This configuration parameter specifies a list of Active Directory users who can log on to computers in a classic zone or an Auto Zone when multi-factor authentication is required, but the agent cannot connect to the Centrify cloud service. You should specify at least one user account for this parameter to ensure that someone can access the computers in the event that multi-factor authentication is required but not available.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy, or to temporarily override group policy.

You can separate each user by a space or a comma and you can use double quotes or escape characters to include spaces or special characters in user names.

For example, to specify that the user amy.adams can log on to a computer in an Auto Zone if she is required but unable to authenticate using multi-factor authentication, you would define the parameter value in the following way:

adclient.legacyzone.mfa.rescue.users: amy.adams

Supported user name formats

You can specify users by name or you can list the user names in a file in the following formats:

  • SAM account name: sAMAccountName
  • SAM account name of a user in a different domain: sAMAccountName@domain
  • User Principal Name: name@domain
  • Canonical Name: domain/container/cn
  • Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
  • An asterisk (*), which includes all Active Directory users.

Specifying the parameter value in a separate file

To specify a file that contains a list of Active Directory user names, you can set the parameter value using the file: keyword and a file location. For example:

adclient.legacyzone.mfa.rescue.users: file:/etc/centrifydc/legacy_user_users_mfa.rescue

In the /etc/centrifydc/legacy_user_users_mfa.rescue file, you would type each user name on its own line using any of the supported name formats. For example:
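The following Python script is an added example, not Centrify's own code, that applies the rules described above to audit the parameter: it extracts the value from a centrifydc.conf-style text, splits an inline value into entries (space or comma separators, double quotes and backslash escapes are handled with shlex, which is an assumption about the exact escaping rules the agent applies), resolves a file: value by reading one name per line, classifies each entry against the supported name formats, and reports the two conditions a reviewer would want flagged: an empty list (nobody can log on when multi-factor authentication is required but the cloud service is unreachable) and the asterisk wildcard (every Active Directory user becomes a rescue user). The configuration text, file contents and function names are constructed for the example; the read_file hook exists so the file: case can be exercised without touching disk.

```python
"""Audit helper for adclient.legacyzone.mfa.rescue.users (added example, not Centrify code).

Assumptions not stated on the page: entries are tokenised like a POSIX shell
word list where whitespace and commas separate entries, double quotes group,
and a backslash escapes the next character; blank lines in a file: list are
ignored.
"""
import re
import shlex
from pathlib import Path
from typing import Callable, Dict, List

PARAM = "adclient.legacyzone.mfa.rescue.users"

# Supported name formats, matched most specific first. "name@domain" covers both
# a UPN and sAMAccountName@domain: they are syntactically identical, so telling
# them apart would need a directory lookup.
_FORMATS = [
    ("wildcard", re.compile(r"^\*$")),
    ("full DN", re.compile(r"^CN=[^,]+(?:,(?:OU|CN)=[^,]+)*(?:,DC=[^,]+)+$", re.IGNORECASE)),
    ("canonical name", re.compile(r"^[^/@]+/[^@]+$")),
    ("name@domain", re.compile(r"^[^@/]+@[^@/\s]+$")),
    ("sAMAccountName", re.compile(r"^[^@/=]+$")),
]


def extract_value(conf_text: str) -> str:
    """Return the raw value of the parameter from configuration-file text ('' if absent)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")  # first ':' only, so file:/path survives
        if sep and key.strip() == PARAM:
            return value.strip()
    return ""


def split_entries(value: str) -> List[str]:
    """Split an inline value on spaces or commas, honouring quotes and escapes."""
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace_split = True
    lexer.whitespace = " \t\r\n,"  # commas separate entries just like whitespace
    return list(lexer)


def load_entries(value: str,
                 read_file: Callable[[str], str] = lambda p: Path(p).read_text()) -> List[str]:
    """Resolve a file: value to the names listed one per line; otherwise split inline."""
    value = value.strip()
    if value.startswith("file:"):
        text = read_file(value[len("file:"):])
        return [line.strip() for line in text.splitlines() if line.strip()]
    return split_entries(value)


def classify(entry: str) -> str:
    """Name the supported format an entry matches, or 'unrecognised'."""
    for name, pattern in _FORMATS:
        if pattern.match(entry):
            return name
    return "unrecognised"


def audit(value: str,
          read_file: Callable[[str], str] = lambda p: Path(p).read_text()) -> Dict[str, object]:
    """Classify every rescue user and collect findings a reviewer should act on."""
    entries = load_entries(value, read_file)
    formats = {entry: classify(entry) for entry in entries}
    findings: List[str] = []
    if not entries:
        findings.append("no rescue users defined: nobody can log on if MFA is required "
                        "but the Centrify cloud service is unreachable")
    if "wildcard" in formats.values():
        findings.append("'*' makes every Active Directory user a rescue user; "
                        "restrict the list to named accounts")
    for entry, fmt in formats.items():
        if fmt == "unrecognised":
            findings.append(f"entry {entry!r} matches no supported name format")
    return {"entries": entries, "formats": formats, "findings": findings}


if __name__ == "__main__":
    # Constructed configuration text; the file name is the one the page uses.
    conf = ("# constructed centrifydc.conf excerpt\n"
            "adclient.legacyzone.mfa.rescue.users: file:/etc/centrifydc/legacy_user_users_mfa.rescue\n")
    # Constructed file contents, one name per line in several supported formats.
    fake_file = ("amy.adams\n"
                 "CN=Amy Adams,OU=Users,DC=example,DC=com\n"
                 "*\n")
    result = audit(extract_value(conf), read_file=lambda _path: fake_file)
    for entry, fmt in result["formats"].items():
        print(f"{fmt:15} {entry}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```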