05-20-2021 02:09 PM
Is it possible to roll out protection for all endpoints but only prompt for Duo when users login with an admin account? (domain admin, IT support desk, etc…)?
05-21-2021 12:03 PM
Hi @TravisJ,
I think you can accomplish what you’re after using Duo Group Policy, depending on which edition of Duo you are using today. You’ll need to be on at least Duo MFA edition to make use of Policy Enforcement. Please refer to our documentation for Duo Authentication for Windows Logon (RDP) Active Directory Group Policy here.
You can set up a Group Policy for the roles you would like to prompt for Duo 2FA while bypassing all other users. Read how to do that in the help article here: https://help.duo.com/s/article/3888
Our Policy & Control documentation and Duo Policy Guide may also be useful for you to check out.
05-24-2021 12:40 PM
Thank you! That’s exactly what I needed.
06-29-2022 02:22 PM
What we want to happen:
We want to allow all users to RDP into the system and not have DUO pop up unless they are in one of the configured OU Groups we defined. We do want all users with Admin rights from the defined groups to have to use DUO in order to get in.
Issue we are having:
everything works as planned but with one caveat. If an user has local admin rights on a server but they are not in one of the configured OU groups, they gain access without using DUO. Is there any way for DUO to check servers for local admin accounts and force them to use DUO to gain access even if they are not in a defined group?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide