AuthLite Interactive Documentation
Fig. 1) User Rights Assignment Allow/Denies

If you want to allow ONLY 2-factor users on a particular machine, just break the problem into two parts:

  1. Use Group Policy to constrain the set of users who are allowed to log on to only "AuthLite Users". Do this using the Computer policy's "User Rights Assignment" sections highlighted in green. Anyone not represented in these settings will not be allowed.
  2. Now add "AuthLite 1F Tag" to the sections highlighted in red. This adds the further constraint that even if you would otherwise be allowed to log on, 1-factor AuthLite users are blocked.

As a quick example, if you set the "Allows" to "AuthLite Users" (or you could choose "AuthLite 2F Tag" here) and then set the "Denies" to "AuthLite 1F Tag", you have successfully blocked everyone but 2-factor AuthLite users. This may not be what you truly want; consider that you should still allow "Administrators" to log on too. (That will cover local admins as well as all domain admins.)

Note: Always test that 1-factor logons and authentication of disallowed users get blocked as you expect. Just because 2-factor is working does not imply it is being enforced successfully.
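
The allow/deny design above can also be checked offline against a machine's exported policy before you do the live logon tests. The following is an added example, not AuthLite's own code: it parses a constructed `[Privilege Rights]` section in the style of `secedit /export` output and reports every logon right where the result differs from the design. The choice of rights, the test sessions, and the use of group names instead of the SIDs a real export usually contains are assumptions.

```python
import configparser

# Constructed sample in the style of `secedit /export`; principals shown as names.
SAMPLE_INF = """
[Privilege Rights]
SeInteractiveLogonRight = Administrators,AuthLite Users
SeDenyInteractiveLogonRight = AuthLite 1F Tag
SeRemoteInteractiveLogonRight = Administrators,AuthLite Users
SeDenyRemoteInteractiveLogonRight =
"""

# Allow/deny pairs audited (assumption: the figure's exact rights are not on the page).
PAIRS = [("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
         ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")]

# Constructed sessions (assumed to carry a 1F/2F tag group): (groups, should log on?).
SESSIONS = {
    "AuthLite user, 2-factor": ({"AuthLite Users", "AuthLite 2F Tag"}, True),
    "AuthLite user, 1-factor": ({"AuthLite Users", "AuthLite 1F Tag"}, False),
    "admin, not an AuthLite user": ({"Administrators"}, True),
    "admin AuthLite user, 1-factor":
        ({"Administrators", "AuthLite Users", "AuthLite 1F Tag"}, False),
    "user outside every allowed group": ({"Domain Users"}, False),
}

def parse_rights(inf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    return {right: {p.strip() for p in value.split(",") if p.strip()}
            for right, value in cp["Privilege Rights"].items()}

def logon_permitted(rights, allow, deny, groups):
    """A deny right overrides an allow right; no allow match means no logon."""
    if groups & rights.get(deny, set()):
        return False
    return bool(groups & rights.get(allow, set()))

def audit(inf_text):
    """Return (allow right, session) pairs whose outcome differs from the design."""
    rights = parse_rights(inf_text)
    return [(allow, name) for allow, deny in PAIRS
            for name, (groups, expected) in SESSIONS.items()
            if logon_permitted(rights, allow, deny, groups) != expected]

if __name__ == "__main__":
    for right, session in audit(SAMPLE_INF):
        print(f"GAP in {right}: wrong outcome for '{session}'")
```

In the sample, the Remote Desktop deny entry was left empty, so the audit flags both 1-factor sessions for that right even though local logon is enforced correctly.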