EULA Regulations

The tenfold End User License Agreement (EULA) stipulates that all physical, active IT users who are to be managed via tenfold must be licensed. Strictly speaking, this licensing policy applies independently of Active Directory, even though, in most cases, licensing is based on Active Directory since it is used to manage all employees.
Example of exception: An employee is logged on to the client via a permanently logged in collective user. The employee then boots the SAP-GUI and logs on with a personalized SAP user, which is managed via tenfold. The employee must be licensed, even if he or she does not have an AD account.
Deactivated user accounts or accounts which cannot be assigned to a person (system accounts, service accounts) do not have to be licensed.

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up now

Partial Licensing of Active Directory

We are often asked whether tenfold has to be licensed for the entire Active Directory infrastructure. The simple answer is: no. But it’s not quite that simple.
On a technical level, it is indeed possible to exclude certain Active Directory objects from being managed via tenfold:

  • The scope within a domain can be limited to certain organizational units (OUs).
  • In multi-domain environments, it is possible to exclude certain domains from being connected to tenfold and thus exclude them from being managed all together.

However, whether this is a wise or potentially dangerous decision must be assessed individually for each case.

Consequences of Partial Licensing

There are consequences to partial licensing. Objects (users, groups and computers) which are located in areas (OUs or domains) that are not managed by tenfold will not be imported and will thus remain unknown to tenfold.
If these objects are then used in other objects which tenfold is aware of (such as users, groups, computers, file servers, Exchange or SharePoint), the objects not known to tenfold will not appear while you are managing objects.
Example 1: The group “g-citrix-excel” inside an OU that has been scanned into tenfold contains a group member, “mschwarz”, who is from an OU which has not been licensed and thus has not been scanned into tenfold. When viewing the group “g-citrix-excel”, the user “mschwarz” does not show up because tenfold does not recognize him.
Example 2: The user “kmayer” from an OU that has not been scanned has privileges for a directory that is managed by tenfold. tenfold reads the directory during the scan, but is unable to model the user ID (SID; Security Identifier) behind the privileges, as the associated user is not known. The user therefore does not appear on the report for the directory.


One of tenfold’s main objectives is to provide users with reliable and clear evaluations of the set access rights.
As illustrated by the examples above, an incomplete licensing of tenfold leads to considerable problems regarding the reliability and authenticity of reports.
Although it is technically possible, we advise against using tenfold in environments where the intention is not to license the entire scope of the AD infrastructure.

Note: The license agreement is subject to change without notice. This guideline regarding tenfold licensing is not part of any existing or future license agreements.