Local user MFA in ADSelfService Plus

Local users are accounts that are created and stored directly on a single computer, with no central management through a network domain. These accounts authenticate using locally stored credentials and are only accessible on the machine where they were created. They can exist on both stand-alone and domain-joined systems and are often used for administrative tasks, workgroup environments, or offline systems that do not depend on a centralized directory like Active Directory (AD).

ADSelfService Plus helps administrators secure these local accounts using MFA for various login scenarios, including:

Machine-based MFA for computers with local users can be enabled for the following types of machines:

This guide takes you through enabling, configuring, and managing local user MFA:

  1. Enabling local user MFA
  2. Configuring MFA for local users
  3. Installing the login agent
  4. Enrolling and managing local user accounts
  5. Managing enrolled users via reports
  6. Managing agent-installed machines

Configuration steps

1. Enabling local user MFA

Before configuring local user MFA, you must first enable it. To do this:

  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Configuration > Self-Service > Multi-Factor Authentication.
  3. Click Local User MFA Settings at the top-right of the page.
  4. In the pop-up that appears, check Enable local user MFA.
  5. Click Save.

Screenshot: Enabling local user MFA in ADSelfService Plus

This creates a virtual domain within ADSelfService Plus called localusers.domain, into which local users and the workgroup (local) Windows computers on which the agent is installed are grouped.

Note:
  • Local user MFA is available only with the Professional edition of ADSelfService Plus with Endpoint MFA.
  • It is currently supported only for Windows machines.

2. Configuring MFA for local users

After enabling local user MFA, follow these steps to configure authenticators:

Step 1: Choose the local user policy

  1. Navigate to Configuration > Self-Service > Multi-Factor Authentication and select localusers.domain from the Choose the Policy drop-down.
  2. Click the Authenticators Setup tab and set up the authenticators required for local user MFA.

Screenshot: Authenticators compatible with local user MFA in ADSelfService Plus

Supported authenticators for online MFA:

Supported authenticators for offline MFA:

  • Google Authenticator
  • Microsoft Authenticator
  • Zoho OneAuth TOTP
  • Custom TOTP Authenticator

Step 2: Assigning MFA methods for local user machine logins

  1. Navigate to MFA for Endpoints > MFA for Machine Logins.
  2. Specify which authenticators local users must verify with during Windows machine logins. If needed, you can configure offline MFA as well.

Screenshot: Configuring local user MFA in ADSelfService Plus

  3. Go to Advanced to protect the following login scenarios with the configured MFA methods:
    • Machine logins and unlocks
    • RDP logins
    • UAC prompts
  4. You can also navigate to Configuration > Administrative Tools > GINA/mac/Linux Installation > Installed Machines > Advanced Machine MFA settings to configure machine-based MFA, which protects the Windows machine regardless of whether the user attempting to log in is enrolled. This setting takes precedence over policy-based machine login configurations on both domain and workgroup machines.

3. Installing the login agent

Local user MFA works by linking the Windows machine with the ADSelfService Plus server via the ADSelfService Plus Windows login agent. You must install this agent on every (domain-joined or workgroup) machine where MFA is needed.

Note: To use local user MFA, the Windows login agent must be version 6.12 or later. If an earlier version is already installed on domain-joined machines, it must be updated to version 6.12 or later.

Installation options:

On domain-joined machines: You can install the ADSelfService Plus login agent on domain-joined Windows machines through the ADSelfService Plus admin portal, manually, via a GPO, or through tools like Microsoft Configuration Manager or ManageEngine Endpoint Central.

On workgroup machines: The login agent cannot be installed or managed on Windows workgroup machines from ADSelfService Plus. You will need to perform these actions manually or through tools like Microsoft Configuration Manager or ManageEngine Endpoint Central.

Note: The login agent cannot be installed or managed remotely on local (non-domain) machines from within ADSelfService Plus.

4. Enrolling and managing local user accounts

After the login agent is installed on the relevant Windows machines, you need to import and enroll local user accounts. To do so:

  1. Go to Configuration > Administrative Tools > Quick Enrollment.
  2. From the Select the policy drop-down, choose localusers.domain.
  3. Enroll users using either of the following:
    • CSV import: Navigate to Quick Enrollment > Import enrollment data from CSV file.
    • External database: Navigate to Quick Enrollment > Import enrollment data from external database.
  4. Users imported via either method are listed under localusers.domain.

Screenshot: Enrolling local users via a CSV file in ADSelfService Plus

Note: Self-enrollment is currently not supported for Windows local users. Only the admin can enroll local users and manage their enrollment information.

A local user cannot be enrolled if their username matches that of another local user who is already enrolled.

If the username of a local user who has already been enrolled is changed on the machine, the user must be re-enrolled in the product using the new username.
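Because localusers.domain is a single flat policy, it pays to find colliding usernames before building the enrollment CSV. The PowerShell pre-check below is an added example, not code from ADSelfService Plus or this guide; it assumes PowerShell Remoting is enabled on the listed machines, that you hold local admin rights on them, and (an inference from the duplicate-username rule above) that the same username on two machines counts as a collision. The computer list is constructed sample data.

```powershell
# Added example (not ADSelfService Plus code): list enabled local accounts on
# workgroup machines and flag usernames that appear on more than one machine,
# since only one of them could be enrolled under localusers.domain.
# Assumes PowerShell Remoting (WinRM) is enabled and you have admin rights.
$computers = @('WKG-PC01', 'WKG-PC02', 'WKG-PC03')   # constructed sample list

# Well-known built-in accounts to skip, identified by RID suffix:
# Administrator (-500), Guest (-501), DefaultAccount (-503), WDAGUtilityAccount (-504)
$builtinRids = @('-500', '-501', '-503', '-504')

$accounts = foreach ($c in $computers) {
    try {
        # SID is converted to a string remotely so it survives serialization
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalUser | Where-Object { $_.Enabled } |
                Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }
        } | ForEach-Object {
            [pscustomobject]@{ Computer = $c; Name = $_.Name; SID = $_.SID }
        }
    } catch {
        Write-Warning "Could not query $c : $($_.Exception.Message)"
    }
}

# Drop built-in accounts; they are not candidates for enrollment here
$candidates = $accounts | Where-Object {
    $sid = $_.SID
    -not ($builtinRids | Where-Object { $sid.EndsWith($_) })
}

# Usernames present on more than one machine collide in the flat policy
$collisions = $candidates | Group-Object Name | Where-Object { $_.Count -gt 1 }
foreach ($g in $collisions) {
    Write-Warning ("Username '{0}' exists on {1} machines: {2}" -f
        $g.Name, $g.Count, ($g.Group.Computer -join ', '))
}

# Remaining accounts are safe to put in the enrollment CSV, one username each
$candidates | Where-Object { $_.Name -notin $collisions.Name } |
    Sort-Object Name | Format-Table Computer, Name, SID -AutoSize
```

Resolve each reported collision (rename the account on one machine, then enroll it under the new name) before importing, since a renamed account must be enrolled under its new username.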

Manage enrolled users via reports

Admins can track enrollment, activity, failures, agent deployment, and authenticator usage from the following reports:

Manage agent-installed machines

Once deployed, you can view all systems with the login agent installed under Configuration > Administrative Tools > GINA/mac/Linux Installation > Installed Machines.

Screenshot: Machines on which the login agent is installed for local user MFA in ADSelfService Plus

This report can be viewed for both domain-joined and workgroup Windows machines.

Workgroup machines on which the agent is installed will appear under localusers.domain.


Copyright © 2025, ZOHO Corp. All Rights Reserved.