Use this group policy to prevent local administrators who are not defined as rescue users from logging on to a machine that enters rescue mode or Windows Safe Mode.
If this policy is set to "Disabled" or "Not Configured", the default behavior applies: all local administrators can log on without multi-factor authentication when the machine enters these modes.
If you set this policy to "Enabled", local administrators cannot log on in rescue mode or Windows Safe Mode. You can add individual accounts to the rescue user list by issuing them a rescue user role or a custom role with the rescue user system right selected. If you are not joined to a zone, enable the group policy "Specify a list of rescue users (when the agent is not joined to a zone)" and add their accounts to the rescue user list.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\DirectAuthorize\Agent |
Value Name | DisableLocalAdminRescue |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\DirectAuthorize\Agent |
Value Name | DisableLocalAdminRescue |
Value Type | REG_DWORD |
Default Value | * |
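
The following PowerShell audit check is an added example, not part of the original policy documentation or the vendor's tooling. It reads the registry value listed above and reports whether the policy is effectively enabled on the local machine. The function name and output property names are assumptions made for this example, and treating a wrong type or an unexpected value as "not enabled" is a conservative auditing choice, not documented agent behavior.

```powershell
# Added example: audit the DisableLocalAdminRescue policy value on this machine.
# Function and property names are hypothetical, chosen for this example.
function Get-LocalAdminRescuePolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\Software\Policies\Centrify\DirectAuthorize\Agent',
        [string]$Name = 'DisableLocalAdminRescue'
    )

    # A missing key or missing value means the policy is "Not Configured".
    $state = 'NotConfigured'
    $raw   = $null

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $raw  = $key.GetValue($Name)
        $kind = $key.GetValueKind($Name)

        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # The policy is documented as REG_DWORD; flag anything else.
            $state = "UnexpectedType($kind)"
        } elseif ($raw -eq 1) {
            $state = 'Enabled'
        } elseif ($raw -eq 0) {
            $state = 'Disabled'
        } else {
            $state = "UnexpectedValue($raw)"
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Policy       = $Name
        RawValue     = $raw
        State        = $state
        # Only "Enabled" (1) blocks non-rescue local administrators in
        # rescue mode or Safe Mode; every other state is reported as not
        # blocked so that it surfaces in an audit (assumption, see lead-in).
        LocalAdminsBlockedInSafeMode = ($state -eq 'Enabled')
    }
}

Get-LocalAdminRescuePolicy
```

Rows where `LocalAdminsBlockedInSafeMode` is `False` are the machines on which any local administrator can still log on in these modes without multi-factor authentication.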