Specify AD groups that require multi-factor authentication

Specify the Active Directory groups that require multi-factor authentication.

This parameter is only for autozone and classic zone.

By default no Active Directory group require multi-factor authentication. When you specify one or more groups in this parameter, the groups specified will require multi-factor authentication.

Any groups listed here can be domain local, global or universal groups. They must be security groups; however, distribution groups are not supported.

You specify each group by name or you can list the groups in a file. The group name can be specified in any of the following formats:
- sAMAccountName
- [email protected]
(specify the domain if the group is not in the current domain)
- canonicalName

If a name contains space characters, you can put the name in double quotes or escape the space characters using backslashes:
e.g. "Domain Admins", Domain\ Users

adclient writes any name that is not recognized to the Centrify DirectControl log file.

You can enter the list of groups separated by comma, for example:
centrify_groups, "Domain Admins", Domain\ Users, group1, [email protected]

You can also use a file to specify groups. In the file, enter each name line by line. You can mix name formats, for example:
"Domain Admins"
Domain\ Users
[email protected]

This policy modifies the adclient.legacyzone.mfa.required.groups setting in the Centrify DirectControl configuration file.

Supported on:


Administrative Templates (Computers)

Administrative Templates (Users)