To use the self-reset password or self-unlock account features, users have to be enrolled with ADSelfService Plus.
When a user enrolls with ADSelfService Plus, the information the user provides is used to authenticate them whenever they use the self-reset password and self-unlock account features. Trusting end users with the power to reset their own passwords or unlock their own accounts carries a certain amount of risk. With security paramount, ADSelfService Plus uses Security Questions, Mail/SMS verification code/secure link and Google Authenticator to verify the identity of users.
ADSelfService Plus strives to make the enrollment process easy by offering many ways to enroll. Administrators can enroll users or make them enroll themselves. Each method is useful in tackling a set of possible scenarios. Depending on your needs, you could choose the option that best fits the bill.
When your organization has no data pertaining to enrollment, the administrator could make the users enroll themselves.
Administrators can choose to either notify users to enroll or force them to enroll with ADSelfService Plus.
When you have just deployed ADSelfService Plus in your organization, the administrator could select this method to let all employees know of the deployment. This option, when enabled, sends a notification mail or push notification to all users who have not yet enrolled with ADSelfService Plus.
The notification mail can be sent to non-enrolled users automatically via a scheduler. The scheduler can be run at different frequencies like once in a month, once in a week, daily or even hourly! When the scheduler runs, it searches for all the non-enrolled employees and newly added employees within the selected domain/policy and sends a notification mail to all these users urging them to enroll with ADSelfService Plus.
Click on Enrollment Notification for further details.
Force Enrollment searches for all non-enrolled users within the selected domain/policies and associates their accounts with a Logon Script. The logon script forces them to enroll before starting their work when they log in to their machines which are connected to the domain.
Linking non-enrolled users' accounts with a logon script can be done using a scheduler. The scheduler can be tasked to run periodically to check for non-enrolled and newly added users and assign the logon script to their accounts.
When Force Enrollment is in effect, the administrator can enable “Single Sign-On” for users. Enabling SSO will automatically sign in the user to ADSelfService Plus when they click on “Enroll” in the logon script. Click on Single Sign-On to know how to enable SSO.
Note: If your organization already has a logon script running, the force enrollment logon script can easily be configured to run along with the existing logon script.
For step-by-step instructions on how to enable Force Enrollment for non-enrolled users, click here.
Let us look at the options that allow the administrator to enroll users without their intervention.
Import Enrollment Data from CSV file:
The Auto Enrollment option can be used when your organization has previously deployed a self-service password reset program. The administrator can import the existing security questions and answers, along with each user's mobile number and e-mail ID, from a CSV file. The imported security questions and answers, e-mail IDs and mobile numbers are used to enroll the users.
There is an alternate way to enroll users using the mobile number and e-mail ID attributes from Active Directory. You can specify the AD attributes for mobile number and e-mail ID from which the data has to be fetched. The data that has been fetched from Active Directory cannot be edited by the users, so the admin does not have to worry about users modifying the values. When ADSelfService Plus is deployed, this option can be used to quickly enroll all users within a matter of minutes. It does not needlessly trouble the user with notifications to enroll.
Click here for further details.
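Because the imported mobile numbers and e-mail IDs become the channels that verify a user's identity, it is worth auditing them before enrollment. The following is an added example, not ManageEngine code: it flags accounts whose values are missing, malformed, or shared with another account. The column names (`sAMAccountName`, `mail`, `mobile`) and the sample rows are assumptions constructed for illustration, not an ADSelfService Plus file format.

```python
import csv
import re
from collections import defaultdict

# Constructed sample export; column names are assumed, not a product-defined format.
SAMPLE = """sAMAccountName,mail,mobile
alice,alice@example.com,+14155550101
bob,bob@example.com,+1 415 555 0101
carol,,+14155550103
dave,dave@example,+14155550104
erin,erin@example.com,
"""
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def normalize_mobile(raw):
    """Keep digits only so differently formatted copies of one number compare equal."""
    return re.sub(r"\D", "", raw or "")

def audit(rows):
    """Return {account: [findings]} for values unfit to serve as verification channels."""
    findings = defaultdict(list)
    by_mobile, by_mail = defaultdict(list), defaultdict(list)
    for row in rows:
        user = row["sAMAccountName"].strip()
        mail = (row.get("mail") or "").strip().lower()
        mobile = normalize_mobile(row.get("mobile"))
        if not mail:
            findings[user].append("missing mail")
        elif not EMAIL_RE.match(mail):
            findings[user].append("malformed mail")
        else:
            by_mail[mail].append(user)
        if not mobile:
            findings[user].append("missing mobile")
        elif not 8 <= len(mobile) <= 15:
            findings[user].append("malformed mobile")
        else:
            by_mobile[mobile].append(user)
    # A channel shared by several accounts lets one inbox or phone verify for all of them.
    for label, index in (("mail", by_mail), ("mobile", by_mobile)):
        for owners in index.values():
            if len(owners) > 1:
                for user in owners:
                    others = ", ".join(o for o in owners if o != user)
                    findings[user].append(f"shared {label} with {others}")
    return dict(findings)

def audit_csv(text):
    return audit(csv.DictReader(text.splitlines()))
```

Calling `audit_csv(SAMPLE)` returns one entry per flagged account; accounts with clean, unique values do not appear in the result.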
Import Enrollment Data from External Database:
This option can be used to connect your in-house data sources like Oracle, MS SQL and MySQL with ADSelfService Plus.
If your organization has an external database that has enrollment data stored in it, a connection has to be set up between ADSelfService Plus and the database. When the connection has been set up and ADSelfService Plus has been given sufficient permission to access the database server, data can be fetched and users can be enrolled.
Also, any changes made on the database server like bulk user additions can be easily updated to ADSelfService Plus with just a click using the “Fetch Again” option!
Note: A scheduler can also be run to regularly search for newly added users in the connected external data sources and enroll them with ADSelfService Plus. The scheduler can be configured to search for new additions in the data sources at different frequencies as required.
For instructions on how to connect and fetch data from an external data source, click here.