I use the CAC to log on as well, but of course remove the card when I leave, since getting on base is a pain without it! But while I am logged on, without the card inserted, all of my System Prefs are locked. If I try to change that, I have to reinsert the card. Are you saying that you can make changes with the card removed? What configuration setting would control that?

Yes it doesn't matter if my card is inserted or not. I don't know what would be different between your config and mine. What is your setup i.e. are you using a regular account, or an admin account etc. I am using an admin account and I suppose that could be different. The obvious solution if you can't figure this out is to leave your card inserted while you are using your machine and remove it when you leave.

In the "Security" pref-pane, there's a checkbox for that.

Just a stupid question:
Is it considered good practice to leave the card inside the reader while working ?

My understanding is that the presence of the card replaces the need to type in the admin password.

If that is so, you'd be quite more vulnerable to someone tricking you into installing something like the "opener"-shell-script than regular people without fancy card-readers, becaus you won't see the pw-prompt.
But being a civilian and consequently lacking the possibilty to check it out, I may be mistaken here.

No the OS still asks for your admin password when installing etc. It just allows for authentication using a pin as opposed to username and password. It does not override the need for an admin password to install. I leave my card in while I am at my machine and remove it when I am gone. It will only ask for your pin initally when doing digitally signed email then it will not ask for it again as long as you do not remove it, once the card has been removed you must reauthenticate the email program (you can still read email and send non-digitally signed).

Oh also to clarify...I have the "require password to unlock each secure system preference" button checked. So if i want to change one of those prefs like security for instance then I do need to authenticate, however when I uncheck that button then I don't need to authenticate to change those prefs. I understood the problem to mean that he couldn't change any of his prefs without authenticating.

I'm also using an Admin account. If I unlock System Prefs while my card is in the reader, they stay unlocked until I log out. However, I have to do that every time I log in, or leave the card in the reader.