Specify a list of rescue users (when the agent is not joined to a zone)

If the agent is not joined to a zone (because your computers are not managed by Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service), use this policy to specify a list of users who can log in without using multi-factor authentication if the machine is running in rescue mode or Windows Safe Mode.

The user name can be specified in any of the following formats:

  • sAMAccountName
  • sAMAccountName@domain (if the account is not in the current domain)
  • UserPrincipalName@domain
  • An asterisk (*), which includes all Active Directory users

Enter the users as a comma-separated list, for example:

joe, janedoe, user1, user2@domain.com

By default, if this policy is set to Disabled or Not configured, only local administrators can log on in rescue mode or safe mode. However, if you enable the "Prevent local administrators from being able to log on in rescue mode (when there are no explicit rescue users defined)" policy and do not enable this policy, no one can log in when the computer is running in these modes.
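
The following is an added example, not Centrify code: a pre-deployment review of the two settings described above that classifies each list entry by the formats the page names, flags the asterisk, and flags the combination that leaves no one able to log in. The function names, finding labels, and character checks are assumptions of this example; the agent's own parsing may differ.

```python
# Added example: review the rescue-user policy value before deploying it.
# Names and finding labels are hypothetical, not part of the product.

# Conservative check (assumption): characters AD rejects in sAMAccountName.
BAD_CHARS = set('"/\\[]:;|=+?<>')

def classify(entry):
    """Map one list entry to a format named on the page, or 'invalid'."""
    if entry == "*":
        return "wildcard"
    if not entry or any(c in BAD_CHARS or c.isspace() for c in entry) or "*" in entry:
        return "invalid"
    if "@" not in entry:
        return "sAMAccountName"
    name, _, domain = entry.rpartition("@")
    # sAMAccountName@domain and UserPrincipalName@domain look alike syntactically.
    return "name@domain" if name and domain else "invalid"

def review(policy_enabled, user_list, block_local_admins):
    """Return (classified entries, findings) for the two policy settings."""
    entries, findings = [], []
    if not policy_enabled:
        # Page: Disabled/Not configured leaves only local administrators;
        # blocking them as well leaves nobody.
        if block_local_admins:
            findings.append("LOCKOUT: no one can log in in rescue or safe mode")
        return entries, findings
    for raw in user_list.split(","):
        entry = raw.strip()
        kind = classify(entry)
        entries.append((entry, kind))
        if kind == "wildcard":
            findings.append("WILDCARD: every AD user skips MFA in rescue mode")
        elif kind == "invalid":
            findings.append(f"INVALID: {entry!r}")
    return entries, findings

# Constructed sample input: the page's example list plus a wildcard.
SAMPLE = "joe, janedoe, user1, user2@domain.com, *"

if __name__ == "__main__":
    for line in review(True, SAMPLE, False)[1] + review(False, "", True)[1]:
        print(line)
```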