How do I allow local users to log on to a domain joined system without using an AuthAnvil passcode?

On domain joined systems, the AuthAnvil Windows Logon Agent checks membership against domain groups. Local users cannot be added to the override group, so they cannot log in without a token. As a workaround, you can toggle the logon agent's behavior so that only members of the override group need to log on using a token, and all other users, including local users, can log on without providing an AuthAnvil credential. For portable machines, or other machines that will not always be in contact with a domain controller, the machine just needs to complete a successful authentication against a domain controller so that it can cache the group membership.

Note: To mitigate the security risk, make sure that all users who need to use tokens are members of the override group, as any user who is not will be able to authenticate with just a Windows username and password.

To toggle the override group functionality, set the registry key HKLM\SOFTWARE\Scorpion Software\AuthAnvilLogon\OverrideGroupRequires2FA to 0 for the default behavior, or to 1 to force members of the Override Group to log on using a token.
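The following PowerShell audit is an added example, not AuthAnvil code. It reads the setting described above and, when the toggled mode is active, lists accounts that should use a token but are missing from the override group. It assumes OverrideGroupRequires2FA is a value stored under the AuthAnvilLogon key; the group name is a placeholder, the user list is constructed sample input, and Get-ADGroupMember requires the ActiveDirectory module.

```powershell
# Added example, not vendor code. Assumptions are marked ASSUMPTION.
# ASSUMPTION: OverrideGroupRequires2FA is a value under the AuthAnvilLogon key.
$KeyPath   = 'HKLM:\SOFTWARE\Scorpion Software\AuthAnvilLogon'
$ValueName = 'OverrideGroupRequires2FA'

function Get-OverrideMode {
    # Report which behavior the logon agent is configured for on this machine.
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    switch ([string]$item.$Name) {
        '0'     { 'default' }
        '1'     { 'override group requires token' }
        default { "unexpected value: $($item.$Name)" }
    }
}

function Get-UsersMissingFromOverrideGroup {
    # Return accounts that must use a token but are not in the group.
    # -notin compares case-insensitively, matching Windows account names.
    param([string[]]$MustUseToken, [string[]]$GroupMembers)
    $MustUseToken | Where-Object { $_ -notin $GroupMembers }
}

# Constructed sample input: accounts your policy says must use a token.
$mustUseToken  = @('alice', 'bob', 'svc-backup')
# ASSUMPTION: placeholder; substitute the override group you configured.
$overrideGroup = '<override-group-name>'

$mode = Get-OverrideMode
Write-Output "Logon agent override mode: $mode"

if ($mode -eq 'override group requires token') {
    if (-not (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue)) {
        Write-Warning 'ActiveDirectory module not available; cannot read group membership.'
        return
    }
    # Direct members only; the page does not say whether nested groups count.
    $members = Get-ADGroupMember -Identity $overrideGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    $gaps = Get-UsersMissingFromOverrideGroup -MustUseToken $mustUseToken -GroupMembers $members
    foreach ($user in $gaps) {
        Write-Warning "$user is not in the override group and can log on with a password only."
    }
    if (-not $gaps) { Write-Output 'All listed accounts are in the override group.' }
}
```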



If you have any questions or need some help, we would be happy to assist. Open a case at or send an email to
