Force enrollment using logon script
This feature, when enabled, will prevent users from accessing their desktop until they enroll in ADSelfService Plus for password self-service.
Here's how it works:
- When users log in to their machines, ADSelfService Plus shows an alert asking them to enroll for password self-service.
- While this alert is displayed, users cannot click any part of their Windows desktop or launch other applications.
- Users must click the Enroll Now button and enroll with ADSelfService Plus to make the pop-up message disappear.
- Only after successful enrollment do users regain access to their machines.
In ADSelfService Plus, you can configure force enrollment schedulers that automatically scan your AD for unenrolled users and associate their accounts with a logon script. This script will prompt users to enroll whenever they log in to their machines.
Steps for forcing enrollment using a logon script
- Log in to the ADSelfService Plus web console as an admin.
- Navigate to Configuration → Administrative Tools → Quick Enrollment and click Force Enrollment using Logon Script.
- Enter a Scheduler Name and Description.
- Select the self-service policy whose users you want to force to enroll.
- Enter the force enrollment script title in the Window Title field.
- Enter the force enrollment script content in the Window Content field.
- Enter customized text for the Enroll button.
- Enable the Cancellation Button option and customize its text.
Important:
Uncheck the Cancellation Button option if you want to force users to enroll when they log in to their machines. If the Cancellation Button is enabled, users can close the logon script and access their machines without completing the enrollment process. However, they will still be prompted to enroll when they log in to ADSelfService Plus.
- Schedule how frequently the force enrollment logon script is automatically applied to newly added Active Directory users.
- Click Save.
Important:
- By default, the logon script file (located at \bin\ADSelfService_Enroll.hta under the installation directory) is placed in the SYSVOL folder when forced enrollment is enabled.
- ADSelfService Plus stops showing the force enrollment alert during login for users who have completed the enrollment process.
- The user account configured in ADSelfService Plus' Domain Settings must have read/write permission on the script path and permission to copy the script file to the SYSVOL folder on the domain controller. If the required permissions are not granted, or an issue prevents the script file from being copied to the SYSVOL folder, copy the script file to the SYSVOL folder manually.
Configuring forced enrollment of users with ADSelfService Plus
ADSelfService Plus allows you to enforce enrollment only for a particular set of users instead of enforcing it for all users in a self-service policy. All you need to do is manually add an entry in the ADSelfService_Enroll.hta file and then configure the logon script to a particular OU through Group Policy. This will enforce the enrollment only for those users who are within the specified OU.
Steps to be followed in ADSelfService Plus
- Navigate to the <Installation_Dir>\bin folder (default location: C:\Program Files\ManageEngine\ADSelfService Plus\bin) and locate the ADSelfService_Enroll.hta script file.
- Open the file in a text editor and locate the property postData.
- Add &manualScript=true at the end of the string, as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true"
- To allow users to close the enrollment request pop-up displayed on their login screen, append &forceEnroll=false after the manualScript parameter, as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true&forceEnroll=false"
- Save the file and apply the script to users through Group Policy.
Configure the logon script to a particular OU through group policy
- Open Server Manager and go to Tools → Group Policy Management.
- Expand the Domains tree, right-click the desired domain or OU, and select Create a GPO in this domain and Link it here.
- The New GPO dialog box is displayed. Enter a Name for the GPO and click OK.
- Find the GPO you created in the previous step under the domain or OU, right-click it, and select Edit.
- In the Group Policy Management Editor that opens, go to User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff), then double-click on Logon displayed on the right pane.
- In the Logon Properties window that opens, click Show Files. A folder whose name ends in User\Scripts\Logon\ is displayed.
- Copy your logon script (in this case, the ADSelfService_Enroll.hta file) from <Install Directory>\bin (default location: C:\Program Files\ManageEngine\ADSelfService Plus\bin) and paste it here.
- Click Add in the Logon Properties window.
- Click Browse to open the logon script directory, select your logon script file, and click OK.
- Ensure that your selected logon script file is displayed in the Logon Properties window. Click OK.
Now, enrollment will be enforced during login for users who belong to the desired OU.
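An added audit script (not ManageEngine's own code) for checking the copy of ADSelfService_Enroll.hta deployed through the GPO above: it parses the postData line for the manualScript and forceEnroll parameters described earlier and confirms that the SYSVOL copy matches the edited copy in the bin folder. The install path, the example.local domain and the {GPO-GUID} placeholder are assumptions; adjust them to your environment.

```powershell
# Added example, not ManageEngine's code: audit the deployed force enrollment
# logon script. Paths, the domain name and the GPO GUID are assumptions.
param(
    [string]$BinScript = 'C:\Program Files\ManageEngine\ADSelfService Plus\bin\ADSelfService_Enroll.hta',
    # {GPO-GUID} is a placeholder for the GPO that carries the logon script.
    [string]$SysvolScript = '\\example.local\SYSVOL\example.local\Policies\{GPO-GUID}\User\Scripts\Logon\ADSelfService_Enroll.hta'
)

function Get-PostDataFlags {
    # Reads the postData assignment from the HTA and reports the manualScript
    # and forceEnroll parameters. Only the quoted string literals are joined;
    # the VBScript variables (objNetwork.UserName, strdns) carry no flags.
    # Assumes the assignment sits on a single line, as shown on this page.
    param([string]$Path)
    $line = Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*postData\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "No postData assignment found in $Path" }
    $literal = ([regex]::Matches($line, '"([^"]*)"') |
        ForEach-Object { $_.Groups[1].Value }) -join ''
    $params = @{}
    foreach ($pair in ($literal -split '&')) {
        if ($pair -match '^(\w+)=(.*)$') { $params[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        ManualScript = ($params['manualScript'] -eq 'true')
        # forceEnroll=false lets users close the pop-up; absent means enrollment is forced.
        ForceEnroll  = ($params['forceEnroll'] -ne 'false')
    }
}

function Compare-EnrollScript {
    # The scheduler (or the admin) copies bin\ADSelfService_Enroll.hta into SYSVOL;
    # a hash mismatch means the deployed copy is stale or was changed out of band.
    param([string]$Source, [string]$Deployed)
    $src = (Get-FileHash -Path $Source   -Algorithm SHA256).Hash
    $dep = (Get-FileHash -Path $Deployed -Algorithm SHA256).Hash
    [pscustomobject]@{ SourceHash = $src; DeployedHash = $dep; InSync = ($src -eq $dep) }
}

$flags = Get-PostDataFlags -Path $SysvolScript
$sync  = Compare-EnrollScript -Source $BinScript -Deployed $SysvolScript
"manualScript set            : $($flags.ManualScript)"
"users can cancel the pop-up : $(-not $flags.ForceEnroll)"
"SYSVOL copy matches bin copy: $($sync.InSync)"
if (-not $sync.InSync) { Write-Warning "Re-copy $BinScript to $SysvolScript." }
```

Run it from a workstation with read access to the GPO's scripts folder; a mismatch after editing postData means the SYSVOL copy still carries the old parameters.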
Are you already using a logon script?
The force enrollment logon script that comes bundled with ADSelfService Plus is compatible with any type of logon script that you may already be running in your Windows environment.
If you’re already using a logon script, follow the steps given below:
- If the logon script is a batch file, add the following lines at the end of your logon script:
    rem Do not name this variable "path": that would overwrite the PATH variable.
    set "scriptPath=<ScriptPath>"
    start "" /d "%scriptPath%" ADSelfService_Enroll.hta
- If the logon script is a VB script, add the following lines at the end of your logon script:
    Set objShell = WScript.CreateObject("WScript.Shell")
    scriptPath = "<ScriptPath>"
    ' Quote the full path so that spaces in it are handled
    objShell.Run Chr(34) & scriptPath & "\ADSelfService_Enroll.hta" & Chr(34)
    Set objShell = Nothing
Important:
Replace <ScriptPath> with the location of the ADSelfService_Enroll.hta file.
Tip:
Enable single sign-on via NTLMv2 authentication to allow users to log in to ADSelfService Plus automatically when they click on the Enroll button.
Here’s a demo video that takes you step by step through configuring forced enrollment.