I have a hybrid-joined Windows domain and have set up logon with smart cards and Windows Hello for Business. I would like to be able to set file server permissions based on whether a user logged on with a smart card or not. Based on the very limited information I have found, along with some testing, I have found that users are added to the "NT AUTHORITY\This Organization Certificate" (SID S-1-5-65-1) special identity group when they log on with a smart card or WHFB, but not when they log on with a username/password.
My problem is that I cannot find "This Organization Certificate" in the Select Users, Computers, Service Accounts, or Groups dialog from a computer on the domain (it does show up on a non-joined computer). When I search for "This", the only thing that comes up is "This Organization".
I also feel there is a good chance I'm missing something blindingly obvious about what I'm trying to do, because the "Key Property Multi-factor Authentication" special identity group worked fine for WHFB, just not for smart cards.
So far I've looked at these solutions:
- Adding "This Organization Certificate" to the Well Known Security Principals in ADSI Edit (Configuration partition). I have not found much guidance on doing this (or on whether it is possible), but I believe I figured out the mandatory attributes. I am getting an "Illegal modify operation" error: 0x2077 UpdErr: DSID-0305149b, problem 6002.
- Finding a way to specify the group by its SID.
- Determining why smart card logon doesn't add the user to "Key Property Multi-factor Authentication" (I just thought of that while typing this).
As you might infer, I'm jumping in at the deep end trying to figure this out, so if there are any good books or sites you can recommend, that would be helpful too.
Thanks
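One way to pursue the second option from the list above (granting by SID instead of through the object picker), as an added example that is not part of the original post. NTFS access control entries store a SID, not a name, so the ACE can be built directly from a SecurityIdentifier object without the picker ever resolving "This Organization Certificate". The folder path and the Modify right are assumptions for illustration; the SID value S-1-5-65-1 is the one named in the post.

```powershell
# Added example, not from the original post.
# Grants a folder permission to the "This Organization Certificate" special
# identity by SID (S-1-5-65-1, as given in the post) and then checks whether
# the current logon token actually carries that SID.

$FolderPath = 'D:\Shares\SmartCardOnly'   # assumed path, change to suit
$SidValue   = 'S-1-5-65-1'                # "NT AUTHORITY\This Organization Certificate" per the post

# Build the SecurityIdentifier directly; no name lookup is required.
$Sid = New-Object System.Security.Principal.SecurityIdentifier($SidValue)

# Purely informational: show whether this host can render the SID as a name.
# A failure here does not prevent the ACE from being written.
try {
    $FriendlyName = $Sid.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    $FriendlyName = '<not resolvable on this host>'
}
Write-Host "Granting $SidValue ($FriendlyName) Modify on $FolderPath"

# Allow ACE: Modify rights, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$Acl = Get-Acl -Path $FolderPath
$Acl.AddAccessRule($Rule)
Set-Acl -Path $FolderPath -AclObject $Acl

# Verify: list the ACEs whose identity resolves to our SID. IdentityReference may be
# displayed as a name or as the raw SID depending on what the host can resolve.
(Get-Acl -Path $FolderPath).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $SidValue
    } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType

# Check the caller's own token: run this in the session under test (smart card
# vs. password logon) to see whether S-1-5-65-1 is present in the group list.
$TokenHasSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains $SidValue
Write-Host "Current token contains $SidValue : $TokenHasSid"
```

The last check inspects the interactive token on the machine where the script runs. The file server makes its own decision from the token it builds for the SMB session, so the useful test is to write the ACE on the server and then compare access from a smart card session and a password session, which is what the post describes trying.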