Specify AD Users that can Login when Multi-Factor Authentication is Unavailable

Use this policy to specify rescue users who can log on to computers in a classic zone or an Auto Zone when multi-factor authentication is required, but the agent cannot connect to the Delinea cloud service.

You should specify at least one user account for this policy to ensure that someone can access the computers in the event that multi-factor authentication is unavailable.

If you enable this policy, you can specify users by name in the following formats:

  • SAM account name: sAMAccountName
  • SAM account name of a user in a different domain: sAMAccountName@domain
  • User Principal Name: name@domain
  • Canonical Name: domain/container/cn
  • Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
  • An asterisk (*), which includes all Active Directory users

By default, this policy does not specify any rescue users.

This group policy modifies the adclient.legacyzone.mfa.rescue.users configuration parameter in the agent configuration file.
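The following audit sketch is an added example, not code from the vendor or the agent. It reads the parameter from configuration text, labels each entry with one of the formats listed above, and reports the two settings worth reviewing: an empty list and the asterisk. It assumes a `name: value` line syntax and a comma-separated value; the sample accounts and domain are constructed placeholders.

```python
import re
PARAM = "adclient.legacyzone.mfa.rescue.users"

def split_entries(value):
    """Split on commas (assumed separator) but keep each full DN in one piece."""
    entries, dn, seen_dc = [], [], False
    for tok in filter(None, (t.strip() for t in value.split(","))):
        is_rdn = re.match(r"[A-Za-z]+=", tok) is not None
        is_dc = tok.upper().startswith("DC=")
        # A DN ends at a non-RDN token, or at the first non-DC part after a DC.
        if dn and (not is_rdn or (seen_dc and not is_dc)):
            entries.append(",".join(dn))
            dn, seen_dc = [], False
        if is_rdn:
            dn.append(tok)
            seen_dc = seen_dc or is_dc
        else:
            entries.append(tok)
    return entries + ([",".join(dn)] if dn else [])

def classify(entry):
    """Name the documented format an entry uses (name@domain covers both @ forms)."""
    if entry == "*":
        return "wildcard"
    if re.match(r"(?i)cn=", entry):
        return "full DN"
    if "/" in entry:
        return "canonical name"
    return "name@domain" if "@" in entry else "sAMAccountName"

def audit(conf_text):
    """Return (classified entries, findings) for the rescue-user parameter."""
    value = ""
    for line in conf_text.splitlines():
        m = re.match(r"\s*" + re.escape(PARAM) + r"\s*:\s*(.*)$", line)
        if m:  # commented-out lines start with '#' and never match
            value = m.group(1)
    entries = [(e, classify(e)) for e in split_entries(value)]
    findings = []
    if not entries:
        findings.append("no rescue users: no fallback logon if MFA is unavailable")
    if any(kind == "wildcard" for _, kind in entries):
        findings.append("'*' makes every Active Directory user a rescue user")
    return entries, findings

# Constructed sample; names and domain are placeholders, not from a real host.
SAMPLE = ("# adclient.legacyzone.mfa.rescue.users: old.admin\n"
          "adclient.legacyzone.mfa.rescue.users: rescue1, ops@example.test, "
          "example.test/Users/Rescue Two, CN=Rescue Three,CN=Users,DC=example,DC=test, *\n")
```

Calling `audit(SAMPLE)` returns the five classified entries and a single finding for the asterisk.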