Partial Licensing of Active Directory
We are often asked whether tenfold has to be licensed for the entire Active Directory infrastructure. The simple answer is: no. But it’s not quite that simple.
On a technical level, it is indeed possible to exclude certain Active Directory objects from being managed via tenfold:
- The scope within a domain can be limited to certain organizational units (OUs).
- In multi-domain environments, it is possible to exclude certain domains from being connected to tenfold and thus exclude them from being managed altogether.
However, whether this is a wise or potentially dangerous decision must be assessed individually for each case.
Consequences of Partial Licensing
There are consequences to partial licensing. Objects (users, groups and computers) which are located in areas (OUs or domains) that are not managed by tenfold will not be imported and will thus remain unknown to tenfold.
If these objects are then referenced by other objects which tenfold is aware of (such as users, groups, computers, file servers, Exchange or SharePoint), the objects not known to tenfold will not appear when you manage those objects.
Example 1: The group “g-citrix-excel” inside an OU that has been scanned into tenfold contains a group member, “mschwarz”, who is from an OU which has not been licensed and thus has not been scanned into tenfold. When viewing the group “g-citrix-excel”, the user “mschwarz” does not show up because tenfold does not recognize him.
Example 2: The user “kmayer” from an OU that has not been scanned has privileges for a directory that is managed by tenfold. tenfold reads the directory during the scan, but is unable to map the user ID (SID, Security Identifier) behind the privileges to a user, as the associated user is not known. The user therefore does not appear on the report for the directory.
One of tenfold’s main objectives is to provide users with reliable and clear evaluations of the set access rights.
As illustrated by the examples above, incomplete licensing of tenfold leads to considerable problems regarding the reliability and authenticity of reports.
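The two examples above can be reproduced as a reconciliation check. The following is an added example, not tenfold code: it compares the SIDs referenced by a group and a directory ACL against a full directory listing and reports every trustee a scoped scan could not name, separating accounts outside the scanned OUs from SIDs that no longer have an account. The domain, OU names, SIDs, share path and the user "jdoe" are constructed assumptions.

```python
# Constructed sample data: domain, OU names, SIDs and share path are assumptions;
# only mschwarz, kmayer and g-citrix-excel are taken from the examples on this page.
SCOPE = ["OU=Licensed,DC=corp,DC=example"]  # OUs the scan is limited to

DIRECTORY = {  # SID -> DN, as the full directory holds it
    "S-1-5-21-1-2-3-1101": "CN=mschwarz,OU=Unlicensed,DC=corp,DC=example",
    "S-1-5-21-1-2-3-1102": "CN=kmayer,OU=Unlicensed,DC=corp,DC=example",
    "S-1-5-21-1-2-3-1103": "CN=jdoe,OU=Staff,OU=Licensed,DC=corp,DC=example",
}

# Resource -> SIDs it references (group members or ACL trustees).
REFERENCES = {
    "group:g-citrix-excel": ["S-1-5-21-1-2-3-1101", "S-1-5-21-1-2-3-1103"],
    r"folder:\\fs01\finance": ["S-1-5-21-1-2-3-1102", "S-1-5-21-1-2-3-1103",
                               "S-1-5-21-1-2-3-9999"],  # 9999: deleted account
}


def in_scope(dn, scope):
    """True if dn is a scoped OU or lies anywhere beneath one (case-insensitive).

    Simplification: assumes DNs contain no escaped commas.
    """
    dn = dn.lower()
    return any(dn == base.lower() or dn.endswith("," + base.lower())
               for base in scope)


def blind_spots(references, directory, scope):
    """Return {resource: [(sid, reason)]} for trustees a scoped scan cannot name."""
    report = {}
    for resource, sids in references.items():
        for sid in sids:
            dn = directory.get(sid)
            if dn is None:
                reason = "orphaned SID (no account in the directory)"
            elif not in_scope(dn, scope):
                reason = "out of scope: " + dn
            else:
                continue  # known to the scan, would appear in the report
            report.setdefault(resource, []).append((sid, reason))
    return report


if __name__ == "__main__":
    for resource, hits in blind_spots(REFERENCES, DIRECTORY, SCOPE).items():
        for sid, reason in hits:
            print(f"{resource}: {sid} -> {reason}")
```

Without the full directory listing, the out-of-scope account and the deleted account are indistinguishable: both are simply SIDs with no known user behind them.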
Although it is technically possible, we advise against using tenfold in environments where the intention is not to license the entire scope of the AD infrastructure.
Note: The license agreement is subject to change without notice. This guideline regarding tenfold licensing is not part of any existing or future license agreements.