The Active Directory User Lifecycle plugin provides valuable support for frequently used functions and procedures, such as creating new users or adapting users when they switch departments. All modifications are logged and thus made transparent. The plugin is especially useful for simplifying compliance with legal regulations (like the new European General Data Protection Regulation) and common standards (e.g. ISO 27001, SOX).
Furthermore, the plugin functions help to improve helpdesk efficiency. By standardizing processes, certain tasks can be executed faster and the number of mistakes is reduced. Users are able to independently execute certain requests, such as a password reset, that would normally consume disproportionate amounts of helpdesk time and resources.
- Automatic creation of new user objects in the Active Directory.
- Consistent and automatic setting of attributes in the Active Directory, based on configurable mapping.
- Automatic selection of the correct organizational units in the Active Directory, according to office, department or other attributes of users.
- Automatic determination of user names, based on configurable rules. The system also scans for name duplicates and generates rule-compliant alternatives where necessary.
- User accounts can be activated immediately or on a set date and time in the future.
- Definition of initial passwords according to Active Directory password guidelines. The initial password is sent to the supervisor or another viable e-mail address.
- Automatic assignment of permission groups and distribution groups, based on departments, positions or office locations of users.
- User attributes are updated automatically. Changes are logged and access to history is given.
- If user data are modified, e.g. when a staff member changes location, user objects that were intended for a specific organizational unit in the Active Directory are automatically moved to a different organizational unit.
- If first or last names are changed, the system is able to automatically generate a new user name accordingly (if required).
- Permission groups and distribution groups are adapted automatically, based on users’ departments, positions or office locations. Groups that are no longer needed are automatically removed (if required) and it is possible to set a future date or time for the action to be carried out.
Locking and deleting users
- Choice between deleting the user account immediately or a “soft-delete” (i.e. the user account is deactivated and moved to a configurable organizational unit).
- Remove groups (“all groups”, “no groups” or “distribution groups only”)
- When the set leaving date arrives, the user account is locked or deleted.
- Individual assignment or removal of groups for users. This feature can be set to automatic or it can be applied according to staff member attributes.
- Modifications can be implemented either via the administration interface or in the self-service area by users themselves.
- Definition of data owners for individual groups. Assigning and removing group memberships is controlled through workflows.
- Support for security groups and distribution groups.
- Option for users to reset their own Active Directory password through a web portal.
- Secret questions and/or SMS tokens for user verification.
- An end device connected to the company network is required (e.g. PC, tablet, kiosk or similar).
- All modifications are controlled through workflows. Administrators can govern these workflows through a graphical editor in the web interface.
- Regular synchronization with current data in the Active Directory in order to record modifications that were not made using tenfold.
The following domain environments are supported:
- Single-Forest / Single-Domain
- Single-Forest / Multi-Domain
The following Windows Server versions are supported for connection to Active Directory:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Access via LDAPS must be activated on the domain controller in use. The certificate may have to be configured in tenfold.
- Password reset through SMS tokens requires an SMS e-mail gateway or an SMS service with a REST interface.
- Depending on the individual configuration, service accounts with corresponding permissions may be required so that tenfold can monitor and modify data in the Active Directory.
Please note: Samba (and Samba-based solutions) are not supported.