What is the Self-Enrollment process and how does it work?
The Self-Enrollment process is an activity that allows users to register their mobile phone number and associate it with their profile. This will enable the user to perform password resets and/or profile unlocking directly from their smartphone through identity verification.
Script integration
The ADSelfService_Enroll.bat script has been created and integrated into the existing Windows login script.
The script is executed only if the logging-in user is NOT part of the "Domain Admins" group.
goline.scr
…
; InGroup() returns 0 when the user is NOT a member, so only non-admins run the enrollment
IF InGroup("Domain Admins") = 0
? "Execute ADSelf Service Enrollment…"
RUN @LSERVER + "\NETLOGON\ADSelfService_Enroll.bat"
ENDIF
…
ADSelfService_Enroll.bat
@echo off
REM Launch the enrollment HTA from the NETLOGON share of the authenticating logon server
%SystemRoot%\System32\mshta.exe %LOGONSERVER%\NETLOGON\ADSelfService_Enroll.hta
The .bat script opens the ADSelfService_Enroll.hta file using mshta.exe.
This file contains the actual script to carry out the Self-Enrollment procedure.
What happens for users who have already completed Self-Enrollment?
If a user has successfully completed the Self-Enrollment process, the script will recognize this status and allow the user to access the system as usual, without any further action required.
No window will appear in this case.
What occurs if the user has not yet completed Self-Enrollment?
If a user has not yet completed the Self-Enrollment process, the script will detect this status and display a Self-Enrollment screen after the user logs in.
Clicking the "Enroll" button will initiate the guided procedure.
For the first two weeks, a "Cancel" button will be available, allowing the user to temporarily bypass the Self-Enrollment process and access the system as usual.
What happens after the first two weeks?
After the initial two-week period, the "Cancel" button will be removed from the Self-Enrollment screen. This means the user can no longer avoid the process and will be required to complete Self-Enrollment to access the Windows system.
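The decision table described above (Domain Admins skipped, enrolled users pass silently, unenrolled users see the screen, Cancel only during the first two weeks) as an added example in JScript-compatible syntax, not the contents of the page's ADSelfService_Enroll.hta. The rollout start date, enrollment status and group membership are assumed inputs supplied by the caller.

```javascript
// Added example: enrollment-gate logic written in ES3-style JScript (var/function only)
// so it could sit inside an HTA or be tested under Node. Not the page's own .hta code.
// Assumption (not from the page): rolloutStart is the day the login script went live.

var GRACE_DAYS = 14;                       // the "first two weeks" with a Cancel button
var MS_PER_DAY = 24 * 60 * 60 * 1000;

// Returns what the login flow should do for one user.
//   isDomainAdmin : boolean  (login script does not run the .bat at all)
//   isEnrolled    : boolean  (already enrolled -> no window shown)
//   rolloutStart  : Date     (assumed start of the two-week grace period)
//   now           : Date     (injected so the logic is testable)
function decideEnrollment(isDomainAdmin, isEnrolled, rolloutStart, now) {
  var result = { runScript: true, showScreen: false, showCancel: false, daysLeft: 0 };
  if (isDomainAdmin) {                     // InGroup("Domain Admins") <> 0 in goline.scr
    result.runScript = false;
    return result;
  }
  if (isEnrolled) {                        // enrolled users log in as usual, no window
    return result;
  }
  result.showScreen = true;                // unenrolled: show the Self-Enrollment screen
  var elapsedDays = Math.floor((now.getTime() - rolloutStart.getTime()) / MS_PER_DAY);
  var remaining = GRACE_DAYS - elapsedDays;
  if (remaining > 0) {                     // still inside the grace period: Cancel allowed
    result.showCancel = true;
    result.daysLeft = remaining;
  }
  return result;                           // after two weeks: enrollment is mandatory
}

// Stand-alone demonstration with constructed dates (January, so no DST shift).
var demo = decideEnrollment(false, false, new Date(2024, 0, 1), new Date(2024, 0, 10));
if (typeof console !== "undefined") {
  console.log("showScreen=" + demo.showScreen + " showCancel=" + demo.showCancel +
              " daysLeft=" + demo.daysLeft);
}
```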
To remove the "Cancel" button, simply uncomment the following code present in the ADSelfService_Enroll.hta file and delete the currently active on