ManageEngine ADSelfService Plus buyer's guide

Introduction


Your all-in-one ADSelfService Plus handbook


Password security today

The world has quickly adopted the hybrid working model and moved to cloud-based services, which is great news for workplace flexibility. However, this shift also brings a host of password management hurdles and password security loopholes. These loopholes are being exploited by threat actors, and matters aren't helped by the fact that many people still use weak and compromised passwords. Since passwords are the first line of defense against threat actors, an organization's security is only as strong as its weakest password. Thus, it is imperative for an organization to take its password security seriously.

The need for better password management solutions

Native password management tools are not capable of handling the demands of today's world. Today, we need more granular control, easier access to our services, and security hardening on a case by case basis. This is why organizations rely on password management and security solutions to take care of their passwords. These solutions help organizations not only harden their password security measures, but also allow for easy password management with functionalities such as remote password self-service and single sign-on for applications. These functionalities help an organization build a strong and hassle-free password framework.

What is ADSelfService Plus?

ADSelfService Plus is an integrated self-service password management and single sign-on (SSO) solution for on-premises and cloud applications. It bolsters an organization's password framework with self-service password reset and account unlock, endpoint and VPN multi-factor authentication (MFA), SSO to enterprise applications, Active Directory (AD)-based multi-platform password synchronization, password expiration notification, and a password policy enforcer.

Why should I consider ADSelfService Plus?

What ADSelfService Plus offers

Any organization that's serious about its password security should have its key processes implemented. Here's how ADSelfService Plus can help meet the demands of your organization:

What you're on the lookout for, and how ADSelfService Plus can help:

Secure authentication

  • Secure access to machine (Windows, macOS, and Linux OS), VPN, and OWA logins with MFA.
  • Regulate enterprise application access via single sign-on (SSO) with advanced authenticators including biometrics or RSA SecurID.

Remote password self-service

  • Enable users to perform self-service password reset (SSPR) and self-service account unlock only after they prove their identity via the enforced authenticators.
  • Secure cached credential updates via VPN during remote password resets.

Strong password policy enforcement

  • Enforce strong user passwords by requiring special characters and blacklisting dictionary words and patterns.
  • Prevent users from using previous passwords during password resets.

With ADSelfService Plus, you can also implement the following five capabilities that Gartner considers critical for an IAM framework.

Gartner recommended critical IAM capabilities in ADSelfService Plus

  • User authentication methods: Avoid impersonation attacks using biometrics and other advanced authentication methods. Step up your security by implementing MFA to access endpoints and applications.
  • Adaptive authentication: Enforce risk-based adaptive authentication using factors such as user location, IP address, time of previous logon, or device footprint.
  • SaaS application enablement: Set up SAML 2.0-based SSO for hundreds of enterprise SaaS applications, like Salesforce, ServiceNow, and Slack.
  • Approval-based workflows*: Build purpose-oriented business workflows. Create the required levels of approval by including the rights of the stakeholders. Define the approval flows for business processes, such as user account creation, modification, or permissions management.

How will ADSelfService Plus benefit me?

ADSelfService Plus comes packed with functionalities that go beyond native capabilities. Here's a list of what the solution can do, and what you get with each functionality:

Self-service password reset and account unlock

Enables users to reset their forgotten AD domain passwords and unlock their locked out accounts without admin intervention. Users can reset their password from:

  • A web browser using the ADSelfService Plus user portal.
  • The logon screens of Windows, macOS, and Linux machines using the ADSelfService Plus login agent.
  • A mobile device using the ADSelfService Plus mobile app or mobile browser portal.

What you get:

  • Empowers users to reset their passwords and unlock their accounts, reducing the number of help desk tickets and unburdening help desk personnel. It also improves user productivity, as passwords can be reset and accounts can be unlocked swiftly.

Enterprise single sign-on

  • Reduce the number of logins performed by the user by enabling enterprise SSO for Security Assertion Markup Language (SAML) applications like Google Workspace, Microsoft 365, and Salesforce.

What you get:

  • Users can use a single password to log in to and access multiple enterprise applications. This makes handling application accounts easier for them.

Password synchronization

  • This feature allows users to synchronize their AD domain password across their user accounts in integrated on-premises and cloud applications like Microsoft SQL Server, ADFS, Microsoft 365, Google Workspace, and Salesforce.

What you get:

  • Any change to the domain password is reflected across the integrated applications as well.

Multi-factor authentication

MFA improves security through additional layers of identity verification along with the existing credential-based authentication. ADSelfService Plus implements additional identity verification steps for the following:

  • Self-service password reset and account unlock
  • Local and remote machine (Windows, macOS, and Linux), and VPN logins.
  • SSO for enterprise applications.
  • ADSelfService Plus portal logins.

The product supports up to 18 authentication techniques including biometrics, Google Authenticator, Microsoft Authenticator, time-based one-time password (TOTP), and Security Questions and Answers.

What you get:

  • Even if attackers misappropriate users' credentials, they still need to complete the successive stages of authentication to gain access to the resource, rendering the exposed passwords useless.

Password expiration notification

  • Password expiration notifications can be sent through email and SMS, or as push notifications. The product allows sending multiple reminder notifications on specific days leading to the expiration.

What you get:

  • Notify users about their impending domain password expiration and remind them to change their passwords before they lose access to their machines.

Password policy enforcer

Advanced password policy controls can be set for an organization in addition to the native domain and fine-grained password policies offered by AD. These advanced password policies can be used to set password controls that are not available in the native policies, like:

  • Mandatory inclusion of Unicode characters.
  • Restriction of character repetition and of consecutive characters from usernames and old passwords.
  • Restriction on the usage of weak passwords, dictionary words, and palindromes.

What you get:

  • Users can be required to adhere to these policies strictly, thereby preventing them from setting weak passwords that may jeopardize the security of an organization.

Conditional access

  • Automate access decisions to organizational resources using risk factors such as IP address, time of access, the device used, and the user's geolocation.

What you get:

  • IT admins can set pre-defined conditions based on these risk factors that provide users with complete and unrestricted access, limited access, or no access to the resource.

Self-service directory update

  • Allow users to update their AD profile information like email address and mobile number without IT admin intervention. IT admins can also create modification rules that auto-populate values for certain attributes based on other attribute values provided.

What you get:

  • This helps decrease the help desk workload while improving user productivity.

Employee directory search and organization chart

  • Allow users to search for information on other users (users, contacts, and groups) in the organization, and view the Organization Chart that displays all the employees in the organizational hierarchy.

What you get:

  • This helps users discover details about other users from a single portal.

Mail group subscription

  • Provide users with the ability to subscribe themselves to organizational email groups.

What you get:

  • This lets users get access to the email groups they need without help desk assistance.

What do I get with each edition of ADSelfService Plus?

ADSelfService Plus is available in three editions: Free, Standard, and Professional. Here's what you get with each edition:

Standard

  • Web-based Self-Service Password Reset and Account Unlock
  • Password Expiry Notifier
  • Password Policy Enforcer
  • Real-time Password Synchronizer
  • Password Reset Using iOS and Android App as well as Mobile Browser
  • Self-Service Directory Update, Employee Search, Organization Chart, and Mail Group Subscription
  • Starts at $595 for 500 domain users

Professional

Includes everything in the Standard edition, and:

  • Password Reset from Windows, macOS, and Linux login screens
  • MFA for Windows, macOS, and Linux machine logons
  • MFA for VPN logons
  • MFA for OWA logons
  • Cached Credentials Update for Remote Password Reset
  • Password Policy Enforcement in Windows Change Password Screen and ADUC
  • Starts at $1195 for 500 domain users

Free (for up to 50 domain users)

Supports all functionalities in the Professional edition:

  • Password Self-Service
  • Directory Self-Service
  • Cloud Applications SSO & Password Sync

What your peers say about ADSelfService Plus

“Now users do not have to travel to the office to perform Active Directory Password Reset. Helpdesk calls related to password reset have been reduced by 100%.”

Piergiuseppe Delfino
CIO at AUBAY SpA, Italy

"Other options were requiring a modification of the Active Directory schema, I liked that ADSelfService Plus did not. The ability to ‘brand’ the tool to our School was also important"

Robert Peterson
Technical Support Manager, The Principia

"The deployment is very simple, which makes it nearly fun. We didn’t find any other software which is that fast in deployment like ADSelfService Plus. The instructions are clear and straightforward; the support is working great."

Matthias Ziolek
Manager, Landratsamt Schwarzwald-Baar-Kreis

What is the architecture of ADSelfService Plus?

ADSelfService Plus's components

There are four components that are required to run ADSelfService Plus:

  1. Server
  2. Database
  3. AD integration
  4. ADSelfService Plus web portal

Server

The server is where ADSelfService Plus is installed, and it can be a member server or a domain controller. In case you are configuring a high availability environment, you will need a primary server and a secondary server. Both servers need to have ADSelfService Plus installed.

To enable load balancing, a primary server and one or more secondary servers have to be configured. All the servers need to have ADSelfService Plus installed.

Database

ADSelfService Plus uses a database to store information like Active Directory (AD) attribute details, audit data, product configuration data, enrollment data, etc. The product comes with a built-in PostgreSQL database. You can also use a standalone MS SQL database or PostgreSQL database.

Integration with Active Directory

AD forms the cornerstone of ADSelfService Plus. Scheduled synchronization of data between ADSelfService Plus and AD is necessary to allow the IT administrators to create various self-service policies and apply them to organizational units (OUs) and groups, install the login agent on domain computers, and configure various features and settings from within the product's portal. Synchronization with AD is also necessary for end users to perform the various self-service actions.

ADSelfService Plus web portal

There are two kinds of ADSelfService Plus web portals:

Admin portal: The admin portal lets the IT administrator of the solution configure domain and connection settings (SSL, proxy server, etc.), create and apply various policies, deploy MFA, integrate on-premises and cloud applications with password sync and SSO, and do much more.

User portal: The user portal lets the users enroll themselves in ADSelfService Plus, perform the various self-service actions, search for employees, view the organization chart, etc.

Optional components

ADSelfService Plus login agent

  • The ADSelfService Plus login agent is software which, when installed on Windows, macOS, and Linux domain computers, provides users with the option to reset Active Directory passwords and unlock accounts from their login screen. Installing the login agent also enables endpoint MFA for Windows, macOS, and Linux logons.
  • The login agent can either be pushed onto the client computers using the admin portal, Active Directory GPOs, Microsoft System Center Configuration Manager (SCCM), third-party endpoint management solutions like ManageEngine Desktop Central, or be installed manually.

ADSelfService Plus password sync agent

  • The ADSelfService Plus password sync agent synchronizes native password changes (password changes using the Ctrl+Alt+Del option, and password resets using the Active Directory Users and Computers console) across all the enterprise applications that are integrated with ADSelfService Plus for password synchronization. It is also used to enforce the customized password policy created in ADSelfService Plus during these native password changes. The Password Sync Agent has to be installed on all the domain controllers in a configured domain.

ADSelfService Plus mobile application

The ADSelfService Plus mobile app lets domain users perform AD password resets and account unlocks using their mobile device. It enables users to enroll themselves for certain MFA methods. The mobile app is also used to receive push notifications for:

  • Notifying users upon successful completion of self-service actions
  • Informing users of impending password and account expiration
  • Distributing enrollment reminders

With the app, users can also authenticate themselves using an MFA method such as time-based one-time passcodes, push notifications, fingerprint, and QR codes. The mobile app can be either manually installed by users or pushed to mobile devices by the IT administrator.

Integrate with enterprise applications

  • Through password synchronization and single sign-on, ADSelfService Plus integrates with various enterprise applications such as Google Workspace, Salesforce, Microsoft 365 (formerly Office 365), and Dropbox. When password synchronization is enabled, any change to users' domain passwords is synchronized across all the integrated applications, enabling the user to access all of them with a single password. In the case of SSO, if the user has logged into their ADSelfService Plus account, they are automatically logged into these cloud applications without having to furnish their user credentials.

VPN server and Network Policy Server

  • To secure your VPNs using ADSelfService Plus' MFA feature, the VPN server should use a Windows Network Policy Server (NPS) to configure RADIUS authentication, and the ADSelfService Plus NPS extension has to be installed in the NPS. This extension mediates between the NPS and ADSelfService Plus to enable MFA during VPN connections.

Where can I get more information?

Resource and description:

  • Admin guide: A one-stop guide that covers everything administrators should know to set up and run ADSelfService Plus.
  • User guide: A detailed explanation on getting started with ADSelfService Plus, and how to use the solution.
  • Detailed architecture: An in-depth explanation of the components and deployment scenarios.
  • Privileges and permissions requirement guide: An elaboration of all the necessary roles and permissions required for ADSelfService Plus.

For more details or to speak to someone:

Email us:

Call us: +1 844 245 1108 (toll-free)


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.
