I could use documentation on how to do this. This is a small AD environment, not a large enterprise sized domain.
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
You want Authentication Agent for Windows
installed on user PC's, or windows servers, or on the DC's, or some combination.
Set it up on a test machine and work though the settings... all the major settings are handled by GPO. In a single machine the agent will install local GPO that are accessible with gpedit.msc. You can also install GPO's on DC's and push them down to domain member computers.
force a user to need a securid token to get on the desktop, based on what group the userid is in, and how you set challenge options
-all users, no users, all users in a group (or nested groups), all users not in a group (or nested groups)
More advanced functions (optional):
a) agent autoregistration
If this is a laptop that uses DCHP it can automatically track and update the RSA server with IP address changes. It also allows new agent installs to punch themselves into the RSA server config without an admin needing to access security console. Great for blasting out hundreds of agents, and minimizes admin overhead.
b) offline authentication
The agent can download several days worth of future tokencodes in encrypted files. Users can still get on the desktop if the agent detects there are no RSA servers available (such as at home, or no company VPN connection) and will then compare the token code typed in, to the stored codes, and if there is a match, user logs in.
Great for road warriors who need to use laptops all the time, and most of that time are on networks where no 'home' RSA servers are available.
c) windows password integration
When online and RSA server is reachable, when a user logs in and uses the windows password after the token was used, the agent will capture the password and store a hashed copy on the RSA server. Next time the user logs in, and the token was used, the agent will silently fetch the stored password and replay it to Microsoft login, and if it matches, the user doesn't need to type out the windows password, the agent did it behind the scenes. If there is a problem with this, the agent will allow Microsoft to prompt for the password...or if password needs to be changed it allows Microsoft to prompt for it. Once the password is used and it allows login, the agent again tries to store a copy for the next time. This is simply a convenience...saves the user from typing it all the time.
Install and admin docs are in the agent downloads.
This youtube video
shows agent GPO settings overview. This video is for version 7.2.x the current version is 18.104.22.168 and there are some differences in the initial logon tiles and screens (since this video was produced Microsoft changed credential providers from V1 to V2**) so do not worry if the video doesn't exactly match the agent 22.214.171.124. The GPO settings are the same (with some added features in 126.96.36.199)
**–First introduced in Vista / Server 2008 (v1) [older agent 7.2 in the video]
**–Updated in Windows 8 / Server 2012 (v2) [latest agent to use now, 7.4.2.x]
Retrieving data ...