Client Software Installation via Group Policy Object (GPO)

www.adselfserviceplus.com

Table of Contents

Document Summary

ADSelfService Plus Client Software

ADSelfService Plus Client Software Installation via GPO

Step 1: Create a GPO and name it

Step 2: Configure Script settings to run ‘ReinstallAgent.vbs’ at startup

Step 3: Important Settings

Step 4: Applying the GPO

Testing and Diagnostics

Document Summary

This document briefly describes ADSelfService Client Software and its uses, and illustrates how to install it using GPO. It is written with the assumption that you are a system administrator with a basic knowledge of Windows and enterprise software deployment. However, care has been taken to keep the installation steps as simple as possible.

ADSelfService Plus Client Software

With web‐based password self‐service software, end users no longer need to rely on administrators or helpdesk technicians to reset passwords or unlock accounts. Though it offers them self‐reliance, there is still a small element of dependency involved: an end user needs to borrow someone else’s computer for a brief period to access the self‐service portal.

ADSelfService Plus Client Software eradicates such dependencies and offers complete password self‐service abilities to users. It allows end users to reset their password or unlock their account right at the Windows log‐on prompt of their computers.

Customizing ’s native GINA/CP, this feature adds a button – labeled ‘Reset Password/Unlock Account’ – to the native Windows log‐on prompt. Clicking it leads users to the self‐service website, where the password can be reset and/or the account unlocked. This saves end users the hassle of seeking other machines to use the self‐service portal.

ADSelfService Client Software is compatible with the following Operating Systems:

Windows XP SP3
Windows 2003
Windows 8
Windows Server 2012
Windows 8.1
Windows 10
Windows Server 2016

ADSelfService Plus Client Software Installation via GPO

Important: Before starting with the steps, place the ReinstallAgent.vbs and ADSelfServicePlusClientSoftware.msi files in a network shared folder of the server.

‘ADSelfServicePlusClientSoftware.msi’ and ‘ReinstallAgent.vbs’ files are available in ‘bin’ directory of ADSelfService Plus installation folder. (Default location - C:\Program Files\ManageEngine\ADSelfService Plus\bin).

Best Practice: Create a group and add to it all the computers in which you want to install the Client Software. Create a GPO and apply it to this group.

Follow the steps given below in the same sequence for successful installation:

Step 1: Create a GPO and name it

FOR

1. Open Active Directory Users and Computers console

2. Right-click the parent container of all the computer objects (which are added to a group – refer Best Practice above) and select Properties

3. In the properties dialog box that appears, select Group Policy tab. In this tab, click New to create a Group Policy Object.

FOR WINDOWS SERVER 2008 AND LATER

1. Open Group Policy Management console

2. In the left pane, right-click Group Policy Objects container and select New

3. Give a descriptive name to the Group Policy Object and click OK

Step 2: Configure Script settings to run ‘ReinstallAgent.vbs’ at startup

1. Now, right-click the Group Policy Object that you have just created and click Edit to open the GPO Editor

2. In the GPO editor, on the right pane, double-click Computer Configuration > Windows Settings > Scripts (Startup/Shut Down) > Startup (for Windows Server 2008 and later: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shut Down) > Startup)

3. Right-click Startup and select Properties

a. In the Startup Properties dialog box, click Show Files

b. Paste the ReinstallAgent.vbs (script) file in the ‘Startup folder’ window that opens, and then close the window.

c. Click Add in the Startup Properties dialog box.

d. In the Add a Script dialog box do the following:

i. Under Script Name, click Browse and select ReinstallAgent.vbs script.

ii. Under Script Parameters, enter the parameter (see syntax) and click OK

Syntax for the parameter

WINDOWS SERVER 2003

"/MSIPATH:"" /SERVERNAME:"" /PORTNO:"" /FRAMETEXT:"" /BUTTONTEXT:"" /PROD_TITLE:"" /PROTOCOL:"" /WRAPPINGPROVIDER:"" /IMAGEPATH:"""

WINDOWS SERVER 2008 AND LATER

/MSIPATH:"" /SERVERNAME:"" /PORTNO:"" /FRAMETEXT:"" /BUTTONTEXT:"" /PROD_TITLE:"" /PROTOCOL:"" /WRAPPINGPROVIDER:"" /IMAGEPATH:""

Where,

MSIPATH = folder location where ADSelfServicePlusClientSoftware.msi is stored

SERVERNAME = server in which ADSelfService Plus is running

PORTNO = port number through which ADSelfService Plus is running

Client software customization parameters (optional)

FRAMETEXT = description text

BUTTONTEXT = text that appears on the client software button

WRAPPINGPROVIDER = GUID of your third-party GINA/CP extension, if any

IMAGEPATH = folder location of the ‘.bmp’ image file to be used as the client’s icon

EXAMPLE

/MSIPATH:"\\XYZ\Jone\ADSelfServicePlusClientSoftware.msi" /SERVERNAME:"XYZ" /PORTNO:"8888" /FRAMETEXT:"IF you’ve forgotten your password.." /BUTTONTEXT:"Reset Password" /PROD_TITLE:"ADSelfService Plus" /PROTOCOL:"https" /WRAPPINGPROVIDER:"{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}" /IMAGEPATH:"\\XYZ\Jone\key.png"

Note: In Windows Server 2003, the parameters for the script should be enclosed within double quotes to support multiple parameter values.

e. You will return to the Startup Properties dialog box. Click Apply first and then click OK to complete the procedure

Important: Before setting the parameter, check the accessibility of ADSelfServicePlusClientSoftware.msi.
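
The accessibility check above, as an added PowerShell example (not part of the vendor's guide or tooling): startup scripts run as Local System, so clients read the share with their computer account and the installer the script launches runs with system rights. The script confirms the MSI is reachable and lists NTFS entries that let broad groups modify it; the default path is the guide's sample value and the choice of "broad" groups is an assumption.

```powershell
# Added example, not vendor code. The default path is the sample UNC path from this guide.
param([string]$MsiPath = '\\XYZ\Jone\ADSelfServicePlusClientSoftware.msi')

# Assumed "broad" principals: Everyone, Authenticated Users, BUILTIN\Users,
# Domain Users (RID 513) and Domain Computers (RID 515).
$broadSids = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-51[35])$'
# Rights that allow the installer to be altered, replaced or re-permissioned.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriteAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved account: keep the raw name
        }
        if ($sid -match $broadSids) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
    throw "Cannot reach $MsiPath from this session; fix the share or path before setting /MSIPATH."
}

# Anyone who can write to the folder can swap the file, so check both.
$findings = @(Get-BroadWriteAce $MsiPath) + @(Get-BroadWriteAce (Split-Path -Parent $MsiPath))

[pscustomobject]@{
    MsiPath         = $MsiPath
    SignatureStatus = (Get-AuthenticodeSignature -LiteralPath $MsiPath).Status
    BroadWriteAces  = $findings.Count
}
$findings   # one row per entry that needs tightening; empty when none were found
```

This reads NTFS permissions only; share permissions are set separately on the file server and can be listed there with Get-SmbShareAccess.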

Step 3: Important Settings

Once you have completed the above mentioned steps, configure the ‘Administrative Template Settings’ as shown below:

Administrative Template Settings

1. On the left pane of GPO Editor window, go to Computer Configuration > Administrative Templates > System

2. Under System, configure the following settings:

i. Scripts

In the right pane of the GPO editor, double-click Run logon scripts synchronously and Enable it. Click Apply, and then OK.

Double-click Maximum wait for Group Policy scripts and Enable it. Click Apply, and then OK.

ii. Logon

Double‐click Always wait for the network at startup and logon and Enable it. Click Apply, and then OK.

iii. Group Policy

Double‐click Group Policy slow link detection and Enable it. Click Apply, and then OK.

Step 4: Applying the GPO

Once the Administrative Template settings are configured, apply the GPO to the desired computers in the network.

1. On the left pane of the GPO editor, right-click on the GPO you are working on (available on the top left corner of the GPO editor), and select Properties.

2. In the properties dialog box that appears, click the Security tab.

IMPORTANT NOTE: In the Security Tab, remember to uncheck ‘Apply Group Policy’ permission for ‘Authenticated Users’ before proceeding further

3. Now, click Add to open the Select Users, Computers or Groups dialog box. There, click Object Types button and make sure Groups is checked, and then click OK.

4. Enter the name of the group (that contains all the computers set for Client Software installation) and click Check Names. Highlight the desired group and click OK to return to the ‘Security’ tab.

5. The group will now be added to the list of ‘Group or User Names’ under ‘Security Tab’

6. With the newly added group highlighted, apply the following permissions:

Read: Allow
Apply Group Policy: Allow

Click Apply, and then OK.

7. Reboot the computers to apply the GPO and wait till the next startup for Reset Password/Unlock Account link to appear on the Windows logon screen.

To apply the GPO directly to Computers: In case you prefer to apply the GPO directly to computers instead of the group, please follow the steps given below:

a. Follow steps 1 and 2 shown above.

b. Click Object Types button. Make sure Computers is checked. Click OK.

c. Use Check Names to find the necessary computers. Highlight the desired computers you want to add and click OK to return to the ‘Security’ tab.

d. Set Read and Apply Group Policy permissions to Allow for each and every computer that you just added.

e. IMPORTANT NOTE: After completing all these steps, remember to uncheck ‘Apply Group Policy’ permission for Authenticated Users.

f. Reboot all the client machines.

Testing and Diagnostics

To test whether the installation was successful:

1. In the command prompt of your client machines, run gpresult /v.

2. Check whether:

the Group Policy Object you configured appears under the subheading Applied Group Policy Objects.

ReinstallAgent.vbs appears under the subheading Startup scripts.

Diagnostics: Please check “AdsspScriptlog.txt” in the WINDOWS directory, or open Run and type %windir%\AdsspScriptlog.txt
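
The two checks above and the log lookup, as an added PowerShell example (not vendor code) to run from an elevated prompt on a client. The GPO name is a placeholder for the name chosen in Step 1, and the section headings assume an English-language gpresult report.

```powershell
# Added example, not vendor code. $GpoName is a placeholder; use the name you gave the GPO in Step 1.
param([string]$GpoName = 'ADSSP Client Install')

function Get-ReportSection {
    # Returns the non-blank lines that follow $Heading (skipping its dashed
    # underline) up to the first blank line after the section body.
    param([string[]]$Lines, [string]$Heading)
    $found = $false
    $body  = @()
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if (-not $found) {
            if ($text -ieq $Heading) { $found = $true }
            continue
        }
        if ($text -match '^-+$') { continue }
        if ($text -eq '') {
            if ($body.Count) { break } else { continue }
        }
        $body += $text
    }
    $body
}

# Computer-scope results are only returned to an elevated prompt.
$report  = gpresult /scope computer /v
$applied = Get-ReportSection $report 'Applied Group Policy Objects'
$startup = Get-ReportSection $report 'Startup scripts'

[pscustomobject]@{
    GpoApplied          = $applied -contains $GpoName
    StartupScriptListed = [bool]($startup -match 'ReinstallAgent\.vbs')
}

# Diagnostics: show the tail of the script log named in this guide.
$log = Join-Path $env:windir 'AdsspScriptlog.txt'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 20
} else {
    "AdsspScriptlog.txt not found at $log"
}
```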

ADSelfService Plus is an integrated self-service password management and single sign-on solution. It helps improve productivity by allowing users to reset their forgotten passwords, unlock their accounts, and update their contact information in Active Directory. It enhances the end-user experience with a real-time password synchronizer and enterprise single sign-on. ADSelfService Plus’ Android and iOS mobile apps as well as GINA/Credential Provider login agents facilitate self-service actions for end users, anywhere, any time.