Force enrollment using logon script

This feature, when enabled, will prevent users from accessing their desktop until they enroll in ADSelfService Plus for password self-service. 

Here's how it works:

In ADSelfService Plus, you can configure force enrollment schedulers that automatically scan your AD for unenrolled users and associate their accounts with a logon script. This script will prompt users to enroll whenever they log in to their machines.  

Steps for forcing enrollment using a logon script
Important:
  1. By default, the logon script file (located at \bin\ADSelfService_Enroll.hta) will be placed in the SYSVOL folder when forced enrollment is enabled.
  2. ADSelfService Plus will stop showing the force enrollment alert during login for users who have finished the enrollment process. 
  3. The user account configured in ADSelfService Plus' Domain Settings should have read/write permission over the script path and the permission to copy the script file to the SYSVOL folder in the domain controller. If the required permissions are not granted or there's an issue that prevents the script file from being copied to the SYSVOL folder, make sure you manually copy and paste the script file to the SYSVOL folder.

Configuring forced enrollment of users with ADSelfService Plus

ADSelfService Plus allows you to enforce enrollment only for a particular set of users instead of enforcing it for all users in a self-service policy. All you need to do is manually add an entry in the ADSelfService_Enroll.hta file and then configure the logon script to a particular OU through Group Policy. This will enforce the enrollment only for those users who are within the specified OU.

Steps to be followed in ADSelfService Plus

  1. Navigate to the <Installation_Dir>\bin folder (default location: C:\Program Files\ManageEngine\ADSelfService Plus\bin) and locate the ADSelfService_Enroll.hta script file.
  2. Open the file in a text editor and locate the property postData.
  3. Add &manualScript=true at the end of the code as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true"
  4. To allow users to close the enrollment request pop-up displayed on their login screen, append &forceEnroll=false after manualScript=true as shown below:
    postData = "user=" + objNetwork.UserName + "&domainFlatName=" + objNetwork.UserDomain + "&domainDNSName=" + strdns + "&manualScript=true&forceEnroll=false"

Save the file and apply the script to users through group policies.

Configure the logon script to a particular OU through group policy

  1. Open Server Manager and go to Tools → Group Policy Management.
  2. Expand the Domains tree, right-click the desired domain or OU, and select Create a GPO in this domain and Link it here.
  3. The New GPO dialog box is displayed. Enter a Name for the GPO and click OK.
  4. Find the newly created GPO under the domain or OU you chose in the step above, right-click it, and select Edit.
  5. In the Group Policy Management Editor that opens, go to User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff), then double-click Logon in the right pane.
  6. In the Logon Properties window that opens, click Show Files. A folder whose name ends in User\Scripts\Logon\ is displayed.
  7. Copy your logon script, in our case the ADSelfService_Enroll.hta file from <Install Directory>\bin (default location: C:\Program Files\ManageEngine\ADSelfService Plus\bin), and paste it here.
  8. Click Add in the Logon Properties window.
  9. Click Browse to open the logon script directory, select your logon script file, and click OK.
  10. Ensure that your selected logon script file is displayed in the Logon Properties window. Click OK.

Now, enrollment will be enforced during login for users who belong to the desired OU.
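To check the result of the postData edit and the GPO deployment described above, here is an added PowerShell script; it is not part of ADSelfService Plus or its documentation. It assumes the default install path from this page, a GPO name of your choosing, that postData is assigned on a single line of the .hta, and that it is run with the GroupPolicy (RSAT) module by an account that can read SYSVOL.

```powershell
# Added verification script (not ADSelfService Plus code). The GPO name below is an assumed
# placeholder; pass the name you entered in the New GPO dialog.
param(
    [string]$GpoName    = 'ADSSP Force Enrollment',
    [string]$InstallDir = 'C:\Program Files\ManageEngine\ADSelfService Plus'
)
Import-Module GroupPolicy -ErrorAction Stop

$scriptName = 'ADSelfService_Enroll.hta'
$source     = Join-Path $InstallDir "bin\$scriptName"

# 1. The edited postData line must carry the flags added in the steps above.
$postData = Select-String -Path $source -Pattern '^\s*postData\s*=' | Select-Object -First 1
if (-not $postData) { throw "No postData assignment found in $source" }
"manualScript=true present : $($postData.Line -match 'manualScript=true')"
"forceEnroll=false present : $($postData.Line -match 'forceEnroll=false')  (pop-up can be closed)"

# 2. Resolve the GPO's User\Scripts\Logon folder in SYSVOL (the folder Show Files opens).
$gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
$domain   = $gpo.DomainName
$logonDir = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\User\Scripts\Logon"
$deployed = Join-Path $logonDir $scriptName
if (-not (Test-Path $deployed)) { throw "$scriptName not found in $logonDir" }

# 3. The copy clients actually execute must be byte-identical to the edited copy in \bin.
$srcHash = (Get-FileHash -Algorithm SHA256 -Path $source).Hash
$dstHash = (Get-FileHash -Algorithm SHA256 -Path $deployed).Hash
"SYSVOL copy matches \bin copy : $($srcHash -eq $dstHash)"

# 4. scripts.ini (one level above the Logon folder) is where the GPO registers logon scripts.
$ini        = Join-Path (Split-Path $logonDir -Parent) 'scripts.ini'
$registered = (Test-Path $ini) -and (Select-String -Path $ini -Pattern $scriptName -SimpleMatch -Quiet)
"Registered in scripts.ini : $registered"

# 5. Every user in the linked OU runs this file at logon, so list who may change it.
#    Anything beyond the expected administrative identities deserves review.
(Get-Acl -Path $deployed).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
    Select-Object IdentityReference, FileSystemRights
```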

Are you already using a logon script? 

The force enrollment logon script that comes bundled with ADSelfService Plus is compatible with any type of logon script that you may already be running in your Windows environment. 

If you’re already using a logon script, follow the steps given below: 

  1. If the logon script is a batch file, add the following lines at the end of your logon script:

    rem Folder that holds ADSelfService_Enroll.hta. A dedicated variable is used so the PATH variable is not overwritten.
    set "ASSP_SCRIPT_DIR=<ScriptPath>"
    start /d "%ASSP_SCRIPT_DIR%" ADSelfService_Enroll.hta

  2. If the logon script is a VB script, add the following lines at the end of your logon script:

    ' Launch the enrollment script from the folder that holds it; the path is quoted so folders with spaces work.
    Set objShell = WScript.CreateObject("WScript.Shell")
    path = "<ScriptPath>"
    objShell.Run """" & path & "\ADSelfService_Enroll.hta"""
    Set objShell = Nothing

  3. Important: Replace <ScriptPath> with the location of the ADSelfService_Enroll.hta file.

Tip: Enable single sign-on via NTLMv2 authentication to allow users to log in to ADSelfService Plus automatically when they click the Enroll button.

Here’s a demo video that takes you step by step through configuring forced enrollment.

Copyright © 2023, ZOHO Corp. All Rights Reserved.