Specify AD users that can log in when multi-factor authentication is unavailable

Specify the Active Directory users that can log in when multi-factor authentication is unavailable.

This parameter applies only to Auto Zone and classic zones.

When you specify one or more users in this parameter, those users can log in without multi-factor authentication when multi-factor authentication is unavailable, for example when Centrify Identity Platform cannot be reached.

You can specify users by name, or you can list the user names in a file. The user name can be specified in any of the following formats:
- sAMAccountName
- sAMAccountName@domain.com (specify the domain if the account is not in the current domain)
- distinguishedName
- canonicalName
- * (this includes all AD users)

If a name contains space characters, you can put the name in double quotes or escape the space characters using backslashes, for example:
"Krusty T. Clowns", Jane\ Doe

You can enter the list of users separated by commas, for example:
joe, janedoe, user1, user2@domain.com

You can also use a file to specify users. In the file, enter one name per line. You can mix name formats, for example:

This policy modifies the adclient.legacyzone.mfa.rescue.users setting in the Centrify DirectControl configuration file.
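
Because every name in this setting can log in without a second factor during an outage, the list is worth reviewing like any other break-glass control. The following is an added example, not Centrify code: it parses a comma-separated value using the quoting and escaping rules described above, then flags the `*` wildcard and any name missing from an approved list. The function names, the approved list and the sample value are constructed for illustration, and the parser assumes that a distinguishedName containing commas is enclosed in double quotes.

```python
"""Added example: audit a rescue-user list. All names below are constructed."""

def parse_rescue_users(value):
    """Split a comma-separated list, honouring double quotes and backslash escapes.

    Assumption: a distinguishedName that contains commas is double-quoted.
    """
    names, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            names.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes or escaped:
        raise ValueError("unterminated quote or dangling backslash")
    names.append("".join(buf).strip())
    return [n for n in names if n]

def audit(value, approved):
    """Return (severity, message) findings; 'approved' holds lowercase names."""
    findings = []
    for name in parse_rescue_users(value):
        if name == "*":
            findings.append(("HIGH", "'*' exempts every AD user from MFA during an outage"))
        elif name.lower() not in approved:
            findings.append(("MEDIUM", f"{name!r} is not on the approved break-glass list"))
    return findings

# Constructed sample value and approved list (hypothetical accounts).
SAMPLE = r'joe, "Krusty T. Clowns", Jane\ Doe, user2@domain.com, *'
APPROVED = {"joe", "jane doe"}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE, APPROVED):
        print(f"{severity}: {message}")
```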

Supported on:

Administrative Templates (Computers)

Administrative Templates (Users)