Client Software Installation Via Group Policy Object (GPO) - ManageEngine


Client Software installation via Group Policy Object (GPO)

www.adselfserviceplus.com

Table of Contents

Document summary
ADSelfService Plus Client Software
ADSelfService Plus Client Software installation via GPO
    Step 1: Create a GPO and name it
    Step 2: Configure Script settings to run ‘ReinstallAgent.vbs’ at startup
    Step 3: Configure Administrative Templates settings
    Step 4: Apply the GPO
Testing and diagnostics

Document summary

This document describes ADSelfService Plus Client Software, its uses, and the method to install it using a GPO. The document is written with the assumption that you are a system administrator with a basic knowledge of the Windows operating system, Active Directory, and enterprise software deployment. However, care has been taken to keep the installation steps as simple as possible.

ADSelfService Plus Client Software

With web-based password self-service software, end users no longer need to rely on administrators or help desk technicians to reset passwords or unlock accounts. Though it offers them self-reliance, there is still a small element of dependency involved; an end user needs to borrow someone else’s computer for a brief period to access the self-service portal.

ADSelfService Plus Client Software eradicates such dependencies and offers complete password self-service abilities to users. It allows end users to reset passwords and unlock accounts right from the Windows logon prompt on their computers.

Customizing Microsoft’s built-in GINA/CP, this feature adds a button labeled Reset Password/Unlock Account to the built-in Windows logon prompt. Clicking it leads users to the self-service website where passwords can be reset and accounts unlocked. This saves end users the hassle of seeking other machines to use the self-service portal.

ADSelfService Plus Client Software is compatible with the following operating systems:

Windows XP
Windows Vista
Windows 7
Windows 8
Windows 8.1
Windows 10
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

ADSelfService Plus Client Software installation via GPO

Important: Before starting with the steps below, place the ReinstallAgent.vbs and ADSelfServicePlusClientSoftware.msi files in a network shared folder on the server. The ADSelfServicePlusClientSoftware.msi and ReinstallAgent.vbs files are available in the bin directory of the ADSelfService Plus installation folder. The default location is C:\Program Files\ManageEngine\ADSelfService Plus\bin.

Best practice: Create a group and add all the computers on which you want to install ADSelfService Plus Client Software. Create a GPO and apply it to this group.

For successful installation, follow the steps below in order.

Step 1: Create a GPO and name it

For Windows Server 2003 and Windows Server 2003 R2

1. Open the Active Directory Users and Computers console.
2. Right-click the parent container of all the computer objects (which are added to a group; refer to the best practice above) and select Properties.

3. In the Properties dialog box that appears, select the Group Policy tab. Under this tab, click New to create a GPO.

For Windows Server 2008 and above

1. Open the Group Policy Management console.
2. On the left pane, right-click the Group Policy Objects container and select New.

3. Give a descriptive name to the GPO and click OK.

Step 2: Configure script settings to run ReinstallAgent.vbs at start-up

1. Right-click the GPO you just created and click Edit to open the Group Policy Object Editor.
2. Depending on your operating system, do the following:
   For Windows Server 2003 and Windows Server 2003 R2: In the Group Policy Object Editor, on the left pane, double-click Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup.

   For Windows Server 2008 and above: Double-click Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
3. Right-click Startup and select Properties.
   a. In the Startup Properties dialog box, click Show Files.

   b. Paste the ReinstallAgent.vbs script file in the startup folder window that opens, then close the window.
   c. Click Add in the Startup Properties dialog box.

   d. In the Add a Script dialog box, do the following:
      i. For Script Name, click Browse and select the ReinstallAgent.vbs script.
      ii. For Script Parameters, enter the parameter (see the syntax below) and click OK.

Syntax for the parameter

Important: Before setting the parameter, check the accessibility of ADSelfServicePlusClientSoftware.msi.

Windows Server 2003 and Windows Server 2003 R2

"/MSIPATH:"MSI file path" /SERVERNAME:"server-name" /PORTNO:"port-no" /FRAMETEXT:"frame-text" /BUTTONTEXT:"button-text" /PROD TITLE:"ProdTitle" /PROTOCOL:"http or https" /WRAPPINGPROVIDER:"WrappingProvider-GUID" /IMAGEPATH:"path of IMG file""

Windows Server 2008 and above

/MSIPATH:"MSI file path" /SERVERNAME:"server-name" /PORTNO:"port-no" /FRAMETEXT:"frame-text" /BUTTONTEXT:"button-text" /PROD TITLE:"ProdTitle" /PROTOCOL:"http or https" /WRAPPINGPROVIDER:"WrappingProvider-GUID" /IMAGEPATH:"path of IMG file" /WINDOWSLOGONTFA:"true or false" /BYPASS:"true or false"

Where:

MSIPATH             folder location where ADSelfServicePlusClientSoftware.msi is stored
SERVERNAME          server on which ADSelfService Plus is running
PORTNO              port number through which ADSelfService Plus is running

Client software customization parameters (optional)

FRAMETEXT           description text
BUTTONTEXT          text that appears on the client software button
WRAPPINGPROVIDER    globally unique identifier of your third-party GINA/CP extension, if any
IMAGEPATH           folder location of the .bmp image file to be used as the client's icon
WINDOWSLOGONTFA     Enter "true" if you want MFA to be enabled during logon. Enter "false" if you do not want MFA to be enabled.
BYPASS              Enter "true" if you want to bypass logon MFA when the ADSelfService Plus server is unreachable. If not, enter

…ervicePlusClientSoftware.msi" /SERVERNAME:"XYZ" /PORTNO:"8888" /FRAMETEXT:"If you’ve forgotten your password." /BUTTONTEXT:"Reset Password" /PROD TITLE:"ADSelfService Plus" /PROTOCOL:"https" …b0d28ed}" …A:"true" /BYPASS:"false"

Note: For Windows Server 2003 and Windows Server 2003 R2, the parameters for the script should be enclosed within double quotes to support multiple parameter values.

   e. You will be directed back to the Startup Properties dialog box. Click Apply first, then click OK to complete the procedure.

Step 3: Configure Administrative Templates settings

1. Depending on your operating system, do the following:
   For Windows Server 2003 and Windows Server 2003 R2: On the left pane of the Group Policy Object Editor window, double-click Computer Configuration > Administrative Templates > System.
   For Windows Server 2008 and above: Double-click Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
2. Under System, configure the following settings:
   a. Scripts
      On the right pane of the Group Policy Object Editor, double-click Run logon scripts synchronously and select Enabled. Click Apply, then click OK.
      Double-click Specify maximum wait time for Group Policy scripts and select Enabled. Click Apply, then click OK.

   b. Logon
      Double-click Always wait for the network at computer startup and logon and select Enabled. Click Apply, then click OK.

   c. Group Policy
      Double-click Configure Group Policy slow link detection and select Enabled. Click Apply, then click OK.

Step 4: Apply the GPO

1. On the left pane of the Group Policy Object Editor, right-click the GPO you are working on (available in the top-left corner) and select Properties.

2. In the Properties dialog box that appears, click the Security tab.
   a. Important note: On this tab, under Permissions for Authenticated Users, uncheck the Apply Group Policy permission before proceeding further.
3. Click Add to open the Select Users, Computers, or Groups dialog box.
   a. Click Object Types and make sure Groups is checked, then click OK.

4. Enter the name of the group that contains all the computers set for Client Software installation and click Check Names.
   a. Highlight the desired group and click OK to return to the Security tab.
   b. The group will now be added to the list of Group or user names.
5. With the newly added group highlighted, apply the following permissions:
   a. For Read, check Allow.
   b. For Apply Group Policy, check Allow.
   c. Click Apply, then click OK.

6. Reboot the computers to apply the GPO and wait until the next start-up for the Reset Password/Unlock Account button to appear on the Windows logon screen.

To apply the GPO directly to computers:

If you prefer to apply the GPO directly to computers instead of the group, please follow the steps below:

1. Follow steps 1 and 2 shown above.
2. Click Object Types. Make sure Computers is checked. Click OK.
3. Use Check Names to find the necessary computers. Highlight the computers you want to add and click OK to return to the Security tab.
4. Set the Read and Apply Group Policy permissions to Allow for every computer that you just added.
5. Important note: After completing all these steps, remember to uncheck the Apply Group Policy permission.
6. Reboot all the client machines.
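The accessibility check required before setting the script parameter, together with the GPO creation in Step 1 and the security filtering in Step 4, can be scripted. The PowerShell below is an added example, not part of the ManageEngine guide; the share path, GPO name, group name and trusted-principal list are assumptions, and it needs the GroupPolicy module (GPMC/RSAT).

```powershell
# Added example. Share path, GPO name, group name and $Trusted are assumptions,
# not values from the guide.
Import-Module GroupPolicy

$ShareDir = '\\fileserver\adssp'          # hypothetical share holding both files
$GpoName  = 'ADSSP Client Software'       # hypothetical GPO name
$PcGroup  = 'ADSSP-Client-Computers'      # hypothetical computer group
# Principals allowed to change the files (assumed; names are locale-dependent).
$Trusted  = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|.+\\Domain Admins)$'

# Rights that let a principal alter or replace a file.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Pre-flight: both files must be reachable, and because startup scripts run as
# Local System on every targeted computer, nobody outside $Trusted should hold
# a write-capable NTFS ACE on them (share-level permissions are not checked here).
foreach ($file in 'ADSelfServicePlusClientSoftware.msi', 'ReinstallAgent.vbs') {
    $path = Join-Path $ShareDir $file
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Not reachable: $path" }
    $risky = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $WriteBits) -ne 0) -and
        $_.IdentityReference.Value -notmatch $Trusted
    }
    if ($risky) {
        $risky | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String | Write-Warning
        throw "Tighten the ACL on $path before deploying."
    }
}

# Step 1: create the GPO. New-GPO creates it unlinked; it applies only once it
# is linked to the container that holds the computers.
New-GPO -Name $GpoName | Out-Null

# Step 4: Authenticated Users keep Read but lose Apply Group Policy;
# the computer group gets Read + Apply (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $PcGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the resulting security filtering for review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Steps 2 and 3 (the startup script entry and the Administrative Templates settings) are still configured in the Group Policy Object Editor as described above.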

Testing and diagnostics

To test whether the installation was successful:

1. In the Command Prompt of your client machines, type gpresult /v.
2. Ensure that:
   The GPO you configured appears under the subheading Applied Group Policy Objects.
   ReinstallAgent.vbs appears under the subheading Startup scripts.

To diagnose, please check the AdsspScriptlog.txt file in the Windows directory (stored in C:\Windows by default) or go to Start > Run and type %windir%\AdsspScriptlog.txt.

ManageEngine ADSelfService Plus is an integrated self-service password management, MFA, and SSO solution. It offers self-service password reset and account unlock; endpoint MFA for machine, VPN, and OWA logons; SSO for enterprise applications; AD-based multi-platform password synchronization; password expiration notifications; and a Password Policy Enforcer. It also provides Android and iOS mobile apps that facilitate self-service for end users anywhere, anytime. ADSelfService Plus reduces IT expenses associated with help desk calls, improves the security of user accounts, and spares end users the frustration of computer downtime.

For more information about ADSelfService Plus, visit .
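The two gpresult checks and the log lookup from Testing and diagnostics, scripted for a client machine. This is an added example, not ManageEngine's code; the GPO name is a hypothetical placeholder, and the parsing assumes English gpresult output with each heading followed by a dashed underline.

```powershell
# Added example. $GpoName is a hypothetical name, not one from the guide.
# Run from an elevated prompt on a client after the reboot; computer-scope
# results are not returned to a non-elevated session.
$GpoName = 'ADSSP Client Software'
$lines   = @(gpresult /scope computer /v 2>&1 | ForEach-Object { "$_".Trim() })

function Get-Section([string[]]$Text, [string]$HeadingPattern) {
    # Lines between a heading (plus its dashed underline) and the next blank line.
    for ($i = 0; $i -lt $Text.Count; $i++) {
        if ($Text[$i] -match $HeadingPattern) {
            $body = @()
            for ($j = $i + 2; $j -lt $Text.Count -and $Text[$j] -ne ''; $j++) {
                $body += $Text[$j]
            }
            return $body
        }
    }
    return @()
}

# Check 1: the GPO is listed under "Applied Group Policy Objects".
$gpoApplied = @(Get-Section $lines '^Applied Group Policy Objects') -contains $GpoName

# Check 2: ReinstallAgent.vbs is listed somewhere after the "Startup scripts" heading.
$scriptListed = $false
$seenHeading  = $false
foreach ($line in $lines) {
    if ($line -match '^Startup Scripts') { $seenHeading = $true; continue }
    if ($seenHeading -and $line -match 'ReinstallAgent\.vbs') { $scriptListed = $true; break }
}

# Diagnostics: last lines of the installer script log, if it exists yet.
$log     = Join-Path $env:windir 'AdsspScriptlog.txt'
$logTail = if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 } else { @() }

[pscustomobject]@{
    GpoApplied          = $gpoApplied
    StartupScriptListed = $scriptListed
    LogFound            = (Test-Path -LiteralPath $log)
    LogTail             = $logTail -join [Environment]::NewLine
}
```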
