Password reset requests and account unlocks are among the most common, and most avoidable, tickets that IT help desks handle every day. Industry estimates consistently show that password-related issues account for 30 to 50 percent of all help desk calls. For a mid-size organization, that translates to dozens of hours of technician time spent on entirely repetitive, low-value tasks every month. ManageEngine ADSelfService Plus eliminates this overhead by giving users the tools to reset their own passwords and unlock their own accounts securely, without any IT involvement, while simultaneously strengthening organizational identity security through multi-factor authentication and enterprise single sign-on.
Developed by ManageEngine (a Zoho Corporation division), ADSelfService Plus brings together three core identity security capabilities in a single platform: Self-Service Password Reset (SSPR), Multi-Factor Authentication (MFA), and Single Sign-On (SSO). The result is a lighter help desk load, a stronger security posture, and a better experience for end users across the organization.
What Is ManageEngine ADSelfService Plus?
ADSelfService Plus is an identity security solution built for organizations using Microsoft Active Directory, Azure AD (Entra ID), or hybrid environments combining both. It allows users to reset forgotten passwords, unlock locked accounts, and update their directory profile without waiting for an IT administrator — through a secure web portal, a mobile app (iOS and Android), or directly from the Windows, macOS, or Linux login screen.
Beyond self-service, ADSelfService Plus enforces MFA across a wide range of access points: Windows and macOS logins, VPN access, Outlook Web App, web applications, and cloud services. Adaptive MFA policies allow the platform to adjust authentication requirements based on contextual factors like location, IP address, device, and time of access — supporting a practical Zero Trust architecture without friction for legitimate users.
Key Features of ManageEngine ADSelfService Plus
1. Self-Service Password Reset (SSPR)
Users can reset their Active Directory passwords from anywhere — the web portal, the mobile app, or the Windows/macOS/Linux login screen — without contacting the help desk. Remote users working off the corporate network are fully supported. The process is secured by identity verification through one or more configured MFA methods before the reset is permitted.
2. Self-Service Account Unlock
Account lockouts are one of the most disruptive events for users, particularly in 24/7 environments. ADSelfService Plus lets users unlock their own accounts after passing identity verification, eliminating the wait for an available IT technician regardless of the hour. Organizations running shift-based or round-the-clock operations particularly benefit from this capability.
3. Multi-Factor Authentication (MFA)
ADSelfService Plus supports a broad range of authentication methods, giving administrators flexibility in matching security requirements to user context:
- Authenticator apps (Google Authenticator, Microsoft Authenticator)
- SMS OTP
- Email OTP
- Biometrics (Windows Hello, Apple Face ID/Touch ID, Android fingerprint)
- FIDO2 security keys (YubiKey, Google Titan Key)
- Push notifications
- Duo Security
- Smart cards
- Security questions
MFA can be enforced for self-service actions, endpoint logins (Windows, macOS, Linux), VPN connections via RADIUS, OWA, RDP sessions, and cloud application access. Offline MFA for macOS is supported, allowing authentication even without an internet connection — an important capability for remote or traveling users.
4. Single Sign-On (SSO)
The Professional edition enables users to access more than 100 cloud applications with a single set of Active Directory credentials — no repeated logins across services. SSO uses industry-standard SAML 2.0 and OIDC protocols and works with applications including Microsoft 365, Google Workspace, Salesforce, Slack, Zoom, ServiceNow, Dropbox, and many others. This eliminates password fatigue, reduces shadow IT, and streamlines application onboarding for new employees.
5. Password Synchronization
When a user changes their Active Directory password, ADSelfService Plus automatically propagates that change to connected systems — Microsoft 365, Google Workspace, IBM iSeries, and other configured targets. This keeps credentials consistent across platforms and eliminates the common scenario where a user updates their AD password but is then locked out of their email or other services.
6. Advanced Password Policy Enforcer
ADSelfService Plus extends password policy enforcement beyond what native Active Directory can offer. Administrators can define granular rules such as prohibiting the use of the username in the password, mandating specific character types, setting minimum and maximum lengths, and checking new passwords against the Have I Been Pwned database of compromised credentials. A real-time password strength meter guides users toward stronger choices during the reset or change process.
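The rule types listed above can be sketched as a small validator. This is an added example, not ADSelfService Plus code: the thresholds, function names, and sample passwords are assumptions, and the breach check follows the public Have I Been Pwned range model (only the first five hex characters of the SHA-1 hash leave the host), served here from a constructed local sample so it runs offline.

```python
import hashlib
import re

# Constructed sample standing in for the remote breached-password corpus.
BREACHED_SAMPLE = ["Password1!", "Summer2024!", "qwerty123"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Group SHA-1 hashes by 5-char prefix, the shape a range service returns."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_breached(password, range_lookup):
    """Send only the hash prefix; compare the returned suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def check_password(username, password, range_lookup,
                   min_len=12, max_len=64, min_classes=3):
    """Return the list of violated rules; an empty list means accepted.
    The default thresholds are assumptions, not product defaults."""
    violations = []
    if not min_len <= len(password) <= max_len:
        violations.append("length")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < min_classes:
        violations.append("character_types")
    if username and username.lower() in password.lower():
        violations.append("contains_username")
    if is_breached(password, range_lookup):
        violations.append("breached")
    return violations

INDEX = build_range_index(BREACHED_SAMPLE)

def local_lookup(prefix):
    """Offline stand-in for a range query keyed by the 5-char prefix."""
    return INDEX.get(prefix, set())

if __name__ == "__main__":
    for candidate in ["Summer2024!", "Jsmith-Blue-Kettle-42", "correct-Horse-7-battery"]:
        print(candidate, check_password("jsmith", candidate, local_lookup))
```

Returning every violated rule at once, rather than stopping at the first, is what lets a strength meter show the user all remaining fixes in one pass.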
7. Password Expiry Notifications
ADSelfService Plus sends automated email and SMS alerts to users as their password expiration date approaches. Configurable reminders can be sent days in advance, giving users time to change their password before their account is locked. This proactive approach directly reduces account lockout incidents and related help desk calls.
8. Self-Service Directory Updates & Employee Search
Users can update their own directory attributes — phone number, address, job title, department — directly from the self-service portal. Administrators control which fields are editable. The platform also provides a searchable employee directory and organizational chart, helping users quickly find colleagues and understand reporting structures without requiring IT involvement.
9. Endpoint MFA
The Endpoint MFA module extends identity verification to the operating system login level. Users must verify a second factor in addition to their password when logging into Windows, macOS, or Linux machines. This prevents someone with physical access to a device from logging in with a known password alone. Endpoint MFA also supports VPN authentication via RADIUS, OWA, and other IIS-hosted web applications.
10. Adaptive MFA & Zero Trust Support
Adaptive MFA evaluates contextual signals — user location, IP address, device type, time of day — to determine the appropriate level of authentication for each access attempt. Users connecting from familiar office IPs during normal hours may face reduced friction, while access from unusual locations or devices triggers stronger verification requirements. This risk-based approach balances security with usability and underpins a practical Zero Trust implementation.
Editions & Pricing
Free Edition
A permanently free edition is available for up to 50 users and supports most core features including SSPR, account unlock, password sync, and expiry notifications. It includes the Standard edition of Endpoint MFA for up to 10 users. This edition never expires and is a genuine option for small organizations or teams looking to evaluate the platform without a time limit.
Standard Edition
Adds full SSPR, account unlock, password sync, password policy enforcement, expiry notifications, self-service directory updates, MFA for self-service actions, and Endpoint MFA. Pricing starts at $595/year for 500 users — approximately $1 per user per year, making it one of the most cost-effective identity security investments available. A perpetual license option is also available.
Professional Edition
Adds SSO for cloud applications, adaptive MFA, advanced endpoint security, and full Zero Trust capabilities on top of all Standard features. Pricing starts at $1,195/year for 500 users. The Professional edition is recommended for organizations with significant cloud application adoption or those pursuing a formal Zero Trust strategy.
Both editions support annual subscription and perpetual license models. For organizations with over 5,000 users, custom quotes are available directly from ManageEngine.
ROI: Quantifying the Cost Savings
The return on investment from ADSelfService Plus is straightforward to calculate. Each password reset handled by the help desk takes 15 to 30 minutes of technician time. An organization with 500 users dealing with 3 password-related tickets per day spends roughly 375 hours per year on this single task. ManageEngine reports that ADSelfService Plus customers typically see a reduction in password-related help desk tickets of up to 70 percent. At the Standard edition price of $595/year for 500 users, the cost savings from reduced ticket volume typically exceed the license cost within the first few months of deployment.
Certifications & Compliance Support
ADSelfService Plus helps organizations meet the MFA and password policy requirements of major compliance frameworks including NIST 800-63, HIPAA, SOX, GDPR, and PCI DSS. The platform provides comprehensive audit trails of all self-service actions, account unlock events, SSO logins, and directory changes — records that are essential for compliance reporting and security investigations.
Integration with ManageEngine Ecosystem
ADSelfService Plus is a natural complement to other ManageEngine identity and access management tools:
- ADManager Plus: Full AD user lifecycle management alongside self-service capabilities
- ADAudit Plus: Extended audit and reporting coverage for all self-service events
- ServiceDesk Plus: Password reset requests can be automatically managed as service desk tickets
- AD360: ADSelfService Plus is a core component of the AD360 unified IAM suite
System Requirements (On-Premises)
- OS: Windows Server 2008 R2 or later (recommended: Windows Server 2016/2019/2022)
- CPU: Minimum 2 cores (4 cores recommended)
- RAM: Minimum 4 GB (8 GB recommended)
- Disk: Minimum 40 GB free space
- Database: Bundled PostgreSQL or Microsoft SQL Server
- Browser: Chrome, Firefox, Edge (latest versions)
- Active Directory: Windows Server 2003 or later
ADSelfService Plus vs. Competitors
In the self-service password management and MFA space, ADSelfService Plus is often compared to Microsoft Entra ID Self-Service Password Reset, Okta, and Cisco Duo. Against Microsoft’s built-in SSPR, ADSelfService Plus offers significantly richer password policy enforcement, on-premises deployment, and deeper reporting without requiring Azure AD Premium licensing. Compared to Okta and Duo, it provides a more integrated on-premises AD experience at a substantially lower price point — approximately $1 per user per year versus $3–6+ for comparable cloud-based identity services.
Frequently Asked Questions (FAQ)
Does ADSelfService Plus require agents on user machines?
For web portal and mobile-based password resets, no agent is needed. A lightweight agent is required on endpoints for login-screen password reset and Endpoint MFA functionality. The agent is deployable via Group Policy or software distribution tools.
Can users reset passwords without being connected to the corporate network?
Yes. Users can reset passwords through the web portal or mobile app without a VPN connection. The login-screen reset feature on Windows also works for domain-joined machines that are not currently connected to the network, using cached credentials validation combined with MFA.
Does ADSelfService Plus support hybrid AD + Azure AD (Entra ID) environments?
Yes. ADSelfService Plus fully supports hybrid environments. Password resets, account unlocks, MFA enforcement, and SSO capabilities extend to both on-premises AD and Azure AD (Entra ID) users from a single management console.
How many MFA methods can be configured simultaneously?
Multiple MFA methods can be enabled simultaneously and made available to users. Administrators can define policies requiring users to register and use specific methods, or allow users to choose from a set of approved options. Different MFA policies can be applied to different AD organizational units or security groups.
Is there a mobile app for end users?
Yes. ADSelfService Plus includes iOS and Android apps that allow users to reset passwords, unlock accounts, approve push notification MFA requests, and access the SSO application dashboard from their mobile devices.
What audit logs does ADSelfService Plus maintain?
The platform logs all self-service actions including password resets, account unlocks, failed MFA attempts, SSO logins, profile updates, and administrative configuration changes. Logs can be exported and integrated with SIEM solutions. Integration with ADAudit Plus provides additional correlation and alerting capabilities.
Is a perpetual license available?
Yes. ADSelfService Plus is available under both annual subscription and perpetual license models. The perpetual license is a one-time purchase; only the annual maintenance and support fee is renewed each year.
Can ADSelfService Plus sync passwords across multiple domains?
Yes. Multi-domain and multi-forest environments are supported. A password change in one domain can be automatically synchronized to other configured domains and connected cloud services simultaneously.
What happens after the 30-day evaluation expires?
After the 30-day evaluation period (which includes all Professional edition features), the installation automatically converts to the Free edition for up to 50 users. No data is lost. To restore full functionality for more users, a Standard or Professional license can be applied at any time.
Does ADSelfService Plus support RADIUS for VPN MFA?
Yes. ADSelfService Plus includes a built-in RADIUS server component, allowing it to act as an MFA layer for VPN solutions that support RADIUS authentication. This enables MFA enforcement for VPN access without requiring changes to the VPN infrastructure itself.
Conclusion
ManageEngine ADSelfService Plus delivers measurable, fast-return value: it reduces help desk overhead from day one while simultaneously hardening the organization’s identity security posture. At a starting price of approximately $1 per user per year for the Standard edition, it is one of the most cost-effective investments an IT team can make. For organizations already using other ManageEngine products, ADSelfService Plus is a natural and tightly integrated addition. For those evaluating standalone identity security tools, it competes effectively against solutions costing three to five times as much. Whether your priority is reducing help desk volume, enforcing MFA across all endpoints, enabling cloud application SSO, or building toward Zero Trust, ADSelfService Plus provides a clear and practical path to each of these goals.



