Specify a list of rescue users (when the agent is not joined to a zone)

When the agent is not joined to a zone, use this group policy to specify a list of users who can log on without using multi-factor authentication if the machine runs into rescue mode or Windows Safe Mode.

The user name can be specified in any of the following formats:
- sAMAccountName
- [email protected]
(specify the domain if the account is not in the current domain)
- * (this includes all AD users)

You can enter the list of users separated by comma, for example:
joe, janedoe, user1, [email protected]

Supported on:

Specify a list of rescue users (enter the comma-separated user or group names, e.g. [email protected], [email protected], or use * to include all AD users):

Registry PathSoftware\Policies\Centrify\DirectAuthorize\Agent
Value NameZonelessRescueUsers
Value TypeREG_SZ
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)