
Bind on-prem Active Directory.

What to prepare before connecting an on-premises Active Directory domain to TenLens, including the service account permissions (read now, write for management soon), Remote Event Log Management firewall rule, and RPC network path the collector needs.

UPDATED · MAY 28, 2026 · READ TIME · 6 MIN · APPLIES TO · beta

TIP · One host, one account

TenLens reaches every domain controller and forwarder from a single domain-joined Windows host (the collector) using one service account. You do not install an agent on each domain controller, and you do not open any inbound ports from the internet.

How collection works

The TenLens collector is a small Windows program that runs inside your network. It does two things:

  • Proxies directory queries over LDAP so the TenLens app never talks to your directory directly.
  • Reads audit events from each domain controller (and any Windows Event Collector you use) by opening a remote session to that machine over RPC and subscribing to its logs.

Both use the same per-domain service account. Because the collector connects out to your domain controllers, only the collector host needs a network path to them. The domain controllers need no inbound connectivity to TenLens and no per-machine software.

NOTE · Read today, read and write soon

Today TenLens uses the service account read-only: it queries the directory and collects audit events without changing anything. Upcoming releases let TenLens manage directory objects (create and modify users, groups, organizational units, and other entities) through the same account. Provision the account with both read and write access now so you do not have to re-permission it when management ships.

Prerequisites at a glance

Before you start the Connect Active Directory wizard, make sure you have:

  • A domain-joined Windows host to run the collector (it does not need to be a domain controller).
  • A domain service account for directory queries, remote event reads, and (soon) directory management writes.
  • The service account added to Event Log Readers, plus the right to read the Security log.
  • The Remote Event Log Management firewall rule enabled on each domain controller and forwarder.
  • A network path from the collector to each source on TCP 135 plus the dynamic RPC ports, and LDAP on TCP 389 (integrated auth, the default) or TCP 636 if you opt into simple bind over LDAPS.

The rest of this page covers each item.

The collector host

Pick one domain-joined Windows machine to run the collector. It opens remote sessions to every domain controller and forwarder you add, so this is the only host that needs the firewall and RPC path described below.

NOTE

The collector acts as the service account you configure, not as its own machine identity. Granting permissions to the service account (next section) is what matters, regardless of which host the collector runs on.

Service account permissions

Create or reuse a domain account for TenLens. Today it is used read-only; upcoming directory management features write through the same account, so grant it both read and write access up front. Provision the following:

  1. Directory read (LDAP)

    A standard domain user can bind over LDAP and read directory objects. No elevated directory rights are required for reading, which is all TenLens does today. By default the bind is an encrypted integrated (Kerberos/NTLM) bind on port 389, so the account needs no certificate and no special privileges to connect.

  2. Directory write (management, coming soon)

    For the upcoming management features, delegate write permissions on the organizational units TenLens will manage so the account can create and modify users, groups, OUs, and other objects. Grant only the scope you intend TenLens to manage. You can add this later, but provisioning it now means no change when management ships. TenLens never uses write access until you enable a management feature.

  3. Event Log Readers

    Add the service account to the built-in Event Log Readers group. On domain controllers this group applies across all controllers in the domain, so you add the account once.

  4. Read the Security log

    Reading the Security log remotely additionally requires the Manage auditing and security log user right (also called SeSecurityPrivilege). On domain controllers, assign it through the Default Domain Controllers Policy under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.

NOTE · Optional: faster incremental sync

After the first full sync, TenLens keeps each domain current by reading only what changed since the last run (using directory replication). This requires the service account to hold the Replicating Directory Changes right on the domain. It is optional: without it, TenLens automatically falls back to a full read on every scheduled run, so nothing is missed; large domains simply take longer. To enable efficient deltas, delegate Replicating Directory Changes to the account at the domain root (via Active Directory Users and Computers delegation or dsacls).
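The four numbered steps above and the optional replication right, carried out as one added PowerShell script. This is an illustration written for this page, not TenLens tooling; the service account name svc_tenlens, the management scope OU=TenLens-Managed, and the presence of the RSAT ActiveDirectory module and dsacls.exe on the admin host are assumptions. It grants write access only under the managed OU, and it verifies rather than grants SeSecurityPrivilege, because that right is assigned through Group Policy as step 4 describes.

```powershell
# Added example, not part of TenLens. Run on a domain-joined admin host with RSAT
# (ActiveDirectory module, dsacls.exe) as a user allowed to delegate on the domain.
# Assumed names: service account svc_tenlens, management scope OU=TenLens-Managed.
$Account   = 'svc_tenlens'
$Domain    = Get-ADDomain
$Trustee   = "$($Domain.NetBIOSName)\$Account"
$ManagedOU = "OU=TenLens-Managed,$($Domain.DistinguishedName)"   # only this subtree is delegated

# Step 1 (directory read): nothing to grant; any domain user can bind and read over LDAP.

# Step 2 (directory write, for the upcoming management features), scoped to $ManagedOU:
#   CCDC = create/delete child objects of the named class (this OU and its sub-OUs)
#   RPWP = read/write all properties, applied only to child user and group objects
dsacls $ManagedOU /I:T /G "${Trustee}:CCDC;user" "${Trustee}:CCDC;group" "${Trustee}:CCDC;organizationalUnit"
dsacls $ManagedOU /I:S /G "${Trustee}:RPWP;;user" "${Trustee}:RPWP;;group"

# Step 3 (Event Log Readers): built-in domain-local group; one membership covers every DC.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Account

# Optional (incremental sync): Replicating Directory Changes extended right at the domain root.
dsacls $Domain.DistinguishedName /G "${Trustee}:CA;Replicating Directory Changes"

# Step 4 (Security log): SeSecurityPrivilege comes from the Default Domain Controllers Policy
# in GPMC, so it is not granted here. Once the policy has applied, confirm it on a DC by
# exporting that DC's effective user-rights assignments.
$Sid = (Get-ADUser -Identity $Account).SID.Value
$Dc  = [string](Get-ADDomainController -Discover).HostName
Invoke-Command -ComputerName $Dc -ArgumentList $Sid -ScriptBlock {
    param($Sid)
    $cfg = Join-Path $env:TEMP 'tenlens-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # secedit writes UTF-16; the entry looks like: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    # If you assigned the right to a group rather than the account, look for that group's SID instead.
    $line = [string](Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match '^SeSecurityPrivilege' })
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line.Contains("*$Sid")) { "$env:COMPUTERNAME : SeSecurityPrivilege granted" }
    else { "$env:COMPUTERNAME : SeSecurityPrivilege NOT granted ($line)" }
}
```

The dsacls inheritance flags matter for scope: /I:T applies the create/delete ACEs to the managed OU and everything beneath it, while /I:S applies the property ACEs only to child objects, so the account cannot rewrite attributes of the OU itself or of anything outside it.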

WARNING · If you skip the Security log right

Without the Security log right, the server's health pill in the wizard shows "Access is denied." even though the service account can bind over LDAP. The Directory Service and DNS Server logs may still be readable, but most TenLens audit content comes from the Security log.

Remote Event Log Management

Each domain controller and forwarder must allow the remote Event Log service through its Windows firewall. Enable the built-in rule group on every source. In an elevated PowerShell session on each machine:

POWERSHELL
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

To confirm the rules are enabled:

POWERSHELL
Get-NetFirewallRule -DisplayGroup "Remote Event Log Management" |
  Select-Object DisplayName, Enabled

NOTE

If this rule group is disabled, the server's health pill shows "The remote procedure call failed." or "The RPC server is unavailable." even though the service account and credentials are correct.
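The two commands above have to be run on every domain controller and forwarder. As an added example (not TenLens tooling), the following script does that in one pass from an admin host over WinRM, then reports the rule state per machine so a disabled rule on any one source stands out; it assumes the ActiveDirectory module and WinRM access to each source, and the $Forwarders list is a placeholder you fill in with your own Windows Event Collector hosts.

```powershell
# Added example, not part of TenLens: enable and verify the rule group on every source at once.
# Assumes the ActiveDirectory module on this host and WinRM (PowerShell remoting) to each source.
$Forwarders = @()   # constructed placeholder, e.g. 'wec01.corp.example' for each event collector
$Sources = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) + $Forwarders

$State = Invoke-Command -ComputerName $Sources -ScriptBlock {
    # Only the rules in this display group are touched; nothing else in the firewall changes.
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Enabled = $_.Enabled
        }
    }
}

$State | Sort-Object PSComputerName, Rule |
    Format-Table PSComputerName, Rule, Profile, Enabled -AutoSize

# Anything still disabled (for example a rule pinned off by a local policy) is listed here.
$Still = $State | Where-Object { $_.Enabled -ne 'True' }
if ($Still) { Write-Warning "Rules still disabled on: $(($Still.PSComputerName | Sort-Object -Unique) -join ', ')" }
```

A source that reports every rule Enabled here but still shows an RPC error in the wizard usually has a network device between the collector and the source blocking TCP 135 or the dynamic RPC range, which the next section covers.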

Network and RPC ports

The collector reaches each source over RPC and over LDAP. Make sure the path from the collector host to each domain controller and forwarder is open on:

  • TCP 135 for the RPC endpoint mapper.
  • The dynamic RPC port range (Windows default 49152 to 65535). If your network team restricts RPC to a fixed range, allow that range instead.
  • TCP 389 (LDAP) or 636 (LDAPS) for directory queries and the service account bind.

Only the collector host needs this path. The domain controllers never connect to TenLens.
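The port list above is easiest to confirm from the collector host itself, because that is the only path that matters. The following added PowerShell check (an illustration for this page, not TenLens code) probes the static ports, binds over LDAP on 389 with the service account, and then reads one Security log event from each source, which exercises the endpoint mapper, the dynamic RPC range, the firewall rule group and the Security log right in a single call. The account name svc_tenlens and the use of the ActiveDirectory module are assumptions; if you opted into LDAPS, add 636 to the port list.

```powershell
# Added example, not part of TenLens. Run on the collector host; you are prompted for the
# service account's credentials. Assumes the ActiveDirectory module is installed here.
$AccountSam = 'svc_tenlens'                                   # assumed service account name
$Credential = Get-Credential -Message 'TenLens service account (DOMAIN\user)'
$Sources    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
# Add forwarder hostnames to $Sources here if you use Windows Event Collectors.

foreach ($Source in $Sources) {
    $row = [ordered]@{ Source = $Source }

    # Static ports: 135 (endpoint mapper) and 389 (LDAP). Add 636 if you use simple bind over LDAPS.
    foreach ($Port in 135, 389) {
        $tnc = Test-NetConnection -ComputerName $Source -Port $Port -WarningAction SilentlyContinue
        $row["TCP$Port"] = $tnc.TcpTestSucceeded
    }

    # LDAP bind as the service account against this specific DC (integrated auth, the collector's default).
    try {
        $null = Get-ADUser -Identity $AccountSam -Server $Source -Credential $Credential -ErrorAction Stop
        $row.LdapBind = 'OK'
    } catch { $row.LdapBind = $_.Exception.Message }

    # Remote Security log read. A failure message here is the same text the wizard's health pill shows:
    #   "The RPC server is unavailable" -> firewall rule group or TCP 135 / dynamic RPC range
    #   "Access is denied"              -> Event Log Readers membership or SeSecurityPrivilege
    try {
        $null = Get-WinEvent -ComputerName $Source -LogName Security -MaxEvents 1 -Credential $Credential -ErrorAction Stop
        $row.SecurityLog = 'OK'
    } catch { $row.SecurityLog = $_.Exception.Message }

    [pscustomobject]$row
}
```

Because Get-WinEvent negotiates the dynamic port through the endpoint mapper exactly as the collector does, a row with TCP135 True but a Security log RPC error points at the dynamic range (49152 to 65535 by default, or your fixed range) rather than at port 135.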

Verify the connection

After you complete the wizard, the Servers and forwarding step reflects the state of everything above:

  • The read account banner turns green when the service account binds over LDAP.
  • Each server shows a Healthy pill when TenLens can read its logs over RPC.

If a server shows an error, the message names the cause (for example a remote procedure call failure or access denied), which maps directly to the firewall and permission steps on this page. See Connecting Active Directory for the full list of errors and fixes.