In the initial stage of deploying MFA for computer logon across your entire domain and user base, you might not want to enfore MFA on all user accounts on day one. Instead, you might consider to enforce MFA gradually across your user base, in stages. To do so, you need to create a special user group in AD and a couple of logon policies in DualShield. For the simplicty of this guide, let's call this AD group as DualShield MFA group.
The strategy is that MFA will only be enforced on users who are a member of the DualShield MFA group. All other domain users will be able to continue to login into the domain with password only.
The first step is to create the DualShield MFA group in your AD server.
Then, create the following 2 logon policies in your DualShield server:
For the general guide of creating a logon policy, expand the link below
| Expand |
|---|
| title | How to create a logon policy |
|---|
|
| Include Page |
|---|
| Create a logon policy |
|---|
| Create a logon policy |
|---|
|
|
Domain Logon Policy
| Section |
|---|
| Column |
|---|
|  Image Added
|
| Column |
|---|
| Option | Value |
|---|
| Category: | Logon | | Holder: | Domain | | Domain: | Select your AD domain | | Name: | Describe the purpose of this policy | | Apply policy to these applications: | Select the application that this policy will be applied to | | Authentication: | Select "Multi-factor authentication is not required for all users" |
|
|
Group Logon Policy
| Section |
|---|
| Column |
|---|
|  Image Added
|
| Column |
|---|
| Option | Value |
|---|
| Category: | Logon | | Holder: | Group | | Domain: | Select your AD domain | | Group | Select the DualShield MFA group | | Name: | Describe the purpose of this policy | | Apply policy to these applications: | Select the application that this policy will be applied to | | Authentication: | Select "Multi-factor authentication is not required for all users" |
|
|
Image Added