Customize Windows Login Screen with Hyperlink for self service

Hello,

I have web applications for resetting passwords and unlocking accounts (self service). I need to integrate this solution with the users' login screen inside the organization.

By letting the users press a Forgot Password or Self Service link under the login screen, it will then open a web browser with a predefined page for our solution.

Is this doable or not? We have Windows 10 & Windows 8.1 machines in the channel.

Regards,
fadyazAsked:
McKnifeCommented:
I don't think it's doable for the following reason:
The logon screen is shown without anyone being logged on. Any application that you try to integrate into that screen will be launched without authentication, so it will run with system permissions (highest local permissions) which is a potential security risk.

It would be better to set up something like an assigned access user that may only start a browser. Are you familiar with assigned access? That would be suitable and that could be deployed.
0
fadyazAuthor Commented:
Thanks for your reply, McKnife. Can you please explain more about assigned access and the suggested steps?
0
McKnifeCommented:
For a test: create a weak local user account "testuser".
As an administrative user, open an elevated PowerShell and launch
Set-AssignedAccess -UserName testuser -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

Now log on as testuser and see if Edge starts and if you can reach your self service page.

(tested here on win10 v1709)
0

fadyazAuthor Commented:
Amazing idea, but does it work with Windows 8.1?
0
McKnifeCommented:
I don't know, I tested only with 10. Assigned access had bugs on previous versions of win10 - no idea whether it is fixed on 8.1. But assigned access did already exist on 8.1 - try it out.
0
Ajay ChananaMCSE-2003/08|RHCSA| VCP5/6 |vExpert2018Commented:
Though the above cannot be customised, Windows has already given you a provision to create a password recovery disk/USB.

For the self service portal, the user can access it from any other system, or log in to the local guest account and access it.

The above are workarounds; I hope that helps.
0
fadyazAuthor Commented:
McKnife, thanks a lot, it worked fine for me, but is there a way to run it without the web bar and for it to open a specific web page?

Or found a way to run Internet Explorer in kiosk mode, but can I force Internet Explorer to run instead of Edge?
0
McKnifeCommented:
The idea was: don't open a security hole just for a password reset. So I voted for assigned access which, as far as I know and heard, is flawless when it comes to security. If you wanted to use Internet Explorer, you cannot use assigned access, since IE is not a modern app and assigned access is limited to modern apps. So please decide what is more important, security or comfort.

I have no idea how to set a start page on edge inside of assigned access, but let me try. Hang on.
0
McKnifeCommented:
Ok, tested.
You can set a start page as you always would: using GPOs for Edge. Make a user GPO apply to that reset user (testuser) that sets it. Works.
0
McKnifeCommented:
You should also disable that reset user when other accounts are logged on so that it cannot be used for anything but assigned access.
That can be achieved by deploying a scheduled task that disables the account whenever someone logs on.
0
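One way to build the scheduled task described in the comment above, as an added example that is not part of the thread or any participant's own code. It assumes the local account testuser already exists with assigned access configured as shown earlier; the task names, the script folder, the use of Win32_ComputerSystem to identify the console user, and the second task that re-enables the account at startup are assumptions made here.

```powershell
# Added example, not from the thread. Run once from an elevated PowerShell.
# Assumed names: task names, script folder; 'testuser' is the account from the thread.
$Kiosk  = 'testuser'
$Dir    = Join-Path $env:ProgramFiles 'ResetKiosk'   # standard users cannot write here
$Script = Join-Path $Dir 'Set-ResetUserState.ps1'
$PsExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

Get-LocalUser -Name $Kiosk -ErrorAction Stop | Out-Null   # fail early if the account is missing
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Script run by both tasks as SYSTEM.
@'
param(
    [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Mode,
    [Parameter(Mandatory)][string]$Account
)
if ($Mode -eq 'Enable') { Enable-LocalUser -Name $Account; return }
# Console user as DOMAIN\name; empty when nobody is on the console (for example RDP only).
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
# Skip the reset account's own logon, otherwise the kiosk would lock itself out.
if ($user -and ($user -split '\\')[-1] -ne $Account) { Disable-LocalUser -Name $Account }
'@ | Set-Content -Path $Script -Encoding UTF8

function New-StateAction([string]$Mode) {
    $arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$Script`" -Mode $Mode -Account $Kiosk"
    New-ScheduledTaskAction -Execute $PsExe -Argument $arguments
}
$system = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Disable the reset account whenever any user logs on (the step described in the thread).
Register-ScheduledTask -TaskName 'ResetKiosk-DisableOnLogon' -Principal $system `
    -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Action (New-StateAction 'Disable') | Out-Null

# Assumption added here: re-enable it at boot so it is usable from the logon screen again.
Register-ScheduledTask -TaskName 'ResetKiosk-EnableAtStartup' -Principal $system `
    -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-StateAction 'Enable') | Out-Null
```

With only these two tasks the reset account stays disabled after another user logs off until the machine is restarted.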
fadyazAuthor Commented:
Appreciate your help on this.
0
McKnifeCommented:
Welcome.
0