Active Directory® User Lifecycle Plugin

The standard tools provided by the Windows Server package for managing Active Directory permissions, users and groups are very rudimentary, which is why admins are still forced to carry out many of the involved processes and tasks manually. The Active Directory User Lifecycle Plugin automates processes and simplifies the tasks involved in managing the Active Directory and those hard-to-track user lifecycles that make admin life so difficult.


The Active Directory User Lifecycle plugin provides support for frequently used functionalities and procedures, such as creating new users or adapting users who change departments. All modifications are well-documented and therefore kept transparent. The plugin is furthermore helpful in complying with legal regulations (such as the European General Data Protection Regulation) and common standards (e.g. ISO 27001, SOX, etc.).

It also boosts helpdesk efficiency: Standardizing processes enables certain tasks to be executed faster, which in turn reduces the number of mistakes made. Furthermore, users can independently execute requests that would normally consume disproportionate amounts of helpdesk time and resources (e.g. password reset).


User creation

  • Automatic creation of new user objects in Active Directory.
  • Attributes in the AD are set automatically and in a consistent manner, based on configurable mappings.
  • Automatic selection of the correct organizational unit in AD on the basis of the user’s office, department or other attribute(s).
  • Automatic selection of user names according to configurable rules. The system also scans for name duplicates and will generate alternative user names in compliance with these rules.
  • User accounts can be activated either with immediate effect or on a set date and time in the future.
  • Initial passwords are defined according to Active Directory password guidelines. Initial passwords are sent to the supervisor(s) or any other selected e-mail address.
  • Automatic assignment of privilege groups and distribution groups, based on the user’s department, position or location.


User modification

  • Automatic update of user attributes. Changes are logged and can be accessed historically.
  • If user data are modified (e.g. when an employee changes location), user objects assigned to a specific organizational unit in the Active Directory are automatically moved to a different organizational unit.
  • If the user’s first or last name is changed, the system is able to generate a new, matching user name (if needed).
  • Automatic adaptation of permission groups and distribution groups, based on the user’s department, position or office. Groups that are no longer needed are removed automatically (if required), and this action can be scheduled for a date or time in the future.

Locking and deleting users

  • Choice between deleting the user account immediately or “soft-delete” (where the user account is deactivated and moved to a configurable organizational unit).
  • Removal of group memberships (“all groups”, “no groups” or “distribution groups only”).
  • The user account is locked or deleted automatically on the scheduled leaving date.

Group management

  • Groups can be assigned to or removed from users individually. This feature can be set to automatic or it can be applied according to employee attributes.
  • Users can implement modifications themselves via the user interface or self-service interface.
  • Definition of data owners for individual groups. Assigning and removing group memberships is controlled through workflows.
  • Support for security groups and distribution groups.

Password reset

  • Option for users to reset their own Active Directory password through a web portal.
  • Secret questions and/or SMS tokens for user verification.
  • An end device with a connection to the company network is required (PC, tablet, kiosk or similar).

Other functions

  • All modifications are controlled by workflows. Administrators can govern these workflows using a graphical editor in the web interface.
  • Regular synchronization with current data in the Active Directory to keep a record of modifications that were not made using tenfold.

System requirements

The following domain environments are supported:

  • Single forest / Single domain
  • Single forest / Multi-domain
  • Multi-forest

The following Windows Server versions are supported for connection to Active Directory:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Further requirements

  • Access via LDAPS must be activated on the domain controller in use. The certificate may have to be configured in tenfold.
  • Password reset through SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
  • Depending on the individual configurations, service accounts with corresponding permissions may be required to allow tenfold to monitor and modify data in the Active Directory.

Please note: Samba (and Samba-based solutions) are not supported.


Choose organizational units comfortably

Field mappings between tenfold & Active Directory

Delete user: plain and simple


It has never been easier to manage and keep track of users and access rights in one centralized software, meaning that everyone at your company, from admins to managers to users, will benefit from tenfold. Our software provides excellent features that will help you maintain a transparent overview of all access rights, while also ensuring you adhere to common standards, such as ISO 27000 or BSI.
