Windows Shared User Accounts with smart cards

Tags: smartcard, windows 7

I'm looking for a way to use smart cards to lock and unlock windows workstations used by shared user accounts.

1) We want to lock/unlock the shared user account with each user's personal staff card.

2) In specific areas we want to lock the workstation but leave the screen showing the active session/programs. It should be as if only the keyboard and mouse don't work while the card is not in the card reader.

Normally we can have a policy locking the account when the card is removed from its reader. However, in this case we have several groups of people sharing a single login to access various resources. We want a single user to be able to unlock several different shared user accounts, say an engineer or supervisor who has a larger area of responsibility.

Best Answer

For #1, your options are either to:

  1. Create a shared user account that can log on to specific workstations and then use user account certificate mapping to map smartcard certificates from specific users to that shared account.

  2. Go with what Greg Askew said and add a second shared identity to the smartcard that users then select when they're logging on.

For requirement #2, I'm not sure what would do that outside of some custom coding. It sounds like you want to trigger some sort of kiosk mode when a smartcard is removed. If all you want is to show a list of logged on users, you could set the smart card removal behavior to Lock Workstation and then make sure the "Interactive logon: Display user information when the session is locked" GPO is configured.

If you truly want to just disable mouse/keyboard on smartcard removal, I think your only option is to write some code to talk to the Windows API and watch for those events using the SCardGetStatusChange function per MSDN and this StackExchange post.
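Added example of the approach the answer describes (not code from the original post): a PowerShell script that P/Invokes SCardGetStatusChange to wait for card removal and insertion on the first PC/SC reader, and uses BlockInput to disable keyboard and mouse while the card is out. It assumes the first reader returned by SCardListReaders is the staff-card reader; BlockInput needs an elevated process, and Ctrl+Alt+Del always cancels the block, so this is a convenience layer, not a security boundary (LockWorkStation remains the hardened option).

```powershell
# Added example, not part of the original answer. Waits on SCardGetStatusChange
# for the first PC/SC reader and blocks input while no card is present.
# Assumes: first listed reader is the staff-card reader; script runs elevated.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class SC {
  public const uint SCARD_SCOPE_USER = 0, SCARD_STATE_UNAWARE = 0,
    SCARD_STATE_EMPTY = 0x10, SCARD_STATE_PRESENT = 0x20, INFINITE = 0xFFFFFFFF;
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct READERSTATE {               // mirrors SCARD_READERSTATEW
    public string szReader; public IntPtr pvUserData;
    public uint dwCurrentState, dwEventState, cbAtr;
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)] public byte[] rgbAtr;
  }
  [DllImport("winscard.dll")] public static extern int SCardEstablishContext(
    uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
  [DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr ctx);
  [DllImport("winscard.dll", CharSet = CharSet.Unicode)] public static extern int
    SCardListReaders(IntPtr ctx, string groups, byte[] readers, ref uint chars);
  [DllImport("winscard.dll", CharSet = CharSet.Unicode)] public static extern int
    SCardGetStatusChange(IntPtr ctx, uint timeout, [In, Out] READERSTATE[] rs, uint n);
  [DllImport("user32.dll")] public static extern bool BlockInput(bool block);
}
'@
$ctx = [IntPtr]::Zero
if ([SC]::SCardEstablishContext([SC]::SCARD_SCOPE_USER, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx) -ne 0) {
    throw 'Smart Card service (SCardSvr) is not available'
}
try {
    # SCardListReaders fills a double-NUL-terminated multi-string; take the first reader name.
    [uint32]$chars = 0
    [void][SC]::SCardListReaders($ctx, $null, $null, [ref]$chars)
    $buf = New-Object byte[] ($chars * 2)
    if ([SC]::SCardListReaders($ctx, $null, $buf, [ref]$chars) -ne 0) { throw 'No smart card reader attached' }
    $reader = ([Text.Encoding]::Unicode.GetString($buf) -split "`0")[0]
    $rs = New-Object 'SC+READERSTATE'
    $rs.szReader = $reader; $rs.rgbAtr = New-Object byte[] 36
    $rs.dwCurrentState = [SC]::SCARD_STATE_UNAWARE   # first call returns the current state at once
    $states = New-Object 'SC+READERSTATE[]' 1
    while ($true) {
        $states[0] = $rs
        $rc = [SC]::SCardGetStatusChange($ctx, [SC]::INFINITE, $states, 1)
        if ($rc -ne 0) { throw ('SCardGetStatusChange failed: 0x{0:X8}' -f $rc) }
        $ev = $states[0].dwEventState
        if ($ev -band [SC]::SCARD_STATE_EMPTY) { [void][SC]::BlockInput($true); "${reader}: card removed, input blocked" }
        elseif ($ev -band [SC]::SCARD_STATE_PRESENT) { [void][SC]::BlockInput($false); "${reader}: card present, input restored" }
        $rs.dwCurrentState = $ev   # report what we have seen so the next call blocks until the next change
    }
} finally { [void][SC]::BlockInput($false); [void][SC]::SCardReleaseContext($ctx) }
```

Because the loop passes the last dwEventState back as dwCurrentState, SCardGetStatusChange returns only on a real transition rather than spinning; the same loop can drive LockWorkStation instead of BlockInput where a true lock is acceptable.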