
Using Duo with elevated rights in Active Directory for RSAT commands

kacrayton80
Beginner

Does Duo support user “run-as” and RSAT commands in AD with elevated rights? If so, are there instructions on how to set this up?

I am looking to support Active Directory Administrators with MFA for when they use administrative tools with their Server Admin account or running commands using run as and their AD admin accounts.

3 Replies

DuoKristina
Cisco Employee

This FAQ item may answer your question:

What logon interfaces can Duo protect?

Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and credentialed UAC elevation prompts (e.g. Right-click + “Run as administrator”).

Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:

  • Shift + right-click “Run as different user”
  • PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
  • Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
  • Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
  • RDP Restricted Admin Mode

Enabling UAC elevation protection is a checkbox in the Duo installer, described in step 6 here:


So, if your admin users have RSAT tools installed locally, and launch a tool like ADUC as an administrator (vs as a different user), there could be a Duo prompt on elevation.

Duo, not DUO.

RT1978
Beginner

Thanks for this information, it's exactly what we were looking for. 

I have a question:  We want to configure this on a large number of PCs.  Can the installation be configured to select specific check boxes shown above without touching each PC?  Something like a config file, with the options pre-specified that would be selected during the installation. Thanks in advance.

Yes, you can do it with GPO. Here's the guide from Duo with the resources needed to do it.

https://duo.com/docs/winlogon-gpo
