Specify the Active Directory groups that require multi-factor authentication.
This parameter applies only to autozone and classic zones.
By default, no Active Directory group requires multi-factor authentication. When you specify one or more groups in this parameter, members of those groups are required to use multi-factor authentication.
The groups listed here can be domain local, global, or universal groups. They must be security groups; distribution groups are not supported.
You can specify each group by name, or you can list the groups in a file. The group name can be specified in any of the following formats:
- sAMAccountName
- [email protected]
(specify the domain if the group is not in the current domain)
- canonicalName
If a name contains space characters, you can put the name in double quotes or escape the space characters using backslashes:
e.g. "Domain Admins", Domain\ Users
adclient writes any name that is not recognized to the Centrify DirectControl log file.
You can enter the list of groups separated by commas, for example:
centrify_groups, "Domain Admins", Domain\ Users, group1, [email protected]
You can also use a file to specify groups. In the file, enter each name line by line. You can mix name formats, for example:
centrify_groups
"Domain Admins"
Domain\ Users
group1
[email protected]
This policy modifies the adclient.legacyzone.mfa.required.groups setting in the Centrify DirectControl configuration file.
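Because an unrecognized name is only reported in the log file, it helps to check a group list for quoting mistakes before deploying it. The following is an added example, not Centrify's code: it approximates the quoting rules described above (it is not adclient's parser), and the function names and the sample `example.com` entries are constructed assumptions.

```python
# Added example: approximates the quoting rules on this page; not adclient's parser.

def split_groups(value):
    """Split a comma-separated list, honoring "double quotes" and backslash escapes."""
    names, cur, in_quote, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            cur.append(value[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote       # quotes delimit, they are not part of the name
        elif ch == "," and not in_quote:
            names.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unbalanced double quote in group list")
    names.append("".join(cur).strip())
    return names

def parse_file(text):
    """File form: one name per line, same quoting rules applied to each line."""
    return [n for line in text.splitlines() if line.strip() for n in split_groups(line)]

def classify(name):
    """Guess which of the three documented name formats an entry uses."""
    if "/" in name:
        return "canonicalName"            # AD canonical names use '/' separators
    return "name@domain" if "@" in name else "sAMAccountName"

def lint(value):
    """Return ([(name, format)], [problems]) for a comma-separated list."""
    seen, report, problems = set(), [], []
    for name in split_groups(value):
        if not name:
            problems.append("empty entry (stray comma?)")
            continue
        if name.lower() in seen:
            problems.append(f"duplicate entry: {name}")
        seen.add(name.lower())
        report.append((name, classify(name)))
    return report, problems

# Constructed sample input (the last two entries are made up for illustration).
SAMPLE = r'centrify_groups, "Domain Admins", Domain\ Users, group1, ops@example.com, example.com/Users/Helpdesk'
if __name__ == "__main__":
    print(lint(SAMPLE))
```

Compare the normalized names it prints against the groups in Active Directory; whether a name is actually recognized is still decided by adclient.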