AuthLite Interactive Documentation
Fig. 1) User Rights Assignment Allow/Denies

If you want to allow ONLY 2-factor users on a particular machine, just break the problem into two parts:

  1. Use Group Policy to restrict the set of users who are allowed to log on to only the group named AuthLite Users.  Do this in the Computer policy's "User Rights Assignment" settings highlighted in green.  Anyone not represented in these settings will not be allowed to log on.
  2. Now add the AuthLite 1-Factor Session Tag group to the settings highlighted in red.  This adds the further constraint that 1-factor AuthLite users are blocked even if they would otherwise be allowed to log on.

As a quick example, if you set the "Allows" to AuthLite Users (or you could choose AuthLite 2-Factor Session Tag here), and then set the "Denies" to AuthLite 1-Factor Session Tag, then you have successfully blocked everyone but 2-factor AuthLite users.  This may not be what you truly want; consider that you should still allow "Administrators" to log on too.  (That will cover local admins as well as all domain admins.)

Note: Always test that 1-factor logons and authentication attempts by disallowed users get blocked as you expect.  The fact that 2-factor logon is working does not imply that it is being enforced successfully.
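
One way to check the resulting policy, as an added example that is not AuthLite's own code: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports any logon right that admits groups other than the intended ones or lacks the 1-factor deny. The export text, SIDs and SID-to-name map are constructed, and the choice of the interactive and Remote Desktop logon rights is an assumption about which settings the figure highlights.

```python
# Added example: audit a User Rights Assignment export against the allow/deny
# pattern described above. INF text, SIDs and the SID map are constructed.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1107
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""
# Constructed mapping; on a real host resolve SIDs against the domain.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-21-1111-2222-3333-1105": "AuthLite Users",
    "S-1-5-21-1111-2222-3333-1107": "AuthLite 1-Factor Session Tag",
}
# Assumption: these allow/deny pairs are the rights the figure highlights.
LOGON_PATHS = [
    ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
]
ALLOWED = {"AuthLite Users", "AuthLite 2-Factor Session Tag", "Administrators"}
MUST_DENY = "AuthLite 1-Factor Session Tag"

def parse_rights(inf_text, sid_names=SID_NAMES):
    """Return {right: set of principal names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, _, members = line.partition("=")
            sids = [m.strip() for m in members.split(",") if m.strip()]
            rights[right.strip()] = {sid_names.get(s.lstrip("*"), s) for s in sids}
    return rights

def audit(rights):
    """List every deviation from 'allow only expected groups, deny 1-factor'."""
    findings = []
    for allow, deny in LOGON_PATHS:
        for name in sorted(rights.get(allow, set()) - ALLOWED):
            findings.append(f"{allow}: unexpected principal {name}")
        if MUST_DENY not in rights.get(deny, set()):
            findings.append(f"{deny}: missing {MUST_DENY}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rights(SAMPLE_INF)):
        print(finding)
```

A real export is UTF-16 encoded, so read it with `encoding="utf-16"`. A clean audit covers configuration only; the logon tests in the note above still confirm actual enforcement.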