Active Directory® User Lifecycle Plugin

The Active Directory User Lifecycle plugin is a great tool to help simplify administrative tasks related to user and group management in Active Directory. The standard tools provided in the Windows Server package only allow very simple and superficial object administration – many of the processes that have been established as best practice must still be carried out manually.


The Active Directory User Lifecycle plugin provides valuable support for frequently used functions and procedures, such as creating new users or adapting users when they switch departments. All modifications are logged and thus made transparent. The plugin is especially useful for simplifying compliance with legal regulations (like the new European General Data Protection Regulation) and common standards (e.g. ISO 27001, SOX, etc.).

Furthermore, the plugin functions help to improve helpdesk efficiency. By standardizing processes, certain tasks can be executed faster and the number of mistakes is reduced. Users are able to independently execute certain requests – such as password resets – that would normally consume disproportionate amounts of helpdesk time and resources.


User creation

  • Automatic creation of new user objects in the Active Directory.
  • Consistent and automatic setting of attributes in the Active Directory, based on configurable mapping.
  • Automatic selection of correct organization units in the Active Directory, according to office, department or other attributes of users.
  • Automatic determination of user names, based on configurable rules. The system also scans for name duplicates and generates rule-compliant alternatives where necessary.
  • User accounts can be activated immediately or on a set date and time in the future.
  • Definition of initial passwords according to Active Directory password guidelines. The initial password is sent to the supervisor or another viable e-mail address.
  • Automatic assignment of permission groups and distribution groups, based on departments, positions or office locations of users.


  • User attributes are updated automatically. Changes are logged and the history can be accessed.
  • If user data are modified – e.g. when a staff member changes location – user objects that were intended for a specific organization unit in the Active Directory are automatically moved to a different organization unit.
  • If first or last names are changed, the system is able to automatically generate a new user name accordingly (if required).
  • Permission groups and distribution groups are adapted automatically, based on users’ departments, positions or office locations. Groups that are no longer needed are automatically removed (if required) and it is possible to set a future date or time for the action to be carried out.

Locking and deleting users

  • Choice between deleting the user account immediately or “soft-delete” (i.e. the user account is deactivated and moved to a configurable organization unit).
  • Remove groups (“all groups”, “no groups” or “distribution groups only”)
  • On arrival of the set leaving date, the user account is locked or deleted.

Group management

  • Individual assignment or removal of groups for users. This feature can be set to automatic or it can be applied according to staff member attributes.
  • Modifications can be implemented either via the administration interface or in the self-service area by users themselves.
  • Definition of data owners for individual groups. Assigning and removing group memberships is controlled through workflows.
  • Support for security groups and distribution groups.

Password reset

  • Option for users to reset their own Active Directory password through a web portal.
  • Secret questions and/or SMS tokens for user verification.
  • An end device connected to the company network is required (e.g. PC, tablet, kiosk or similar).

Other functions

  • All modifications are controlled through workflows. Administrators can govern these workflows through a graphical editor in the web interface.
  • Regular synchronization with current data in the Active Directory in order to record modifications that were not made using tenfold.

System requirements

The following domain environments are supported:

  • Single-Forest / Single-Domain
  • Single-Forest / Multi-Domain
  • Multi-Forest

The following Windows Server versions are supported for connection to Active Directory:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Further requirements

  • Access via LDAPS must be activated on the domain controller in use. The certificate may have to be configured in tenfold.
  • Password reset through SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
  • Depending on the individual configuration, service accounts with corresponding permissions may be required to allow tenfold to monitor and modify data in the Active Directory.

Please note: Samba (and Samba-based solutions) are not supported.

Request a free trial

It has never been easier to manage and keep track of your users and their access rights in one centralized software. Administrators, managers and your company as a whole will benefit from tenfold, as it provides a transparent overview of all access rights. tenfold can help you comply with standards, like ISO 27000, BSI, etc., and offers worthwhile functions for managing users and access rights.
