The Benefits of Automated User Management in Active Directory
The Active Directory service is the foundation of all Windows-based corporate networks. However, Windows unfortunately does not provide any good out-of-the-box tools for automating some of the most essential object management tasks. To stick to the recommended best practices using the given standard tools means that many processes still have to be completed manually – usually by some poor admin, whose skills would much better be invested elsewhere.
tenfold’s User Lifecycle Plugin allows users to be created, modified and deleted in the Active Directory automatically. Through regular synchronization with the connected HR system, for example, tenfold is able to recognize when a new employee joins the company and automatically creates a new user object for that person. Based on certain user attributes, such as location and department, tenfold adds new objects automatically to the correct organizational unit.
Automatic creation of new user objects in the Active Directory
Consistent and automatic setting of correct attributes in Active Directory, based on configurable mappings.
Automatic selection of correct organizational unit in AD on the basis of office, department or other user attribute(s).
Automatic selection of user names according to configurable rules. Names are scanned for duplicates and alternative user names are generated in compliance with these rules.
User accounts can be activated, either with immediate effect or on a set date and time in the future.
Initial passwords are defined according to Active Directory password guidelines. tenfold uses one-time secrets (OTS) to ensure initial passwords are transmitted safely.
Automatic assignment of privilege groups and distribution groups, based on user department, position or location.
User attributes are updated automatically, changes logged and historicized.
If user data changes – e.g. when an employee changes location – user objects that were designated for use in a specific organizational unit in the Active Directory are automatically moved to the new appropriate organizational unit.
For name changes (e.g. after marriage), the system can generate a new user name to accommodate the name change.
Automatic adaptation of permission groups and distribution groups, based on user department, position or office. Groups that are no longer needed are removed automatically (if required) and it is possible to schedule a date and time in the future for this action to be executed.
Choice between deleting user account immediately or “soft-delete”, where the user account is deactivated and moved to a configurable organizational unit.
Remove groups (“all groups”, “no groups” or “distribution groups only”).
The user account is locked or deleted automatically on the scheduled leaving date.
Groups can be assigned to or removed from users individually. This feature can be set to automatic or based on user attributes.
Users can request and trigger changes themselves using tenfold’s self-service portal.
Define data owners for individual groups. Group memberships are controlled through workflows.
Support for security groups and distribution groups.
Option for users to reset own Active Directory password through web portal.
Secret questions and/or SMS tokens for user verification.
End device with connection to company network is required (PC, tablet, kiosk or similar).
Changes can always be controlled through workflows. Administrators can govern these workflows using a graphical editor in the web interface.
Regular synchronization with the actual data in the Active Directory to ensure changes that were not made via tenfold but directly in AD are also recognized.