The Active Directory User Lifecycle plugin provides support for frequently used functionalities and procedures, such as creating new users or adapting users who change departments. All modifications are well documented and therefore kept transparent. The plugin is furthermore helpful in complying with legal regulations (such as the European General Data Protection Regulation) and common standards (e.g. ISO 27001, SOX).
It also boosts helpdesk efficiency. By standardizing processes, certain tasks can be executed faster and the number of mistakes is reduced. Users are able to carry out certain requests independently, for instance password resets, that would normally consume disproportionate amounts of helpdesk time and resources.
- New user objects are created automatically in the Active Directory.
- Attributes in the AD are set automatically and in a consistent manner, based on configurable mappings.
- The correct organizational unit in the AD is selected automatically, according to the user’s office, department or other attributes.
- User names are determined automatically, based on configurable rules. The system also scans for name duplicates and is able to generate alternative user names in compliance with these rules.
- User accounts can be activated immediately or on a set date and time in the future.
- Initial passwords are defined according to Active Directory password guidelines. Initial passwords are sent to the supervisor(s) or any other selected e-mail address.
- Privilege groups and distribution groups are assigned automatically, based on users’ departments, positions or locations.
- User attributes are updated automatically. Changes are logged and access to history is given.
- If user data are modified (e.g. when a staff member changes location), user objects that were intended for a specific organizational unit in the Active Directory are automatically moved to a different organizational unit.
- If first or last names are changed, the system is able to automatically generate a new user name accordingly (if required).
- Permission groups and distribution groups are adapted automatically, based on users’ departments, positions or office locations. Groups that are no longer needed are automatically removed (if required) and it is possible to set a future date or time for the action to be carried out.
Locking and deleting users
- Choice between deleting the user account immediately or a “soft delete” (i.e. the user account is deactivated and moved to a configurable organizational unit)
- Remove groups (“all groups”, “no groups” or “distribution groups only”)
- The user account is locked or deleted automatically on the set leaving date.
- Groups can be assigned to or removed from users individually. This feature can be set to automatic or it can be applied according to staff member attributes.
- Users can implement modifications themselves using the management interface or via the self-service area.
- Definition of data owners for individual groups. Assigning and removing group memberships is controlled through workflows.
- Support for security groups and distribution groups.
- Option for users to reset their own Active Directory password through the web portal.
- Secret questions and/or SMS tokens for user verification.
- An end device connected to the company network is required (PC, tablet, kiosk or similar).
- All modifications are controlled by workflows. Administrators can govern these workflows using a graphical editor in the web interface.
- Regular synchronization with current data in the Active Directory in order to record modifications that were not made using tenfold.
The following domain environments are supported:
- Single-Forest / Single-Domain
- Single-Forest / Multi-Domain
The following Windows Server versions are supported for connecting with the Active Directory:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Access via LDAPS must be enabled on the domain controller in use. The certificate may have to be configured in tenfold.
- Password reset through SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
- Depending on the individual configuration, service accounts with corresponding permissions may be required so that tenfold can monitor and modify data in the Active Directory.
Please note: Samba (and Samba-based solutions) are not supported.