Prevent local administrators from being able to log on in rescue mode (when there are no explicit rescue users defined)

Use this group policy to prevent local administrators that are not defined rescue users from logging on to a machine that runs into rescue mode or Windows Safe Mode.

By default, if this policy is set to "Disabled" or "Not Configured" all local administrators are able to log on without multi-factor authentication when the machine runs into these modes.

If you set this policy to "Enabled," local administrators will not be able to log on in rescue mode or Windows Safe Mode. You can add individual accounts to the rescue user list by issuing them a rescue user role, or a custom role with the rescue user system right selected, or, if you are not joined to a zone, by enabling the group policy, "Specify a list of rescue users (when the agent is not joined to a zone)" and adding their account to the rescue user list.


Supported on:
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\DirectAuthorize\Agent
Value NameDisableLocalAdminRescue
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Deny users

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\DirectAuthorize\Agent
Value NameDisableLocalAdminRescue
Value TypeREG_DWORD
Default Value*

centrify_windows_settings.admx

Administrative Templates (Computers)

Administrative Templates (Users)