Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords of accounts that are required to log on with a smart card are automatically renewed according to the password policy.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of that account is set to a random value once. However, the password never changes after that, so the account's NT hash stays the same indefinitely. A hash that is stolen once (for example from a compromised workstation's LSASS memory) therefore remains usable for pass-the-hash attacks for as long as the account exists.

The newly introduced feature solves this problem by generating a new random password for such accounts on a regular basis, depending on the password policy that applies to the account. The roll is triggered during the user's sign-in once the current password is older than the policy's maximum password age, so a policy without a maximum age rolls nothing, and an account that nobody signs into keeps its old hash.

Previously, it was necessary to write a script which, for example, briefly removed the option "Smart card is required for interactive logon" and then immediately reactivated it in order to achieve a comparable result, because re-setting the option makes the domain controller generate a fresh random password.
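The following PowerShell script illustrates that older workaround. It is an added example and not a script from the original article; it assumes the ActiveDirectory RSAT module and rights to modify the affected accounts, and it selects smart-card-only accounts via the SMARTCARD_REQUIRED bit (0x40000) of userAccountControl rather than via a convenience filter.

```powershell
# Added example (not from the original page): the pre-2016 workaround.
# Toggling "Smart card is required for interactive logon" off and back on makes
# the domain controller generate a new random password, which changes the NT hash.
# Assumes the ActiveDirectory module (RSAT) and write access to the accounts.
Import-Module ActiveDirectory

# Enabled accounts with userAccountControl bit 0x40000 (SMARTCARD_REQUIRED, 262144)
# and without bit 0x2 (ACCOUNTDISABLE). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(userAccountControl:1.2.840.113556.1.4.803:=262144)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$users = Get-ADUser -LDAPFilter $ldap -Properties PasswordLastSet

foreach ($u in $users) {
    $before = $u.PasswordLastSet

    # Clearing the flag re-enables password logon for a moment; set it straight back.
    # Both writes go to the same DC, so the window is short, but it is not zero.
    Set-ADUser -Identity $u -SmartcardLogonRequired $false
    Set-ADUser -Identity $u -SmartcardLogonRequired $true

    $after = (Get-ADUser -Identity $u -Properties PasswordLastSet).PasswordLastSet

    [pscustomobject]@{
        Account   = $u.SamAccountName
        Before    = $before
        After     = $after
        Rolled    = ($after -ne $before)   # pwdLastSet moves when the DC set a new password
    }
}
```

Run it against a pilot OU first: every toggle is two directory writes per account, both of which replicate, and during the brief window between them a password logon to the account is technically possible. The built-in feature described below avoids both problems, which is why the script belongs to the past once the domain is at the required functional level.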

Activate the option

For the setting to take effect, the domain functional level must be Windows Server 2016, i.e. every domain controller in the domain must run Windows Server 2016 or later.

Using the Active Directory Administrative Center, right-click on the domain name and select "Properties".

Then the option "Enable rolling of expiring NTLM secrets during sign in, for users who are required to use Microsoft Passport or smart card for interactive sign on" can be activated.

At the domain level, this sets the msDS-ExpirePasswordsOnSmartcardOnlyAccounts attribute to TRUE.

If the domain is installed with functional level "Windows Server 2016", the attribute is already enabled.
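The same steps (check the functional level, read and set the domain-level attribute, then verify which accounts the rolling actually reaches) can be done from PowerShell instead of the Active Directory Administrative Center dialog. The script below is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and that the current user's domain is the one to change. The "password never expires" column is included because expiry is what triggers the roll, so accounts flagged that way are not expected to be rolled.

```powershell
# Added example (not from the original page): enable the Windows Server 2016
# rolling of NTLM secrets for smart-card-only accounts and check which accounts
# the feature can actually reach. Assumes the ActiveDirectory RSAT module and
# Domain Admin rights; the domain is taken from the current user context.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$attr   = 'msDS-ExpirePasswordsOnSmartcardOnlyAccounts'

# 1. Prerequisite: Windows Server 2016 domain functional level.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is $($domain.DomainMode); $required is required."
}

# 2. Read the switch on the domain naming context head and turn it on if needed.
#    This is exactly what the ADAC checkbox writes.
$head = Get-ADObject -Identity $domain.DistinguishedName -Properties $attr
if ($head.$attr -ne $true) {
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ $attr = $true }
    Write-Host "Enabled $attr on $($domain.DistinguishedName)"
} else {
    Write-Host "$attr is already TRUE on $($domain.DistinguishedName)"
}

# 3. The roll is driven by password expiry: a maximum age of 0 ("never") rolls nothing.
#    Only the default domain policy is checked here; fine-grained policies (PSOs)
#    can override it per account (see Get-ADUserResultantPasswordPolicy).
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) {
    Write-Warning 'MaxPasswordAge is 0 (never expires): smart-card-only passwords will not roll.'
} else {
    Write-Host "Passwords older than $($maxAge.Days) days roll at the user's next sign-in."
}

# 4. Report smart-card-only accounts (userAccountControl bit 0x40000 = 262144) with
#    their password age. The roll happens during sign-in, so an account nobody uses
#    keeps its old hash and shows up here with a growing PasswordAgeDays.
$scril = '(&(objectCategory=person)(objectClass=user)' +
         '(userAccountControl:1.2.840.113556.1.4.803:=262144))'

Get-ADUser -LDAPFilter $scril -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) {
            [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        } else { $null }

        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $ageDays
            NeverExpires    = $_.PasswordNeverExpires   # exempt from expiry, so not rolled
            LastLogonDate   = $_.LastLogonDate
        }
    } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Re-run step 4 a few days after enabling the setting: accounts whose owners have signed in since should show a fresh PasswordLastSet, while accounts that still report an age above the maximum password age are either unused, flagged "password never expires", or covered by a fine-grained policy with a longer maximum age.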
