This article discusses excluding users/groups from 2FA in the FortiAuthenticator Windows Agent.
FortiAuthenticator Windows Agent.
When excluding users/groups in the FortiAuthenticator Windows Agent, there are considerations to follow in addition to the documentation on how to exempt users/groups at the following link:
If the exempt group option is used, then after a user is added to the exempt group on the LDAP side, the server where the FortiAuthenticator Agent is installed may need to be restarted so that it has fresh group memberships.
It is always possible to check the group membership on the Windows server in CMD with the command:
There is also the option to cache user groups under Exempt Users. User groups are then saved locally on the FortiAuthenticator Agent for the number of days selected under the option.
The option is disabled by default. A value of '0' days can also be chosen, which means that groups are cached for an unlimited time.