Force enrollment using logon script

The Force enrollment using a login script feature, when enabled, will force unenrolled users logging into their Windows desktop to complete enrolling for the authenticators enabled for them in ADSelfService Plus.

Forcing enrollment via the login script in ADSelfService Plus

You can achieve this by configuring schedulers to force unenrolled users to complete enrollment. These schedulers will periodically scan your AD for unenrolled users and associate their accounts with a logon script. This script will prompt users to enroll whenever they log in to their machines.

Here's how it works:

  1. Log in to the ADSelfService Plus web console with admin credentials.  
  2. Navigate to Configuration > Administrative Tools > Quick Enrollment and click Force Enrollment using Logon Script.
  3. Enter a Scheduler Name and Description.
  4. Select the policy that applies to the users for whom you want to force enrollment.
  5. Enter the name you want to be displayed for the Window, in the Window Title field.
  6. Enter the message to be displayed to the users regarding mandatory enrollment, in the Window Content field.
  7. Enter the text for the click-to-action button in the Enroll Button field.
  8. Leave the Cancellation Button unchecked if you want to force users to enroll when they log in to their machine. If cancellation is enabled, users can close the logon script and access their machine without completing the enrollment process. However, they will be prompted to enroll when they log in to ADSelfService Plus. If you want to give your users the option to skip enrollment, enable the Cancellation Button option and customize the click-to-action text accordingly.
  9. Important: If the user account logging into the Windows machine has been blocked in ADSelfService Plus, the force enrollment window will not be shown to them. They will be prompted to enroll when their account is unblocked and they log in to ADSelfService Plus.
  10. Schedule how frequently the force enrollment logon script is automatically applied to newly added Active Directory users.
  11. Click Save.
Important:
  1. By default, the logon script file (the default location is C:\Program Files\ManageEngine\ADSelfService Plus\bin\ADSelfService_Enroll.hta) will be placed in the SYSVOL folder when forced enrollment is enabled.
  2. ADSelfService Plus will stop showing the force enrollment alert during login once users finish the enrollment process.
  3. The user account configured in ADSelfService Plus' Domain Settings should have read/write permission over the script path and the permission to copy the script file to the SYSVOL folder in the domain controller. If the required permissions are not granted or there's an issue that prevents the script file from being copied to the SYSVOL folder, make sure you manually copy and paste the script file to the SYSVOL folder.

ADSelfService Plus allows you to enforce enrollment only for a particular set of users instead of enforcing it for all users in a self-service policy. All you need to do is manually add an entry in the ADSelfService_Enroll.hta file and then configure the logon script to a particular OU through Group Policy. This will enforce the enrollment only for those users who are within the specified OU.

Steps to be followed in ADSelfService Plus

  1. Navigate to the <ADSelfService Plus_Installation_Dir>\bin folder (the default location is C:\Program Files\ManageEngine\ADSelfService Plus\bin) and locate the ADSelfService_Enroll.hta script file.
  2. Open the file in a text editor and locate the property postData.
  3. Add &manualScript=true at the end of the string assigned to it, as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true"
  4. To allow users to close the enrollment request pop-up displayed on their login screen, append &forceEnroll=false after the manualScript parameter, as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true&forceEnroll=false"

Save the file and apply the script to users through group policies.
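As an added example (not ManageEngine's own code, and not part of this page), the following PowerShell script performs the postData edit from the steps above without hand-editing the file: it backs up ADSelfService_Enroll.hta, appends only the query parameters that are still missing, and stops if no postData assignment is found. The default install path and the -AllowCancel switch name are assumptions of this example.

```powershell
# Added example, not ManageEngine's own code. Appends the manualScript (and
# optionally forceEnroll) parameter to the postData assignment in
# ADSelfService_Enroll.hta, as described in the steps above, so that the edit
# is repeatable and leaves a backup. Assumptions: the default install path
# below, and that postData is assigned on one line that ends in a string literal.
param(
    [string]$HtaPath = 'C:\Program Files\ManageEngine\ADSelfService Plus\bin\ADSelfService_Enroll.hta',
    [switch]$AllowCancel   # also append &forceEnroll=false so users may close the pop-up
)

$wanted = @('manualScript=true')
if ($AllowCancel) { $wanted += 'forceEnroll=false' }

$lines   = Get-Content -LiteralPath $HtaPath
$matched = 0

for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -notmatch '^\s*postData\s*=') { continue }
    $matched++

    # Only add the parameters that are not already present, so re-running is harmless.
    $missing = @($wanted | Where-Object { $lines[$i] -notlike "*$_*" })
    if ($missing.Count -eq 0) {
        Write-Host "Line $($i + 1): postData already carries $($wanted -join ', ')"
        continue
    }
    $suffix = ($missing | ForEach-Object { '&' + $_ }) -join ''
    # Insert the new query parameters just before the closing quote of the literal.
    $lines[$i] = $lines[$i] -replace '"\s*$', ($suffix + '"')
    Write-Host "Line $($i + 1) now reads: $($lines[$i])"
}

if ($matched -eq 0) {
    throw "No postData assignment found in $HtaPath; the file layout differs from this example's assumption."
}

# Keep a copy of the original before writing the modified file back.
Copy-Item -LiteralPath $HtaPath -Destination "$HtaPath.bak" -Force
Set-Content -LiteralPath $HtaPath -Value $lines
```

Run it as an administrator (the bin folder is under Program Files); pass -AllowCancel only when users should be able to dismiss the pop-up, which corresponds to step 4 above.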

Configure the logon script to a particular OU through group policy

  1. Open Server Manager and go to Tools > Group Policy Management.
  2. Expand the Domains tree, right-click the desired domain or OU, and select Create a GPO in this domain and Link it here.
  3. The New GPO dialog box is displayed. Enter a Name for the GPO and click OK.
  4. Find the newly created GPO under the domain or OU that you chose in the above step, right-click it, and select Edit.
  5. In the Group Policy Management Editor that opens, go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff), then double-click Logon in the right pane.
  6. In the Logon Properties window that opens, click Show Files. A folder whose name ends in User\Scripts\Logon\ is displayed.
  7. Copy your logon script, in our case the ADSelfService_Enroll.hta file, from <Install Directory>\bin (the default location is C:\Program Files\ManageEngine\ADSelfService Plus\bin) and paste it here.
  8. Click Add in the Logon Properties window.
  9. Click Browse to open the logon script directory, select your logon script file, and click OK.
  10. Ensure that your selected logon script file is displayed in the Logon Properties window. Click OK.

Now, enrollment will be enforced during login for users who belong to the desired OU.
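An added example, not part of this page or of ManageEngine's product, that checks the result of the GPO steps above from the defender's side: whoever can write to the GPO's User\Scripts\Logon folder controls what every user in the linked OU runs at logon, so the script confirms the deployed HTA is identical to the copy in the bin folder and lists the identities holding write rights on that folder. It assumes the GroupPolicy module (RSAT) is installed, that the GPO name passed in is the one created above, and that the source file sits at the documented default path.

```powershell
# Added example, not ManageEngine's own code. Verifies the logon script that the
# GPO steps above deploy: the SYSVOL copy must match the bin copy, and the set
# of identities that can modify the script folder should be reviewed.
# Assumptions: GroupPolicy module (RSAT) is installed; $GpoName is the GPO
# created in the steps above; the source path is the documented default.
param(
    [Parameter(Mandatory = $true)]
    [string]$GpoName,
    [string]$SourceHta = 'C:\Program Files\ManageEngine\ADSelfService Plus\bin\ADSelfService_Enroll.hta'
)

Import-Module GroupPolicy

$gpo = Get-GPO -Name $GpoName
# User logon scripts of a GPO live under its policy folder in SYSVOL, keyed by the GPO GUID.
$scriptDir = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\User\Scripts\Logon"
$deployed  = Join-Path $scriptDir 'ADSelfService_Enroll.hta'

if (-not (Test-Path -LiteralPath $deployed)) {
    throw "ADSelfService_Enroll.hta was not found in $scriptDir; the copy step above has not been completed."
}

# 1. Integrity: the deployed copy should be byte-identical to the copy shipped in bin.
$srcHash = (Get-FileHash -LiteralPath $SourceHta -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $deployed  -Algorithm SHA256).Hash
if ($srcHash -eq $dstHash) {
    Write-Host "OK: deployed script matches $SourceHta (SHA256 $dstHash)"
} else {
    Write-Warning "Deployed script differs from $SourceHta (SHA256 $dstHash vs $srcHash); redeploy it or investigate the change."
}

# 2. Write access: rights that let an identity alter or replace the script.
#    Read bits and Synchronize are deliberately left out so read-only ACEs do not match.
$modifyRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$writers = (Get-Acl -LiteralPath $scriptDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $modifyRights) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

Write-Host "Identities that can modify $scriptDir :"
$writers | Format-Table -AutoSize
```

Compare the listed identities with the set you expect (typically SYSTEM, Domain Admins, Enterprise Admins, and the ADSelfService Plus service account described in the Important note above); any other entry deserves a look. Deny ACEs are ignored here, so treat the list as a starting point rather than an effective-permissions report.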

Steps to follow if you are already using a logon script

The force enrollment logon script that comes bundled with ADSelfService Plus is compatible with any type of logon script that you may already be running in your Windows environment. 

If you’re already using a logon script, follow the steps given below: 

  1. If the logon script is a batch file, add the following lines at the end of your logon script:
    rem A dedicated variable is used so that the PATH environment variable is not overwritten
    set "ASSP_SCRIPT=<ScriptPath>"
    start /d "%ASSP_SCRIPT%" ADSelfService_Enroll.hta
  2. If the logon script is a VBScript, add the following lines at the end of your logon script:
    Set objShell = WScript.CreateObject("WScript.Shell")
    path = "<ScriptPath>"
    ' The file name is quoted so that a folder containing spaces, such as the default one, still opens
    objShell.Run """" & path & "\ADSelfService_Enroll.hta" & """"
    Set objShell = Nothing
  3. Important: Replace <ScriptPath> with the folder containing the ADSelfService_Enroll.hta file (the default location is C:\Program Files\ManageEngine\ADSelfService Plus\bin).

Tip: Enable single sign-on via NTLMv2 authentication to allow users to log in to ADSelfService Plus automatically when they click the Enroll button.

Here’s a demo video that takes you step by step through configuring forced enrollment.

Copyright © 2025, ZOHO Corp. All Rights Reserved.