Regarding AD Self Service Plus Forced enrollment, there is little doco on this and given the fact that it could effect large numbers of users in a large directory I need to know more about it.

 

Apparently it edits the logon script. Is this the per user logon script you can set when you open one user's properties in AD?  Will this interfere with a logon script applied by group policy?

 

Is there a way to have it only apply to certain OU's or users rather than have it apply to all non-enrolled accounts?  What happens with service accounts and administrative accounts that we don't want to be affected?

 

How can I test this on a couple of users before I rollout globally?

I looked in the hta file and it has a line saying: msgDisplay serverURL=" http://localhost:8888"

Is this modified when you enable forced enrollment?

If I run the hta without modifying it I get a popup saying "Server unreachable right now"

I tried changing this to our selfservice URL ( https://selfservice.mycompany.com.au:443)  and running it on my desktop but nothing happens. You see a popup flash and then disappear moments later, too fast to even see what was on it.