When you deploy an agent, you specify whether the agent is unrestricted or restricted.
Unrestricted agents. Unrestricted agents process all authentication requests from all users in the same deployment as the agent.
However, to allow a user to authenticate with a logon alias, the user must belong to a user group that is associated with the logon alias and that is enabled on the unrestricted agent.
Restricted agents. Restricted agents process authentication requests only from users who are members of user groups that have been granted access to the agent. Users who are not members of a permitted user group cannot use the restricted agent to authenticate. Resources protected by restricted agents are considered to be more secure because they process requests only from a subset of users.