Password Self-Service Deployment:

In order to take ADSelfService Plus' self-service features to the end-users, you have to implement the following:

Configuring self-service actions:

ADSelfService Plus offers four self-service features to domain users: password reset, account unlock, directory self-update, and change password. Based on departments and organizational hierarchy, you can enable specific features for users according to their OUs and group membership, and so decide which users can avail themselves of any or all of these features. This is done in the Policy Configuration section by configuring a self-service policy for the users and defining the extent to which they can use ADSelfService Plus. Click on Steps to create a policy for further details.

Identity verification:

Once domain users are made part of a self-service policy, their identities need to be verified before they can make use of the self-service password reset or account unlock features via the ADSelfService Plus end-user portal, the ADSelfService Plus mobile app, and the Windows/macOS/Linux login screens. You can authenticate user identities using any of the fifteen multi-factor authentication (MFA) methods supported by ADSelfService Plus during:

Identity verification by multi-factor authentication (MFA) is carried out using the information provided by users during enrollment into ADSelfService Plus.

By clicking on the above links you can view the configuration steps for each of these methods.

You can enable specific MFA methods for a specific set of users and specify the number of authentications users must complete in order to verify their identity. You also have the option of forcing users to verify their identities with certain MFA methods. This is done using the MFA/TFA settings (Configuration > Self-Service > Multi-factor Authentication > MFA/TFA Settings). To know more about configuring MFA, click here.

User enrollment:

In order to perform identity verification, users need to enroll with ADSelfService Plus by providing certain information. The information provided varies based on the MFA method configured. ADSelfService Plus simplifies the enrollment process by offering multiple enrollment options:

Enrollment without user intervention:

  • Import Enrollment Data from CSV file:

    You can import existing security questions and answers, along with users' mobile numbers and e-mail IDs, that are stored in CSV file format. This imported information is then used to enroll users. Click here for further details.


  • Import Enrollment Data from External Database:

    Connect the organization's data sources, such as MS SQL, PostgreSQL, Oracle, and MySQL, with ADSelfService Plus. Once ADSelfService Plus has been given sufficient permission to access the database server, data can be fetched and users can be enrolled automatically. Any changes made on the database server can be pulled into ADSelfService Plus with a single click using the Fetch Again option.
    A scheduler can also be set to search the connected external data sources regularly for newly added users and enroll them with ADSelfService Plus. For more information on how to import enrollment data from an external database, click here.

Note: For certain MFA methods like AD Security Questions, Mail verification, and SMS verification, you can choose to use the users' Active Directory attribute values (mail, mobile, sAMAccountName, etc.) for identity verification. In this case, enrollment is not required.

Enrollment by users:

Users can enroll with ADSelfService Plus using the ADSelfService Plus client portal, ADSelfService Plus mobile app, and the Mobile Web App. In order to enforce user enrollment, you can implement the following measures:

  • Enrollment Notification:

    When ADSelfService Plus is deployed in an organization, the administrator can use enrollment notifications to inform employees about the product and encourage them to enroll with it. When enabled, the option sends an e-mail or push notification to all users who have not yet enrolled with ADSelfService Plus. You can also set up a scheduler to send notifications to non-enrolled users automatically at regular intervals. Click here for further details.


  • Force Enrollment:

    This involves searching for all non-enrolled users within the selected domain or policies and associating their accounts with a logon script. The logon script forces them to enroll when they log into their domain user accounts. Linking non-enrolled users' accounts with the logon script can be automated with a scheduler, which runs periodically to check for non-enrolled and newly added users and attaches the logon script to their accounts. For steps on how to enable Force Enrollment for non-enrolled users, click here.

Securing self-service actions:

ADSelfService Plus' Security Centre lists links to the security settings found in the other sections of the product. These include:

  • Block user accounts failing at identity verification.
  • Session timeout.
  • CAPTCHA (word verification).
  • Enforce password strength level.
  • Force users to change password at next logon.
  • Prevent users from providing the same answer to multiple questions.
  • Prevent users from using any word of a question in their answers.
  • Display security questions one by one.
  • Display only a random subset from a user's security questions.
  • Make security answers case sensitive.
  • Hide answers during reset / unlock operations.
  • Email notification upon password self-service.
  • Secure connections (SSL/LDAPS/TLS).
  • Restrict inactive users.

Enabling these security settings protects the user accounts in a domain and secures the connections between the ADSelfService Plus server and other components in the network.
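As an added illustration (not ADSelfService Plus code), the following Python shows how four of the security-question rules listed above can be enforced at enrollment and challenge time: no duplicate answers across questions, no answer may reuse a word of its question, optional case sensitivity, and showing only a random subset of a user's questions. The function names and the word-splitting regex are assumptions made for this example.

```python
"""Illustrative enforcement of security-question rules from the Security
Centre list (added example; function names and tokenizer are assumptions)."""
import re
import secrets

# Assumed tokenizer: words are runs of letters, digits and apostrophes.
WORD_RE = re.compile(r"[A-Za-z0-9']+")


def _words(text):
    """Lower-cased set of words in a question or answer."""
    return {w.lower() for w in WORD_RE.findall(text)}


def validate_enrollment(qa_pairs, case_sensitive=False):
    """Return a list of rule violations (empty list means the enrollment is OK).

    qa_pairs: list of (question, answer) tuples submitted by the user.
    case_sensitive: when False, 'Smith' and 'smith' count as the same answer
    for the duplicate-answer rule (the 'case sensitive answers' setting).
    """
    violations = []
    seen = {}  # normalised answer -> question it was first given for
    for question, answer in qa_pairs:
        key = answer.strip() if case_sensitive else answer.strip().lower()
        if not key:
            violations.append(f"empty answer for {question!r}")
            continue
        # Rule: the same answer may not be given to multiple questions.
        if key in seen:
            violations.append(
                f"answer for {question!r} duplicates answer for {seen[key]!r}")
        else:
            seen[key] = question
        # Rule: an answer may not contain any word of its own question.
        overlap = _words(question) & _words(answer)
        if overlap:
            violations.append(
                f"answer for {question!r} reuses question word(s) {sorted(overlap)}")
    return violations


def pick_challenge_subset(questions, count, rng=None):
    """Choose `count` distinct enrolled questions to display, using a CSPRNG.

    Implements the 'display only a random subset' setting; the caller may
    combine it with showing the chosen questions one at a time.
    """
    rng = rng or secrets.SystemRandom()
    return rng.sample(list(questions), k=min(count, len(questions)))
```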

Copyright © 2023, ZOHO Corp. All Rights Reserved.