The Active Directory User Lifecycle plugin provides support for frequently used functionalities and procedures, such as creating new users or adapting users who change departments. All modifications are well-documented and therefore kept transparent. The plugin is furthermore helpful in complying with legal regulations (such as the European General Data Protection Regulation) and common standards (e.g. ISO 27001, SOX, etc.).
It also boosts helpdesk efficiency: Standardizing processes enables certain tasks to be executed faster, which in turn reduces the number of mistakes made. Furthermore, users can independently execute requests that would normally consume disproportionate amounts of helpdesk time and resources (e.g. password reset).
- Automatic creation of new user objects in Active Directory.
- Attributes in the AD are set automatically and in a consistent manner, based on configurable mappings.
- Automatic selection of the correct organizational unit in AD on the basis of the user’s office, department or other attribute(s).
- Automatic selection of user names according to configurable rules. The system also scans for name duplicates and will generate alternative user names in compliance with these rules.
- User accounts can be activated either with immediate effect or on a set date and time in the future.
- Initial passwords are defined according to Active Directory password guidelines. Initial passwords are sent to the supervisor(s) or any other selected e-mail address.
- Automatic assignment of privilege groups and distribution groups, based on the user’s department, position or location.
- Automatic update of user attributes. Changes are logged and can be accessed historically.
- If user data are modified – e.g. when an employee changes location – user objects that were designated for use in a specific organizational unit in the Active Directory are automatically moved to a different organizational unit.
- If the user’s first or last name is changed, the system can generate a new, matching user name (if needed).
- Automatic adaptation of permission groups and distribution groups, based on the user’s department, position or office. Groups that are no longer needed are removed automatically (if required), and this action can be scheduled for a date or time in the future.
Locking and deleting users
- Choice between deleting the user account immediately or a “soft-delete” (where the user account is deactivated and moved to a configurable organizational unit).
- Removal of groups (“all groups”, “no groups” or “distribution groups only”).
- The user account is locked or deleted automatically on the scheduled leaving date.
- Groups can be assigned to or removed from users individually. This feature can be set to automatic or it can be applied according to employee attributes.
- Users can implement modifications themselves via the user interface or self-service interface.
- Definition of data owners for individual groups. Assigning and removing group memberships is controlled through workflows.
- Support for security groups and distribution groups.
- Option for users to reset their own Active Directory password through a web portal.
- Secret questions and/or SMS tokens for user verification.
- An end device connected to the company network is required (PC, tablet, kiosk or similar).
- All modifications are controlled by workflows. Administrators can govern these workflows using a graphical editor in the web interface.
- Regular synchronization with current data in the Active Directory to keep a record of modifications that were not made using tenfold.
The following domain environments are supported:
- Single forest / Single domain
- Single forest / Multi-domain
The following Windows Server versions are supported for connection to Active Directory:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Access via LDAPS must be activated on the domain controller that is used. The certificate may have to be configured in tenfold.
- Password reset through SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
- Depending on the individual configurations, service accounts with corresponding permissions may be required to allow tenfold to monitor and modify data in the Active Directory.
Please note: Samba (and Samba-based solutions) are not supported.