A feature request I’ve frequently seen from customers is the ability to secure resources based on whether the user logged on with a smartcard or with a normal username/password combination.
This is now possible in a Windows Server 2008 R2 domain (the domain functional level must be Windows Server 2008 R2).
In short, the process is as follows:
The result: when the user logs on with a smartcard, they have access to the resource through the group SID that is present in their access token. When they log on with a username and password, they don’t have access, because the SID for the group is not present in their access token in that case.
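One way to confirm this result from a logged-on session, as an added example that is not part of the original post: a PowerShell function that checks whether the current access token carries the group's SID. The function name `Test-TokenHasGroup` and the group name `CONTOSO\SmartcardAssured` are assumptions; substitute the group you use to secure the resource.

```powershell
# Added example: report whether the current logon token contains a given group SID.
# 'CONTOSO\SmartcardAssured' is a hypothetical group name used for illustration.
function Test-TokenHasGroup {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    # Resolve the group name to its SID; this throws if the name cannot be resolved.
    $account  = New-Object System.Security.Principal.NTAccount($GroupName)
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Group SIDs carried in the token of the current process.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $match    = $identity.Groups | Where-Object { $_.Value -eq $groupSid.Value }

    # Return an object rather than text so the result can be logged or compared.
    New-Object PSObject -Property @{
        User     = $identity.Name
        Group    = $GroupName
        GroupSid = $groupSid.Value
        InToken  = [bool]$match
    }
}

Test-TokenHasGroup -GroupName 'CONTOSO\SmartcardAssured'
```

Run it once in a session started after a smartcard logon and once after a username/password logon: `InToken` should be `True` in the first case and `False` in the second.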
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide: http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx
What's new in smartcards in Windows 7 and Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/dd367851(WS.10).aspx