The OS ESM Module

The OS ESM module uses the Windows OS as an external security manager. It is quite simple, with only a handful of configuration options (for passtoken support), and it only supports ESF Verify (user signon) requests. It uses the Windows LogonUser function to check whether the user has supplied the correct password and is allowed to log into the system. Windows security policy rules such as restricted logon hours will be applied automatically, and if a user's password has expired and they have not supplied a new password, the request will be rejected with a must-change-password status. In other words, an MSS signon using this ESM will behave much like a conventional Windows login.

If the user requested a password change, the ESM module will call the Windows NetUserChangePassword function to attempt to change the password. Again, this is essentially the same as a conventional Windows login where the user specifies a new password.

Note that currently MSS restricts the length of usernames and passwords (see the ES documentation for details). Also, usernames or passwords that use non-ASCII characters may not work correctly.
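The following C sketch is an added illustration of the signon check described above, not the ESM module's own source. The status names, the helper functions and the choice of LOGON32_LOGON_NETWORK are assumptions; only the use of LogonUser and the must-change-password outcome come from this page.

```c
#ifdef _WIN32
#include <windows.h>
#else
/* winerror.h values, repeated so the mapping builds and tests off Windows */
#define ERROR_LOGON_FAILURE        1326L
#define ERROR_ACCOUNT_RESTRICTION  1327L
#define ERROR_INVALID_LOGON_HOURS  1328L
#define ERROR_INVALID_WORKSTATION  1329L
#define ERROR_PASSWORD_EXPIRED     1330L
#define ERROR_ACCOUNT_DISABLED     1331L
#define ERROR_PASSWORD_MUST_CHANGE 1907L
#define ERROR_ACCOUNT_LOCKED_OUT   1909L
#endif

/* Hypothetical outcome names; the real ESF status codes are not shown on this page */
typedef enum { V_OK, V_BAD_CREDENTIALS, V_MUST_CHANGE_PASSWORD,
               V_POLICY_DENIED, V_UNSUPPORTED_CHARS, V_ERROR } verify_status;

/* Translate a LogonUser failure code into a signon outcome */
verify_status map_logon_error(unsigned long err) {
    switch (err) {
    case ERROR_PASSWORD_EXPIRED:
    case ERROR_PASSWORD_MUST_CHANGE: return V_MUST_CHANGE_PASSWORD;
    case ERROR_LOGON_FAILURE:        return V_BAD_CREDENTIALS;
    case ERROR_ACCOUNT_RESTRICTION:
    case ERROR_INVALID_LOGON_HOURS:  /* Windows policy such as restricted hours */
    case ERROR_INVALID_WORKSTATION:
    case ERROR_ACCOUNT_DISABLED:
    case ERROR_ACCOUNT_LOCKED_OUT:   return V_POLICY_DENIED;
    default:                         return V_ERROR;
    }
}

/* Non-ASCII credentials may not work correctly, so flag them before the logon attempt */
int is_ascii(const char *s) {
    while (*s) if ((unsigned char)*s++ > 0x7F) return 0;
    return 1;
}

#ifdef _WIN32
verify_status verify_user(const char *user, const char *domain, const char *pw) {
    HANDLE token = NULL;
    if (!is_ascii(user) || !is_ascii(pw)) return V_UNSUPPORTED_CHARS;
    /* Network logon type is an assumption; the page does not say which type is used */
    if (LogonUserA(user, domain, pw, LOGON32_LOGON_NETWORK,
                   LOGON32_PROVIDER_DEFAULT, &token)) {
        CloseHandle(token);   /* only the verdict is needed, so release the token */
        return V_OK;
    }
    return map_logon_error(GetLastError());
}
#endif
```

Keeping policy denials (logon hours, lockout, disabled account) separate from a wrong password in the returned status makes the two cases distinguishable in signon audit records.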