We want to set up RSA Agent for Windows to challenge all users except those in a group.
If we specify the group as a local group on the machine, are there restrictions over what it can contain? We want it to contain a mix of local accounts and AD accounts (or maybe an AD group that contains a list of accounts).
I noticed in an earlier question (https://community.rsa.com/message/923459?commentID=923459#comment-923459) there was mention of some restrictions on nesting groups, so just wondered what these are.
One option, if you have two different Domains (not in the same forest), is to include one group from each Domain in the Local group. You would need a two-way trust between the two AD Domains that are not in the same forest, and you could manage the users where they are from:
- local users in the local group
- Domain Users in the Domain Group; in this case two Domain groups, one from each Domain.
It is the Local Windows agent that does the Domain lookups. Be careful about nesting other Domain groups in your top-level domain group that you include in your local challenge group: if the lookup fails, then you have to choose a programmatic default, i.e. fail close (challenge) or fail open (no challenge). The Default is fail close.
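As an added example (not from this thread and not RSA's own tooling), the following PowerShell builds the local exemption group the answer describes, local accounts plus one AD group per trusted domain, and then checks that every member SID still translates to an account name, since a member the machine cannot resolve is the lookup failure that would leave the agent on its fail-close default. The group, account and domain names are constructed placeholders.

```powershell
# Hypothetical local group the RSA agent would be pointed at; rename to suit.
$GroupName     = 'SecurIDNoChallenge'
$LocalMembers  = @('svc_backup', 'localadmin')                 # constructed local accounts
$DomainMembers = @('CORP\NoChallenge-Users',                   # constructed: one group from
                   'PARTNER\NoChallenge-Users')                # each trusted domain

# Create the local group once (LocalAccounts module, Windows 10 / Server 2016+).
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Accounts exempt from SecurID challenge' | Out-Null
}

# Add members; a failure here already means the name could not be resolved
# (no trust, typo) or the principal is already a member.
foreach ($m in $LocalMembers + $DomainMembers) {
    try   { Add-LocalGroupMember -Group $GroupName -Member $m -ErrorAction Stop }
    catch { Write-Warning "Could not add '$m': $($_.Exception.Message)" }
}

# Pre-deployment check: enumerate the group via ADSI (tolerates orphaned SIDs,
# which Get-LocalGroupMember may choke on) and translate each SID to a name.
function Test-ChallengeGroupResolution {
    param([string]$Group)
    $unresolved = @()
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($entry in $grp.Invoke('Members')) {
        $path  = $entry.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $entry, $null)
        $bytes = $entry.GetType().InvokeMember('objectSid', 'GetProperty', $null, $entry, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
        catch { $unresolved += "$path ($($sid.Value))" }
    }
    return $unresolved   # empty means every member resolved on this host
}

$bad = Test-ChallengeGroupResolution -Group $GroupName
if ($bad.Count -gt 0) {
    Write-Warning "Members that do not resolve here (agent lookup would fail):"
    $bad | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All members of $GroupName resolve on $env:COMPUTERNAME."
}
```

Run it on the agent host itself, as a local administrator, because the resolution result depends on that machine's trusts, not on the domain controller's view.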