Local user MFA in ADSelfService Plus

Local users are accounts that are created and stored directly on a single computer, with no central management through a network domain. These accounts authenticate using locally stored credentials and are only accessible on the machine where they were created. They can exist on both stand-alone and domain-joined systems and are often used for administrative tasks, Workgroup environments, or offline systems that do not depend on a centralized directory like Active Directory (AD).

ADSelfService Plus helps administrators secure these local accounts using MFA for various actions, including:

Device-based machine MFA can be enabled for the following types of machines:

This guide walks you through the steps to enable and configure local user MFA.

Configuration Steps

1. Enabling local user MFA

To get started, you must first enable local user MFA. To do this:

  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Configuration > Self-Service > Multi-Factor Authentication.
  3. Click Local User MFA settings at the top-right of the page.
  4. In the pop-up that appears, check the box next to Enable local user MFA.
  5. Click Save.

This creates a virtual domain within ADSelfService Plus called LocalUsers.domain. Local users, and the Workgroup (non-domain) Windows computers on which the login agent is installed, are grouped under this domain.

Note:
  • Local User MFA is available only with the Professional edition of ADSelfService Plus with Endpoint MFA.
  • It is currently supported only on Windows machines.

2. Configuring MFA for local users

After enabling local user MFA, follow these steps to configure authenticators:

Step 1: Choose the local user policy

  1. Navigate to Configuration > Self-Service > Multi-Factor Authentication and select LocalUsers.domain from the Choose the Policy drop-down.
  2. Enable the required authenticators: Click the Authenticators Setup tab and set up the authenticators required for local user MFA.
Supported authenticators for Online MFA:
Supported authenticators for Offline MFA:

Step 2: Assign MFA methods for local logins

Navigate to MFA for Endpoints > MFA for Machine Logins.

  1. Specify which authenticators local users must verify with during Windows machine logins. If needed, you can configure offline MFA as well, so that verification still works when the machine cannot reach the ADSelfService Plus server.
  2. Go to Advanced to protect the following login scenarios with the configured MFA methods:
    • Machine unlocks
    • RDP logins
    • UAC prompts
  3. You can also navigate to Configuration > Administrative Tools > GINA/mac/Linux Installation > Installed Machines > Advanced Machine MFA settings to configure device-based machine MFA. This protects the Windows machine regardless of whether the user attempting to log in is enrolled, and it takes precedence over the other machine login configurations on both domain-joined and Workgroup machines.
Note: If device-based MFA is enabled on domain-joined machines, it takes precedence over the local user MFA settings.

Step 3: Installing the login agent

Local user MFA works by linking the Windows machine with the ADSelfService Plus server via the ADSelfService Plus Windows login agent. You must install this agent on every (domain-joined or Workgroup) machine where MFA is needed.

Note: To use Local User MFA, the Windows login agent must be version 6.12 or later. If an earlier version is already installed on domain-joined machines, it must be updated to version 6.12 or later.
Installation options:

On domain-joined machines: You can install the ADSelfService Plus login agent on domain-joined Windows machines manually, via a GPO, or through tools like Microsoft Configuration Manager or ManageEngine Endpoint Central.

On Workgroup machines: The login agent cannot be installed, updated, or managed remotely on Windows Workgroup (non-domain) machines from within ADSelfService Plus. You will need to perform these actions manually on each machine, or through tools like Microsoft Configuration Manager or ManageEngine Endpoint Central.
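Because the agent on Workgroup machines cannot be inventoried from the product, the 6.12 minimum above has to be verified on each machine yourself. The following PowerShell check is an added example, not code from ManageEngine or from the login agent: it reads the machine's Uninstall registry keys and compares the recorded version against the minimum. It assumes the agent registers an uninstall entry whose DisplayName contains "ADSelfService Plus"; adjust $NamePattern if the entry on your machines is named differently.

```powershell
# Added example (not ManageEngine's code): verify the local login agent version
# before relying on local user MFA on this machine.
# ASSUMPTION: the agent's uninstall entry has a DisplayName containing $NamePattern
# and a DisplayVersion in dotted numeric form.
$MinimumVersion = [version]'6.12'
$NamePattern    = 'ADSelfService Plus'

function Get-LoginAgentVersion {
    # Both native and WOW6432Node uninstall hives, in case of a 32-bit installer.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$NamePattern*" } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-LoginAgentVersion {
    param([string]$Installed, [version]$Minimum)
    $parsed = $null
    if (-not [version]::TryParse($Installed, [ref]$parsed)) { return $false }
    return $parsed -ge $Minimum
}

$installed = Get-LoginAgentVersion
if (-not $installed) {
    Write-Output "Login agent not found: install version $MinimumVersion or later before enabling local user MFA on this machine."
} elseif (-not (Test-LoginAgentVersion -Installed $installed -Minimum $MinimumVersion)) {
    Write-Output "Login agent $installed is below the minimum: update to $MinimumVersion or later."
} else {
    Write-Output "Login agent $installed meets the minimum ($MinimumVersion)."
}
```

Run it in an elevated PowerShell session on the machine itself; to run it against several Workgroup machines at once you would wrap it in Invoke-Command, which on non-domain machines requires WinRM to be enabled and the targets to be in the WinRM TrustedHosts list of the machine you run it from.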

Step 4: Enrolling and Managing Local User Accounts

After the login agent is installed on the relevant Windows machines, you need to import and enroll local user accounts. To do so:

  1. Go to Configuration > Administrative Tools > Quick Enrollment.
  2. From the Select the policy drop-down, choose LocalUsers.domain.
  3. You can enroll users using:
    • CSV Import: Navigate to Quick Enrollment > Import enrollment data from CSV file.
    • External Database: Navigate to Quick Enrollment > Import enrollment data from external database.
Users imported via either method are listed under LocalUsers.domain.
Note:
  • Self-enrollment is currently not supported for Windows local users. Only the admin can enroll local users and manage their enrollment information.
  • A local user cannot be enrolled if their username is the same as that of another local user who is already enrolled.
  • If the username of a local user who has already been enrolled is changed on the machine, the user must be re-enrolled in the product using the new username.
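Because enrollment is keyed by username and a name that is already enrolled cannot be enrolled again, it is worth inventorying the local accounts on your Workgroup machines before building the import file. The following PowerShell script is an added example, not code from ManageEngine: it collects the enabled local accounts from a list of machines, flags usernames that occur on more than one machine, and writes the remaining accounts to a CSV. It assumes WinRM is reachable on each machine with the credential you supply, and the output column names are placeholders for you to map onto the layout that the product's Quick Enrollment CSV import expects; the machine names are a constructed sample.

```powershell
# Added example (not ManageEngine's code): inventory local accounts across
# Workgroup machines and surface username collisions before Quick Enrollment.
# ASSUMPTIONS: WinRM is enabled on each target and they are in this host's
# TrustedHosts; $Machines is a constructed sample; CSV column names are placeholders.
$Machines   = @('WKG-PC01', 'WKG-PC02', 'WKG-PC03')
$Credential = Get-Credential -Message 'Local administrator on the Workgroup machines'

function Get-WorkgroupLocalUsers {
    param([string[]]$ComputerName, [pscredential]$Credential)
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        # Only enabled accounts can log in, so only they need MFA enrollment.
        Get-LocalUser | Where-Object { $_.Enabled } |
            Select-Object Name, SID, @{ n = 'Machine'; e = { $env:COMPUTERNAME } }
    } | Select-Object Machine, Name, SID
}

function Find-DuplicateUserNames {
    # Groups by username; any group with more than one member is a collision that
    # the product will refuse to enroll twice.
    param([object[]]$Users)
    @($Users | Group-Object -Property Name | Where-Object { $_.Count -gt 1 })
}

$users    = Get-WorkgroupLocalUsers -ComputerName $Machines -Credential $Credential
$dupes    = Find-DuplicateUserNames -Users $users
$dupNames = @($dupes | ForEach-Object { $_.Name })

foreach ($group in $dupes) {
    $where = ($group.Group.Machine -join ', ')
    Write-Warning "Username '$($group.Name)' exists on $where; only one of these can be enrolled under that name."
}

# Unique usernames only. The SID is kept so a later rename on the machine (same SID,
# new name, which requires re-enrollment) can be spotted by diffing against this file.
$users | Where-Object { $dupNames -notcontains $_.Name } |
    Select-Object @{ n = 'UserName'; e = { $_.Name } }, Machine, SID |
    Export-Csv -Path .\local-users-for-enrollment.csv -NoTypeInformation

Write-Output "Wrote $(@($users | Where-Object { $dupNames -notcontains $_.Name }).Count) unique accounts; $($dupes.Count) colliding usernames reported."
```

Expect the built-in Administrator account to be reported on every machine where it is enabled: that is exactly the collision the note above describes, so decide up front which machine's Administrator (if any) gets the enrollment, or rename the others before importing.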

Manage Enrolled Users

Admins can track enrollment, activity, failures, agent deployment, and authenticator usage from the following reports:

Manage agent-installed machines

Once deployed, view all systems with the login agent installed under: Configuration > Administrative Tools > GINA/mac/Linux Installation > Installed Machines.


This report can be viewed for both domain-joined and Workgroup Windows machines.

Workgroup machines on which the agent is installed appear under LocalUsers.domain.

Copyright © 2025, ZOHO Corp. All Rights Reserved.