Active Directory® User Lifecycle Plugin


The standard tools that ship with Windows Server for managing Active Directory permissions, users and groups are very basic. Admins still perform many of the required tasks manually, even though these tasks have long been established as best practices and therefore must be completed.


The Active Directory User Lifecycle Plugin assists you with the following tasks:

  • Frequent processes, such as creating new users or adapting users who switch departments.

  • All changes are recorded automatically and can be tracked. The plugin helps comply with legal regulations, such as the GDPR, and common standards, such as ISO 27001 or SOX.

  • Through process standardization, certain processes can be completed more quickly and with fewer errors. One such process is resetting user passwords, which usually consumes a disproportionate amount of time for what is, in fact, a very simple procedure. Thanks to the AD User Lifecycle plugin, users can complete this process without needing help from helpdesk staff.


Required License

System Requirements

The following domain environments are supported:

  • Single forest / Single domain
  • Single forest / Multi-domain
  • Multi-forest

The following Windows Server versions are supported for connection to Active Directory:

  • Windows Server 2016
  • Windows Server 2019

Additional Requirements

  • Access via LDAPS must be enabled on the domain controller that is used. The certificate may have to be configured in tenfold.
  • Password reset via SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
  • Depending on the individual configurations, service accounts with corresponding permissions may be required to allow tenfold to monitor and modify data in the Active Directory.

Please note: Samba (and Samba-based solutions) are not supported.



  • Automatic creation of new user objects in Active Directory.
  • Attributes in the AD are set automatically, based on configurable mappings.
  • Automatic selection of correct organizational unit in AD on the basis of user office, department or other attribute(s).
  • Automatic selection of user names according to configurable rules. The system also scans for name duplicates and will generate alternative user names in compliance with these rules.
  • User accounts can be activated either with immediate effect or on a set date and time in the future.
  • Initial passwords are defined according to Active Directory password guidelines. tenfold uses one-time secrets (OTS) to ensure initial passwords are transmitted safely.
  • Automatic assignment of privilege groups and distribution groups, based on user department, position or location.
  • Automatic update of user attributes. Changes are logged and change histories are maintained.
  • If user data changes – e.g. when an employee changes location – user objects that were designated for use in a specific organizational unit in the Active Directory are automatically moved to a different organizational unit.
  • For users who change their names (after getting married, for instance), the system can generate a new user name to accommodate the name change.
  • Automatic adaptation of permission groups and distribution groups, based on user department, position or office. Groups that are no longer needed are removed automatically (if required) and it is possible to schedule a date or time in the future for this action to be executed.
  • Choice between deleting the user account immediately or a “soft-delete” (where the user account is deactivated and moved to a configurable organizational unit).
  • Remove groups (“all groups”, “no groups” or “distribution groups only”)
  • The user account is locked or deleted automatically on the scheduled leaving date.
  • Groups can be assigned to or removed from users individually. This feature can be set to automatic or it can be applied according to employee attributes.
  • Users can make changes themselves via the self-service portal.
  • Data owners for individual groups can be defined. Group memberships are controlled through workflows.
  • Support for security groups and distribution groups.
  • Option to reset own Active Directory password through web portal.
  • Secret questions and/or SMS tokens for user verification.
  • End device with connection to company network is required (PC, tablet, kiosk or similar).
  • Changes are always controlled through workflows. Administrators can govern these workflows using a graphical editor in the web interface.
  • Regular synchronization with Active Directory to ensure changes that were not made via tenfold but in the AD directly are also recognized.

Want to learn more?

Our video demo covers the full range of features
included in our powerful IAM solution.

View Demo
