Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Exception groups
Exception groups are Active Directory groups that you create, whose members are exempted from this option. Users in these groups can log in using their AD user name and password, if necessary. The purpose of creating exception groups is to allow users who regularly use a smart card for login, but don’t have it with them, to temporarily log in with a user name and password.
You create a group in Active Directory and add the user accounts that will be able to log in to their computers without a smart card. After enabling the policy, click Add and enter the name of the group or click Browse and enter search criteria to find it. You can add multiple exception groups if you wish.
The computer must be in connected mode for any group membership changes to take effect immediately.
Note: “Smart card is required for interactive logon” should be disabled in user account settings in order for the exception group to work.
A smart-card user who is a member of an exception group may see the following prompt at some point after logging in with an Active Directory user name and password, “The system was unable to unlock your login keychain”, because the login keychain is locked with the smartcard PIN and cannot be unlocked with a user name and password. If adding the user to the exception group is temporary, the user should click "Continue Log In" and enter the smartcard PIN when prompted with “Security wants to use the 'login' keychain.”