Using Duo with elevated rights in Active Directory for RSAT commands

kacrayton80 · ‎12-21-2022

Does Duo support user “run-as” and RSAT commands in AD with elevated rights? If so, are there instructions on how to set this up.

I am looking to support Active Directory Administrators with MFA for when they use administrative tools with their Server Admin account or running commands using run as and their AD admin accounts.

DuoKristina · ‎01-04-2023

This FAQ item may answer your question:

What logon interfaces can Duo protect?

Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and credentialed UAC elevation prompts (e.g. Right-click + “Run as administrator”).

Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:

Shift + right-click “Run as different user”

PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets

Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)

Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN

RDP Restricted Admin Mode

Enabling UAC elevation protection is a checkbox in the Duo installer, described in step 6 here:

So, if your admin uses have RSAT tools installed locally, and launch a tool like ADUC as an administrator (vs as a different user), there could be a Duo prompt on elevation.

Duo, not DUO.

RT1978 · ‎01-24-2024

Thanks for this information, it's exactly what we were looking for.

I have a question: We want to configure this on a large number of PCs. Can the installation be configured to select specific check boxes shown above without touching each PC? Something like a config file, with the options pre-specified that would be selected during the installation. Thanks in advance.

raulgc · ‎02-01-2024

Yes you can do it with gpo. Here's the guide from duo with the resources needed to do it.

https://duo.com/docs/winlogon-gpo