How to Allow Users to Update Their Own altSecurityIdentities for NFC Card Linking in Active Directory

Q1: Why would a user need to modify altSecurityIdentities?

Users modify altSecurityIdentities to link their NFC cards to their Active Directory (AD) account using the LinkNFC2AD.exe tool. This enables secure passwordless or multifactor logon with CodeB Credential Provider V2. By default, only Domain Admins have the required rights.


Q2: What tool is used to link an NFC card to an AD user?

The tool LinkNFC2AD.exe is used to bind an NFC token (for example MIFARE or DESFire) to the user’s AD account by writing the card’s identity to the altSecurityIdentities attribute.


Q3: What permissions are required for a user to perform this action?

The user must have read and write access to the altSecurityIdentities attribute on their own AD user object.


Q4: How do I configure this in Active Directory?

  1. Open Active Directory Users and Computers (ADUC) via dsa.msc.
  2. Enable Advanced Features from the View menu.
  3. Right-click the Organizational Unit (OU) where users reside, select Properties, go to the Security tab, then click Advanced.
  4. Click Add, then:
    • Select the user or a group (e.g., SelfServiceUsers).
    • Assign the following permissions:
      • ✔️ Read altSecurityIdentities
      • ✔️ Write altSecurityIdentities
    • Set Applies to: Descendant User objects.
  5. Click OK to apply the changes.
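The same delegation as steps 1 to 5, scripted as an added example (not part of the CodeB documentation) with the RSAT ActiveDirectory module; the OU distinguished name is a placeholder. It grants the ACE to the well-known SELF principal (S-1-5-10), so each user can write the attribute only on their own object; naming a group such as SelfServiceUsers instead would let every member write altSecurityIdentities on every user under the OU, which is a wider grant than the per-user access described in Q7.

```powershell
# Added example: delegate Read/Write of altSecurityIdentities to SELF on an OU,
# inherited by descendant user objects only. Requires the RSAT ActiveDirectory
# module (which provides the AD: drive) and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDN = 'OU=NFC Users,DC=example,DC=com'   # placeholder OU, replace with your own

# Resolve schema GUIDs from the directory instead of hard-coding them
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=altSecurityIdentities)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# GUID of the "user" object class: limits inheritance to "Descendant User objects"
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

# SELF resolves to "the object being accessed", i.e. each user on their own account
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

$acl = Get-Acl -Path "AD:\$ouDN"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list every ACE on the OU that targets altSecurityIdentities, so any
# entry granted to a group rather than SELF stands out during review
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

After the change, the verification listing should show only NT AUTHORITY\SELF with ReadProperty, WriteProperty for this attribute; re-run it after any later ACL edit to the OU.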

Q5: Is a registry change required on the client?

No registry change is required for using LinkNFC2AD.exe. The tool updates AD directly over LDAP, provided the permissions have been delegated as described above.


Q6: Can this delegation be applied via Group Policy?

Yes. Group Policy can be used to:

  • Assign permissions at the OU level.
  • Distribute the LinkNFC2AD.exe tool.
  • Optionally, deploy logon UI configurations if needed.

Q7: Is this delegation secure?

Yes. Users are granted write access only to the altSecurityIdentities attribute on their own user object, maintaining strict control under least-privilege principles.
