Welcome
Tenorr SmartAD Documentation
Your complete guide to managing Active Directory users, groups, and dynamic Smart Group memberships with Tenorr SmartAD.
Tenorr SmartAD is an enterprise Identity & Access Management platform that connects to your organization's Active Directory and provides a modern web interface for user and group management — plus a powerful Smart Groups engine that automatically assigns users to groups based on rules you define.
What Can You Do?
👤
Manage Users
Create, edit, enable, disable, and remove users from your Active Directory.
🏷️
Smart Groups
Define dynamic membership rules so users are automatically assigned to groups.
🛡️
Roles & Permissions
Create hierarchical roles and control what each operator can do in SmartAD.
⏪
Activity & Undo
Every change is tracked. Undo any action to roll back mistakes instantly.
🔐
Security
Invite users, manage permissions, and control admin access to the platform.
⚙️
Configuration
Configure email templates, SMTP settings, and system-wide preferences.
How It Works
SmartAD operates as a three-tier system that bridges your on-premises Active Directory with a cloud-hosted management platform:
On-Premises Agent
A lightweight agent installed on your network connects securely to your Active Directory server over LDAPS.
Cloud Backend
Your data is synced to a secure, multi-tenant cloud backend that evaluates Smart Group rules and stores audit history.
Web Application
You access the system through this web application, authenticated via your organization's Azure AD / Microsoft Entra ID credentials.
💡
Changes you make in SmartAD are synced bidirectionally — edits flow from the web app to Active Directory and vice-versa, keeping everything in sync automatically.
Getting Started
Logging In
How to access SmartAD using your organization's Microsoft account.
SmartAD uses Microsoft Azure AD (Entra ID) for authentication. This means you sign in with the same Microsoft account you use for your organization's email, Teams, and other Microsoft 365 apps.
Sign-In Steps
Navigate to SmartAD
Open your browser and go to the SmartAD URL provided by your administrator.
Click "Sign In"
You'll be redirected to the Microsoft sign-in page. Enter your organizational email and password.
Complete MFA (if required)
If your organization requires multi-factor authentication, complete the verification step.
You're In!
After authentication, you'll be taken to the SmartAD Dashboard.
First-Time Users (Invitation)
If you received an invitation link from your administrator, click on it to register your account with SmartAD. The invitation link contains a unique code that authorizes your Microsoft account for access. Once processed, you'll see a confirmation message and can begin using the application.
⚠️
Invitation links expire. If your link no longer works, ask your SmartAD administrator to send a new invitation.
Trouble Signing In?
If you're having trouble, check the following:
I see "Unauthorized" or "Access Denied"
Your Microsoft account may not be authorized in SmartAD. Contact your SmartAD administrator to receive an invitation or verify your permissions.
The page keeps redirecting in a loop
Try clearing your browser cache and cookies, then sign in again. If the issue persists, try using an incognito/private browsing window.
I'm signed in but can't see any data
Your administrator may not have granted you the necessary permissions yet. Contact them and ask for the appropriate access level.
Getting Started
Dashboard
Your central hub for at-a-glance stats and quick navigation.
The Dashboard is the first page you see after logging in. It gives you a high-level overview of your directory and provides shortcuts to common tasks.
Dashboard Overview
Statistics Cards
At the top of the Dashboard, you'll see summary cards showing:
| Card | Description |
|---|
| Total Users | The number of user accounts in your Active Directory. |
| Total Groups | All groups — both Smart Groups and standard AD groups. |
| Smart Groups | The number of dynamically managed Smart Groups you've created. |
| Activities | Total number of tracked changes and actions. |
Quick Actions
Below the statistics, you'll find shortcut buttons for common tasks:
| Action | What It Does |
|---|
| Create User | Jumps directly to the new user form. |
| Create Group | Opens the Smart Group creation page. |
| Manage Roles | Navigates to the role management section. |
| Settings | Opens system configuration. |
Recent Activity
The bottom section shows your most recent actions (user creation, group modifications, etc.) so you can quickly review recent changes or undo them.
Core Features
Managing Users
Create, edit, disable, and manage Active Directory users directly from the web.
The Users section allows you to manage all the user accounts in your organization's Active Directory. Changes made here are synchronized to your AD in real time.
Viewing Users
Navigate to Users in the left sidebar to see a searchable, paginated list of all users. You can search by name, email, or other attributes. Click any user to view their full profile.
Creating a New User
Click "Create User"
From the Users list or the Dashboard quick action, click the Create User button.
Fill In User Details
Enter the user's first name, last name, display name, email, username (SAM account name), and any other required fields.
Select Organizational Unit
Choose the OU (Organizational Unit) where the user should be placed in your AD hierarchy using the OU picker dropdown.
Assign Groups & Roles (Optional)
You can immediately add the user to groups or assign roles. Use the "Add to Group" or "Add Role" buttons in the respective sections.
Save
Click Save to create the user. The account will be provisioned in your Active Directory.
Editing a User
Click on any user from the list to open their profile. You can modify their attributes (name, email, department, etc.), change their OU, add or remove group memberships, and assign or revoke roles. Click Save to apply changes.
Disabling & Removing Users
Rather than permanently deleting user accounts, SmartAD supports two levels of removal:
| Action | What Happens |
|---|
| Disable | The user account is disabled in AD. The user can no longer sign in but their data is preserved. |
| Remove | The user is disabled and moved to a special Z_DELETE organizational unit, effectively soft-deleting them. |
💡
Undo-friendly: Both disable and remove actions are tracked in the Activity log and can be reversed using the Undo feature.
User Profile Details
Each user profile displays their AD attributes, current group memberships (with the ability to see which Smart Group rules caused the membership), assigned roles, and a hover tooltip preview that appears when you hover over a user link anywhere in the app.
Core Features
Groups & Smart Groups
Understand the two types of groups and how dynamic membership works.
SmartAD works with two kinds of groups: Static Groups managed directly in your Active Directory, and Smart Groups whose membership is determined automatically by rules you define.
Static Groups (AD-Managed)
These are regular Active Directory groups that already exist in your organization. SmartAD mirrors them so you can view their members, but their membership is managed by your AD administrators or other tools. SmartAD displays them with their type (Security or Distribution) and scope (Global, Domain Local, or Universal).
Smart Groups
Smart Groups are the core feature of SmartAD. They let you define membership rules — for example, "all users in the IT department" or "all Engineers in Seattle" — and SmartAD will automatically keep the group membership up to date as user attributes change.
Creating a Smart Group
Navigate to Groups and click "Create Group"
Or use the Dashboard quick action shortcut.
Enter Group Details
Give the group a name, choose its scope (Global, Domain, or Universal), type (Security or Distribution), and select an Organizational Unit.
Define Membership Rules
Use the visual rule builder to define who should be in this group. You can combine conditions using AND/OR logic. See Smart Group Rules for details.
Save & Evaluate
Click Save. SmartAD evaluates the rules against all users and populates the group. If the group is set to sync with AD, the membership will be pushed to your Active Directory.
Editing a Smart Group
Open any Smart Group to modify its name, properties, or membership rules. After saving, SmartAD re-evaluates the rules and updates membership. The Members section shows the current list of users who match the rules.
Deleting a Smart Group
At the bottom of the Smart Group edit page, you'll find a Danger Zone section with a Delete button. Deleting a Smart Group removes it and its membership rules. A confirmation dialog will appear before the action is executed. This action can be undone from the Activity log.
⚠️
AD Sync: If the Smart Group was synced to Active Directory, deleting it will also remove the corresponding AD group.
Core Features
Smart Group Rules
How to define membership criteria using the expression engine.
Smart Group membership is determined by expressions — logical rules that match users based on their attributes, identities, or membership in other groups. The rule builder in the web app provides a visual interface, but understanding the underlying logic helps you create powerful rules.
Rule Structure
Every Smart Group expression follows a simple pattern:
condition A
AND
condition B
OR
condition C
A rule is made up of terms joined by OR. Each term is made up of factors joined by AND. A user matches the group if they match any of the terms (i.e., all factors within at least one term).
Factor Types
There are four types of factors you can use in your rules:
| Type | Syntax | Description | Example |
|---|
| Attribute |
@attribute=value |
Match users where a specific AD attribute equals a value. |
@department=Engineering |
| Group Ref |
+groupId |
Include all members of another Smart Group (nesting). |
+42 |
| Keyword |
$keyword |
Special keywords like $all to match all users. |
$all |
| User ID |
:userId |
Include a specific user by their ID. |
:john.doe |
Example Expressions
All users in the IT department
@department=IT
Engineers in Seattle OR all members of the DevOps group
@department=Engineering
AND
@location=Seattle
OR
+42
(where 42 is the ID of the DevOps Smart Group)
All users plus a specific individual
$all
OR
:admin.user
Using the Visual Rule Builder
You don't need to type expressions manually. The Smart Group edit page provides a visual builder where you can:
Add a Rule Row
Each row represents a factor. Choose the type (attribute, group, keyword, or user), then fill in the value.
Group Rows with AND
Factors within the same group (enclosed in brackets) are combined with AND logic — users must match all of them.
Add OR Terms
Separate groups of factors create OR terms — users matching any group will be included.
🔄
Circular References: SmartAD will detect and prevent circular references (e.g., Group A includes Group B which includes Group A). If a circular reference is detected, you'll receive an error and the expression won't be saved.
Core Features
Roles & Permissions
Create role-based access structures for your organization.
The Roles module (available when enabled for your tenant) allows you to create named roles and assign them to users. Roles are built on top of Smart Groups, so role membership follows the same dynamic rules engine.
What Is a Role?
A Role in SmartAD is essentially a Smart Group that is designated as a role. It carries the same dynamic membership capabilities but is displayed separately in the interface under the Roles section, making it easier to manage organizational access levels.
Managing Roles
Navigate to Roles
Click "Manage Roles" in the sidebar or from the Dashboard quick action.
Create a New Role
Give the role a name and optionally define membership rules (just like Smart Groups).
Assign Users
Users can be assigned to roles from the role page or from individual user profiles using the "Add Role" button.
Roles on User Profiles
When viewing or editing a user, the Roles & Permissions section shows all roles the user is currently assigned to. Roles are visually tagged — existing roles appear muted, newly added roles appear highlighted in green, and roles marked for removal appear in red. You can toggle role assignments and save the user to apply changes.
💡
Module-based feature: The Roles module must be activated for your tenant. If you don't see the Roles section, ask your administrator to enable it.
Administration
Activity Log & Undo
Every change is tracked — and most can be reversed.
SmartAD records every significant action performed through the system. This provides a full audit trail and, crucially, the ability to undo actions when mistakes happen.
Viewing the Activity Log
Navigate to Activities in the sidebar to see a chronological list of all actions. Each entry shows the action type, who performed it, when it happened, and its current status.
Action Types
| Action | Description |
|---|
| Create Smart Group | A new Smart Group was created. |
| Modify Smart Group | A Smart Group's expression rules were updated. |
| Delete Smart Group | A Smart Group was deleted. |
| Create User | A new user was provisioned in AD. |
| Edit User | A user's attributes were modified. |
| Disable User | A user account was disabled. |
| Enable User | A previously disabled user was re-enabled. |
| Remove User | A user was soft-deleted (disabled + moved). |
Undoing an Action
Most actions in SmartAD can be undone. To reverse a change:
Find the Action
Browse or search the Activity log for the action you want to undo.
Click Undo
Click the Undo button on the action entry. SmartAD will restore the previous state.
Verify the Reversal
The action's status will change to "Undone". The affected user/group will be restored to their pre-action state, and any AD changes will be reversed.
✅
Redo is also supported. If you undo an action and then change your mind, you can redo it to re-apply the original change.
⚠️
Undo requires permissions. You can only undo actions that your permission level allows. Smart Admin users can undo any action.
Administration
Security & Invitations
Control who can access SmartAD and what they're allowed to do.
The Security page (under Admin in the sidebar) is where Smart Admins manage who has access to the SmartAD platform and what permissions each user has.
🔒
Admin only: The Security section is only accessible to users with the Smart Admin privilege.
Authorized Users
The Authorized Users list shows everyone who currently has access to SmartAD. Each user displays their name, email, and current permission level.
Inviting New Users
Click "Invite User"
Enter the Microsoft email address of the person you want to invite.
Copy the Invitation Link
A unique invitation link is generated. Copy it and send it to the user via email or messaging.
User Clicks the Link
When the user opens the link and signs in with their Microsoft account, their account is registered in SmartAD.
Managing Permissions
Click on any authorized user to open the permissions dialog. You can configure:
| Setting | Description |
|---|
| Smart Admin | Toggle to grant full administrative access. Smart Admins can manage other users, configuration, and bypass action-level permissions. |
| Individual Actions | Fine-grained control: toggle specific actions like "Create Smart Groups", "Edit Users", "Delete Smart Groups", etc. |
| All Actions (__ALL__) | A shortcut that grants permission for all actions without being a Smart Admin. |
Managing Invitations
The Invitations tab shows all pending invitations. You can view the link, copy it again, or delete invitations that are no longer needed.
Removing Access
To remove a user's access to SmartAD, click the delete button next to their name in the Authorized Users list. This does not affect their Active Directory account — it only removes their ability to log in to SmartAD.
Administration
Configuration
System-wide settings for email, notifications, and more.
The Configuration page allows Smart Admins to manage system settings that affect how SmartAD operates. Settings are organized into sections.
🔒
Admin only: Configuration is restricted to Smart Admin users.
Email Settings
Configure how SmartAD sends email notifications. Settings are grouped by section and typically include:
| Setting | Description |
|---|
| SMTP Host | The hostname of your email server. |
| SMTP Port | The port to connect on (typically 587 for TLS). |
| From Address | The email address that notifications are sent from. |
| Email Templates | Rich-text templates for invitation emails and notifications. These support HTML formatting. |
Editing Configuration Values
Each configuration item displays its name, description, and one or more editable values. Some values are simple text fields, while others (like email templates) use a rich-text editor. After making changes, click Save on each section to apply.
💡
Changes take effect immediately. Configuration updates are applied as soon as they're saved — no restart needed.
Help
FAQ & Troubleshooting
Answers to common questions and solutions to known issues.
Frequently Asked Questions
How often does SmartAD sync with Active Directory?
SmartAD syncs with your Active Directory every 5–15 minutes (configurable). The sync uses Microsoft's DirSync protocol for efficiency, meaning only changed objects are transferred. If you need immediate results, ask your administrator about triggering a manual sync.
Can I use SmartAD to reset user passwords?
Password management depends on your deployment configuration. SmartAD focuses on user attribute management, group membership, and role assignment. Password operations may be handled by your organization's existing password management tools.
What happens if I delete a Smart Group that's synced to AD?
When you delete a Smart Group that has been synced to Active Directory, the corresponding AD group is also removed (disabled, renamed, and moved). This action is tracked in the Activity log and can be undone if needed.
Can Smart Groups reference other Smart Groups?
Yes! You can nest Smart Groups by using the group reference factor (+groupId). For example, if Group A's rule is @department=IT, Group B could include +A to include all IT department members plus additional criteria. SmartAD will detect and prevent circular references.
What does the "$all" keyword do?
The $all keyword is a special factor that matches every user in your directory. It's useful for creating groups that should contain everyone, or as one term in a broader expression.
How do I know which Smart Group rule caused a user to be in a group?
When viewing a user's group memberships, SmartAD shows the "reason" for each membership — this indicates which factor type (attribute match, keyword, direct user reference, or nested group) caused the user to be included.
What is the difference between "Disable" and "Remove" for users?
Disabling a user simply sets their AD account to disabled — they can no longer sign in but remain in their current OU. Removing a user disables them AND moves them to a special Z_DELETE organizational unit, making it a soft-delete. Both actions are reversible.
What browsers are supported?
SmartAD works best on modern browsers: Chrome, Firefox, Edge, and Safari. It is a responsive web application that works on both desktop and tablet screens.
Troubleshooting
Users are not appearing in Smart Group results
Check the following:
1. Verify the expression syntax is correct by reviewing the rule builder on the group's edit page.
2. Ensure the user's AD attributes match the criteria (attribute values are case-sensitive).
3. Wait for the next sync cycle — newly changed attributes take a few minutes to propagate.
4. Check that the Smart Group has been saved (unsaved rule changes aren't evaluated).
I made a change but it's not showing up in AD
Changes are pushed to Active Directory through the on-premises agent. If changes aren't appearing, the agent may be offline or experiencing connectivity issues. Contact your system administrator to verify the agent status.
I can't access the Admin or Security sections
Admin and Security sections require the Smart Admin privilege. Only a current Smart Admin can grant this to you. Contact your organization's SmartAD administrator for access.
Error: "The Smart Group Expression has failed the validation test"
This means the expression you entered doesn't match the expected format. Use the visual rule builder rather than editing expressions manually. If the issue persists, check that you're not creating a circular reference (Group A → Group B → Group A).
The invitation link doesn't work
Invitation links expire after a set period. Ask a Smart Admin to generate a new invitation. Also ensure you're opening the link while signed into the correct Microsoft account.
📧
Still need help? Contact your organization's SmartAD administrator or reach out to Tenorr support for assistance.