AuthLite Interactive Documentation

Group Policy Exception

Normally, we expect there to be a group policy enforcing 2FA for AuthLite users at all OU levels for all logon types. In some cases this is too strict (e.g. it breaks Exchange ActiveSync). To exempt specific servers from that policy:

  • Make an Organizational Unit containing only the Server(s) you wish to allow.  To keep applying existing policies to them, you can make a new OU under the one they are currently deployed to.  If they are in the Computers container, then make an OU from the root of the domain and move them into it.

  • In Group Policy Management, define a new Group Policy object and link it to the new OU.
  • In Computer Policy's "User Rights Assignment" section, define the "Deny access to this computer from the network" item, and make its contents either:
    • An empty list, or
    • Whatever non-AuthLite-related items you want to include in this list.
  • Wait for replication.
  • On each affected server, run:

    gpupdate /force

After the policy refresh, the servers should permit 1-factor access by AuthLite users to network protocols (e.g. all Exchange access).
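To confirm the result on a server, the following added example (not part of the AuthLite documentation) exports the effective user rights with `secedit` and lists what remains in "Deny access to this computer from the network" (`SeDenyNetworkLogonRight`). The `*AuthLite*` name pattern is an assumed placeholder; replace it with the groups your enforcing policy actually lists. Run it from an elevated prompt.

```powershell
param(
    # Assumption: placeholder pattern for the groups your 2FA deny policy lists.
    [string]$AuthLitePattern = '*AuthLite*'
)

function Get-DenyNetworkLogonEntries {
    param([string]$InfPath)
    # secedit writes the right as: SeDenyNetworkLogonRight = *S-1-5-32-546,Guest
    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }           # right absent from export = empty list
    $value = ($line -split '=', 2)[1].Trim()
    if (-not $value) { return @() }
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # SID form: translate to an account name where possible
            $sid = $entry.TrimStart('*')
            try {
                ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $sid }                 # unresolvable SID: keep the raw value
        } else {
            $entry
        }
    }
}

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entries = @(Get-DenyNetworkLogonEntries -InfPath $inf)
Remove-Item $inf -ErrorAction SilentlyContinue

$blocking = @($entries | Where-Object { $_ -like $AuthLitePattern })
$shown = if ($entries.Count) { $entries -join ', ' } else { '(empty list)' }
"Deny network logon on ${env:COMPUTERNAME}: $shown"
if ($blocking.Count) {
    Write-Warning "Exception not in effect, still denied: $($blocking -join ', ')"
} else {
    "No entry matches '$AuthLitePattern'; the deny list no longer blocks those users here."
}
```

Running the same script on a server outside the new OU should still show the AuthLite-related entries, which confirms the exception is scoped to the intended machines only.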