Great site by the way!! I am new to PowerShell, and have only written a few scripts. Currently I am working on a logon script that toggles the userAccountControl flag "smart card required". We are doing this to scramble the hash on the domain admin accounts when they log in, so as soon as they log in the hash is no good, and if someone gets it, they have something that is already invalid. This is a home-grown idea to mitigate against Pass-the-Hash. We are going to link this in a GPO to the domain admin OU in Active Directory. The script below works, but the only issue is that I need to check if the account is smart card required first and then toggle the account; if not, then don't. Right now it toggles the account when they log in whether or not it is initially enabled. We have some service accounts that do not have a smart card, so they need to be left alone. The reason I have this go to a file is also because we are emailing out who logged in and that their password was changed.
Note: the reason I am using a foreach is because part of this came from a different script that I was using that pulled in a list of people; now the list is just the single logged-in user. I just didn't trim it down, which I assume I can.
Thank you very much for your help.
Import-Module ActiveDirectory
# The logged-on user (the GPO links this script to the domain admin OU)
$DAdude = $env:USERNAME
# Record who logged on so the notification email can be built from this file
$DAdude >> C:\temp\sctest_output\logged_on_user.txt
# Clear the "smart card required" flag ...
foreach ($dude in $DAdude)
{
    Set-ADUser -Identity $dude -SmartcardLogonRequired:$false
}
# ... then set it again, which makes the DC assign a new random password
foreach ($dude in $DAdude)
{
    Set-ADUser -Identity $dude -SmartcardLogonRequired:$true
}
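One way to add the missing check, as an added example and not the poster's script: read the current SmartcardLogonRequired value with Get-ADUser first, toggle only when it is already set, and re-read the flag afterwards so a failure halfway through the toggle is logged rather than silently leaving the account without smart card enforcement. The log file path is taken from the post; the timestamped log format and the variable names are my own assumptions.

```powershell
# Added example (not the poster's code): toggle the flag only for accounts
# that already require a smart card, leaving password-based service accounts alone.
Import-Module ActiveDirectory

$LogFile        = 'C:\temp\sctest_output\logged_on_user.txt'   # path from the post
$SamAccountName = $env:USERNAME

function Write-Log([string]$Message) {
    # Timestamped line per event; the email job can parse these (assumed format)
    "$(Get-Date -Format o) $SamAccountName - $Message" | Out-File -FilePath $LogFile -Append
}

# SmartcardLogonRequired is the ADS_UF_SMARTCARD_REQUIRED bit (0x40000) of
# userAccountControl; Get-ADUser exposes it as a boolean property.
$user = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired

if (-not $user.SmartcardLogonRequired) {
    Write-Log 'smart card not required, account left unchanged'
    return
}

try {
    # Clearing the flag and setting it again makes the DC assign a new random
    # password, so the NT hash that was just used to log on is invalidated.
    Set-ADUser -Identity $user -SmartcardLogonRequired:$false -ErrorAction Stop
    Set-ADUser -Identity $user -SmartcardLogonRequired:$true  -ErrorAction Stop

    # Confirm the flag ended up where it started before reporting success.
    $after = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired, PasswordLastSet
    if ($after.SmartcardLogonRequired) {
        Write-Log "hash rotated, PasswordLastSet=$($after.PasswordLastSet)"
    } else {
        Write-Log 'WARNING: SmartcardLogonRequired is still false after the toggle'
    }
}
catch {
    # A failed first Set-ADUser leaves the account as it was; a failed second
    # one is caught by the warning above on the next run or by this log line.
    Write-Log "ERROR: $($_.Exception.Message)"
}
```

The logged-on user needs write access to the account's userAccountControl attribute for Set-ADUser to succeed, so watch the log for ERROR lines after linking the GPO.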