Figure 1: AuthLite Groups
Creating AuthLite Groups

AuthLite uses specially chosen Active Directory Global Groups to determine which users it should care about. It also uses these groups to track whether a session was authenticated with 1-factor or 2-factor.

To make things easy for administrators to understand, we found the best practice is to make three groups for each type of AuthLite user (see Figure 1).  You place users into the "AuthLite Users" group, and this is nested into the AuthLite 1F Tag group.  The AuthLite 2F Tag group has no members.

The Tag groups are special, and their membership should not be changed after this initial setup. Notice that the AuthLite Users group is a member of the 1F Tag group but not the 2F Tag group. This is intentional: membership in a Tag group is what marks a session's authentication level, so the 2F Tag group must start empty.

You can name these groups whatever you want, and place them wherever you want in your directory OU structure. They must be Global Groups, and in general they should not be nested into any other AD group, apart from "Domain Local" and "Builtin" groups. We have a quick PowerShell script that makes these groups and sets permissions on them.
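The following is an added example, not AuthLite's own script, showing how the group layout described above can be created and then checked with the ActiveDirectory PowerShell module (RSAT). The OU path is a placeholder, and the three group names are the ones used in this page; the permission settings that AuthLite's script applies are not described here, so this example does not attempt them.

```powershell
# Added example (not AuthLite's script). Requires the ActiveDirectory module (RSAT)
# and an account allowed to create groups in the target OU.
Import-Module ActiveDirectory

$OU    = "OU=AuthLite,DC=example,DC=com"   # placeholder: replace with your OU
$Users = "AuthLite Users"                  # group you put real users into
$Tag1F = "AuthLite 1F Tag"                 # marks 1-factor sessions; contains $Users only
$Tag2F = "AuthLite 2F Tag"                 # marks 2-factor sessions; must stay empty

# Create each group as a Global security group if it does not already exist.
foreach ($name in @($Users, $Tag1F, $Tag2F)) {
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OU
    if (-not $existing) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OU
    }
}

# Nest the Users group into the 1F Tag group (idempotent), never into the 2F Tag group.
$alreadyNested = Get-ADGroupMember -Identity $Tag1F | Where-Object { $_.Name -eq $Users }
if (-not $alreadyNested) {
    Add-ADGroupMember -Identity $Tag1F -Members $Users
}

# Verification: every group is Global, 1F Tag contains only the Users group, 2F Tag is empty.
$problems = @()
foreach ($name in @($Users, $Tag1F, $Tag2F)) {
    $g = Get-ADGroup -Identity $name
    if ($g.GroupScope -ne 'Global') { $problems += "$name is not a Global group" }
}
$members1F = @(Get-ADGroupMember -Identity $Tag1F)
if ($members1F.Count -ne 1 -or $members1F[0].Name -ne $Users) {
    $problems += "$Tag1F should contain exactly one member: $Users"
}
$members2F = @(Get-ADGroupMember -Identity $Tag2F)
if ($members2F.Count -ne 0) {
    $problems += "$Tag2F must have no members"
}

if ($problems.Count -eq 0) {
    Write-Output "AuthLite group layout verified."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The verification block is the part worth keeping around: because Tag group membership is what AuthLite reads to decide a session's authentication level, re-running those checks (for example from a scheduled task) catches an accidental or unauthorized change to the Tag groups after the initial setup.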

Next, we'll tell AuthLite about these groups and see how they work.