn't find where to configure to use Smart Cards for this purpose. I only found "SMS authentication gate" and "Question and Answer Gate". Can somebody help me?
    Thanks,
    Hai

    I am still interested in clients or other inquiries on this subject.
