In addition to the Override Password, the AuthAnvil Windows Logon Agents offer another mechanism for controlling which users need two-factor authentication to log onto the system; the Override Group. The Override Group is either an Active Directory or a local group that is defined on a per-machine basis. The members of this group are allowed to log on without providing an AuthAnvil passcode. This means that you can use different groups for every machine if you want to. One thing to keep in mind is that if a machine is domain joined, it will use an Active Directory group, otherwise, it will use a local group. This is to prevent someone with local admin access from defining a local override group on a domain joined system and creating themselves a back door into the network. Also, Override Group members must be direct members, no group nesting allowed!
One common usage of Override Groups is to provide an outside user temporary access to a system. Most commonly, if a vendor or contractor needs to do some work on a recurring but sporadic basis, and you don’t want to issue them a token, their user account can be added to the override group during the times that they need access to the network. This way, you can allow them temporary, recurring access to the network, without having to issue them a token or give out the override password, as well as having logging information from every time they access a system.
Like Override Passwords, Override Groups provide an audit trail, writing event ID 7 to the Application event log any time a member logs in. This can be monitored either by your favorite RMM tool, or by triggering an action every time the event happens in Windows Server 2008 or later. This way you’ll know every time a member has logged in.
Today’s best practice is: use Override Groups to effectively manage who can log on without a token. Monitor their use, membership changes and tampering with the Logon Agent using our management packs for your favorite RMM tool, such asKaseya or LabTech.
If you don’t have an RMM tool available, or are using one that we haven’t built a management pack for yet, you can audit changes to the security group by:
- Enable Security Auditing. A screencast on configuring security auditing can be found at:http://silverstr.ufies.org/AccountAuditing/AccountAuditing.htm.
- Watch the event log for the group member added and group member removed events for your override group.
Windows Server 2003
| Event Source | Event ID | Event Type | Quick Description |
| Security | 632 | Success Audit | Global Group Member Added |
| Security | 633 | Success Audit | Global Group Member Removed |
| Security | 636 | Success Audit | Local Group Member Added |
| Security | 637 | Success Audit | Local Group Member Removed |
| Security | 660 | Success Audit | Universal Group Member Added |
| Security | 661 | Success Audit | Universal Group Member Removed |
Windows Server 2008 and later
| Event Source | Event ID | Event Type | Quick Description |
| Microsoft Windows security auditing. | 4728 | Success Audit | Global Group Member Added |
| Microsoft Windows security auditing. | 4729 | Success Audit | Global Group Member Removed |
| Microsoft Windows security auditing. | 4732 | Success Audit | Local Group Member Added |
| Microsoft Windows security auditing. | 4733 | Success Audit | Local Group Member Removed |
| Microsoft Windows security auditing. | 4756 | Success Audit | Universal Group Member Added |
| Microsoft Windows security auditing. | 4757 | Success Audit | Universal Group Member Removed |
Make good use of override groups, they’re a powerful tool, and can save you quite a bit of hassle.
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.