active-directoryauthenticationwindows 7
There has been various blogs, MSDN pages, posts, etc. about Windows 7 and Windows 2008 R2 supporting biometric authentication built-in (or so it seems). (http://technet.microsoft.com/en-us/library/dd759228.aspx) In Windows 7 and Windows 2008 R2 it includs some group policy settings for it also.
Anyone know how to enable it to work with Active Directory? So that it shows up on the logon screen or UAC prompt?
Try this (on the client computer):
Login locally using a user with administrator privileges.
Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.
Open a command prompt window and type the following command to find the profile name of your wireless network: netsh wlan show profiles
Let's say the profile to use in the example is "office-network". Open regedit and look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Create a new String Value (REG_SZ) at that location, and name it anything you want (i.e. WIFI_Connect), and enter the following command string: %comspec% /c netsh wlan connect name="<profile name>" where profile name in our example would be "office-network".
Reboot the laptop for this to take effect.
If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon. A full description of what this policy does is present on the dialog when you edit it. (It's too long to paste here).
If it still says it cannot find a valid domain, it could be a DNS issue. Make sure that the wireless router providing you the connection is setup to provide the proper DNS servers over DHCP, and that the domain can be resolved with them.
If not of that works, I don't know what is wrong, but it's nothing obvious. Every KB I've read so far point to this solution, and it seems to work well for others.
Do this on the "Default Domain Controller" Policy to apply to the DC's
Best Answer
Windows 7 provides a device abstraction layer such that, assuming your fingerprinter reader's manufacturer has written the appropriate driver software, the reader itself will "just work" with Windows. Microsoft's goal in doing this was to provide a consistent user experience re: enrolling biometric data. (The "provider" functionality in Windows 7 supports only fingerprints. The framework is extensible, by Microsoft, to support other types of biometric data, but only fingerprint UI has been added in Windows 7. No retinal scanners for you... >smile<)
From the scant articles that I'm finding, it appears that the biometric-based logon becomes available after at least one user has "enrolled" their fingerprints, and will work for both local user accounts and domain user accounts.
It's unclear to me where Microsoft is actually storing the biometric data and the user's password. Since it has to be accessible prior to logon, my guess is that they're encrypting it with some machine-specific key and packing it away in the computer's registry somewhere. (Yeah-- per this article that appears to be what's happening...)
It certainly looks like Microsoft hasn't thought at all about how to deploy this functionality across groups of computers. I see no method for "pre-loading" biometric data into groups of machines. My guess is that if, for example, you wanted "enterprise-wide" biometric logon capability you'd need each employee to "enroll" their fingerprints on each computer they were going to logon to.
If, indeed, centralized biometric credential distribution (which, arguably, presents a lot of fun security challenges) isn't a part of the biometric authentication functionality in Windows 7 then, arguably, it's of little use.