How to remove the force enrollment pop-up (ADSelfService_Enroll.hta) logon script applied to all users in AD
Objective
This article guides you through the process of removing the ADSelfService_Enroll.hta logon script from all users in your AD environment. This is necessary when the script was inadvertently applied to all users instead of a specific OU or group via ADSelfService Plus policy configuration.
Prerequisites
Administrator access to the primary domain controller and the ADSelfService Plus console.
PowerShell should be installed on the domain controller.
Active Directory module for PowerShell should be installed.
Steps to follow
Step 1: Modify the ADSelfService Plus policy configuration
Log in to the ADSelfService Plus administrative console.
Navigate to Configuration > Self-Service > Policy Configuration.
Locate and edit the policy that applied the logon script.
Modify the policy to select only the intended OUs or groups.
Save the changes.
Step 2: Remove the logon script via PowerShell
Open PowerShell as an administrator on your domain controller.
Import the Active Directory module using the command import-module activedirectory
Execute the following command to remove the ADSelfService_Enroll.hta script from all user accounts
get-aduser -filter {scriptPath -like 'ADSelfService_Enroll.hta'} | Set-ADUser -Clear scriptPath This command finds all users with the specified script path and clears the script path attribute.
Validation and confirmation
- Log in to a domain computer as a user who is not included in the ADSelfService Plus policy configuration.
- Verify that the force enrollment pop-up does not appear during login.
Best practices
- When configuring ADSelfService Plus policies, always select specific OUs or groups to avoid applying settings to unintended users.
- Test policy changes in a test environment before implementing them in production.
- Regularly review the logon scripts assigned to users to ensure they are still necessary.
How to reach support
If the issue persists, contact our support team here.New to ADSelfService Plus?
Related Articles
How to enable Partial Enrollment for Active Directory users in ADSelfService Plus
Active Directory domain users need to complete enrollment with ADSelfService Plus before they can use the below listed features: Self-service password reset Self-service account unlock Endpoint multi-factor authentication ADSelfService Plus' logon ...How to automatically enroll users with ADSelfService Plus using an external database?
Privileges The ADSelfService Plus server should have permission to access the external database server. SELECT privilege over the database table(s) for the user account that will be querying the external database. This should be an account in the ...How to enable force enrollment of users based on their OU(s) and group(s) using login script in ADSelfService Plus?
Solution The Force Enrollment using Login Script feature of ADSelfService Plus allows you to forcefully enroll the un-enrolled users with a login script. You can schedule the execution of a login script to enable force enrollment. Only after the ...How to automatically enroll new users for self-password reset with CSV files?
With a multitude of users, ensuring them to enroll for password expiry notifications can be a cumbersome process. Despite the reminders, when the user fails to enroll, the administrator’s intervention becomes mandatory. With ADSelfService Plus' Auto ...How to modify a specific authenticator enrolled by a user?
Once the user has enrolled with the enabled authenticators in ADSelfService Plus, they may want to modify the enrollment information. This article explains the multiple methods to modify authenticator enrollment modification. Self-modification of the ...