Permit 1-factor Network Access to a Server
Group Policy Exception
Normally, we expect there to be a group policy enforcing 2FA for AuthLite users at all OU levels for all logon types. But in some cases this is too strict (e.g. it breaks Exchange ActiveSync).
- Make an Organizational Unit containing only the Server(s) you wish to allow. To keep applying existing policies to them, you can make a new OU under the one they are currently deployed to. If they are in the Computers container, then make an OU from the root of the domain and move them into it.
- In Group Policy Management, define a new Group Policy object and link it to the new OU.
- In Computer Policy's "User Rights Assignment" section, define the "Deny access to this computer from the network" item, and make its contents either:
  - An empty list, or
  - Whatever non-AuthLite-related items you want to include in this list.
- Wait for replication.
On each affected server, run:
and the servers should now permit 1-factor access by AuthLite users to network protocols (including all Exchange access).
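
One way to confirm the result on a server, as an added example that is not from the original page: it exports the effective user rights with `secedit` and lists what remains in `SeDenyNetworkLogonRight`, the constant behind "Deny access to this computer from the network". The `$expected` list is an assumption for you to fill in with the non-AuthLite entries you chose to keep.

```powershell
# Added example: report the effective "Deny access to this computer from the network" right.
# Run in an elevated PowerShell session on the server once the new GPO has applied.

# Assumption: accounts you intentionally left in the list (empty if you chose "an empty list").
$expected = @()

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); run elevated." }

# The export only contains a line for this right when at least one account holds it.
$line = Select-String -Path $cfg -Pattern '^\s*SeDenyNetworkLogonRight\s*=' |
        Select-Object -First 1
Remove-Item $cfg -Force

$entries = @()
if ($line) {
    $entries = ($line.Line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ }
}

# Entries are written as *SID or as a plain account name; resolve SIDs where possible.
$resolved = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # SID could not be resolved to a name
    } else {
        $e
    }
}

if (-not $resolved) {
    'Deny-network-logon list is empty on this server.'
} else {
    # Anything with Expected = False is still being denied network logon by some policy.
    $resolved | ForEach-Object {
        [pscustomobject]@{ Account = $_; Expected = ($expected -contains $_) }
    }
}
```

If an unexpected entry is still listed, `gpresult /r /scope computer` shows which Group Policy objects were applied to the server.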