For Windows computers, the most basic rights are the system rights that determine whether a user can log on locally, log on remotely, or both. The rights that grant users local and remote access are defined by default in the Windows Login role so that you can grant users access simply by assigning the Windows Login role and without defining any custom roles or any additional access rights. You can enable or disable these system rights in any custom role definition, but you cannot add, modify, or delete them.
In most cases, you can assign the Windows Login role to all local Windows users, all Active Directory users, or both, to allow users to log on locally or remotely. However, the system rights in the Windows Login role do not override any native Windows security policies. For example, most domain users are not allowed to log on locally on domain controllers. Depending on how your organization has configured native Windows security policies, users might need to be members of a specific Windows security group, such as Server Operators or Remote Desktop Users, to log on to specific computers locally or remotely.
If you would like to require multi-factor authentication for users or groups that use Centrify-managed Windows computers, you must assign them the require MFA for login role in addition to the Windows Login role as there is no system right to enable multi-factor authentication within the Windows Login role.
If you enable multi-factor authentication, users will be required to type their password and provide a second form of authentication before being able to log on. For example, you can configure an authentication profile that requires users to answer a phone call, click a link in an email message, respond to a text message, provide a one-time‑password (OTP) token, or answer a security question. Before defining this system right, however, you should be aware that multi-factor authentication for Centrify-managed Windows computers relies on the infrastructure provided by the Privileged Access Service.
For more information about preparing to use multi-factor authentication, see the Multi-factor Authentication Quick Start Guide.
In addition to the system rights that specify whether a user can log on locally or remotely, you can use the Rescue rights setting to specify that users in a particular role should always be allowed to log on to a computer. This option is intended as a “safety net” for “emergency” situations when users would normally be locked out. For example, if auditing is required for a role, but the agent is not running or has been removed, users are not allowed to log on. You can use the rescue rights option to allow selected administrative users access to computers when they would otherwise be locked out and prevented from logging on. Because this option allows unaudited activity, you should strictly limit its use.
Note: If you do not explicitly set the Rescue rights option for any users, only the local administrator and the domain administrator accounts will have rescue rights. Those accounts are always allowed to log on by default.