Hey, thanks for the reply. The number 12 was arbitrary, just tossed out for grins. The Administrator account has 4 phone numbers, as 4 of us use that credential.

I have 5 other users that must logon to a few individual servers, a couple contractors and a few users in my org that manage an application here or there. These users do not use the administrator logon, but either their personal username or a service account.

Is there a way to create a group, then apply that group to a specific server and only allow the users in that group to logon to that one server?

Yep, for that you can:

1. create a group in Duo
2. put Duo users into that group
3. Have unique Duo applications for your servers (so like, for Windows, create a unique Microsoft RDP application for each server and perform the Duo for Windows Logon install on each server using the distinct application info).
4. Apply the group which you want to be able to log in with Duo to the Microsoft RDP application used on that server in the Permitted groups setting.
5. Users in that Duo group can log in with Duo, and users not in that Duo group receive an error telling them they don’t have access.

See Using Groups to Manage Application Access.

Well, some good and bad here.

1. I protected another app, and selected Microsoft RDP. Duo protected the app, and it was named RDP1, as there was already one called RDP.
2. In RDP1, I scrolled down and selected “Only allow authentication from users in certain groups”, and I selected my new group that contained a few different users, and saved.
3. I installed the executable on my test server, and entered the Installation and Secret Keys for RDP1.
   However…
4. When logging on, Duo does not display the group members, it still shows the 4 users from the original RDP. My first thought was, I didn’t use the new keys I just generated. I verified I copied the correct keys by comparing them to the keys shown in RDP1. They are correct.
5. On the server, I uninstalled and reinstalled the executable, and made absolutely certain I used the new keys generated for RDP1. Upon logging on I am still seeing the 4 users from RDP, and none of the users from the new group.
6. I checked the registry on the server, and the new keys I just generated were there as expected.

Do you have any idea what I did wrong? The process is very straightforward, just select the check box to use the group and select the group you want to use. But it doesn’t seem to work on the server.

I am not sure what you mean by “see the four users”.

The Duo Authentication for Windows Logon screen will show the authentication devices attached to a single Duo user. The authentication devices may physically belong to different humans but they would be logically associated with a single user in Duo.

Are you talking about… login tiles shown on the Windows desktop? Like this?

This isn’t controlled by Duo at all and no change to permitted groups on a Duo app would change what Windows shows before a user logs on to the system.

The Duo permitted groups restriction (and Duo authentication itself) comes into play after a user has submitted a primary username and password with success.

To reference the networking diagram shown on the Duo RDP instructions page:

Thanks for trying Duo!