AD Users | Suspend rule
This rule suspends the specified Active Directory users according to the selected AD User Suspend™ Configuration. It could also suspend the linked Microsoft 365 account if a Microsoft 365 user suspend configuration is specified.
NOTE: This rule works only if 'Use modern suspend' is set to 'Yes' in the Cayosoft Administrator Console in the Active Directory extension settings.
NOTE: Privileged accounts that are the members of privileged groups, such as Domain Admins, Enterprise Admins, or Schema Admins, are excluded from the scope of this rule automatically. The AdminCount attribute is set to 1 for accounts that are members of a privileged group.
When to use this rule
You can use this rule to suspend the Active Directory user accounts. You should limit the maximum number of users to suspend in the selected scope.
Rule settings
Query section
| Setting name | Description |
|---|---|
| Limit scope to this domain or OU |
This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature. |
| Query criteria |
Query criteria are sent with the query and may improve query performance. TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings. |
| Filter |
Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting. Example: filter by the found object Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Properties to display |
Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query. To display additional columns, add the required properties to the Properties to display list. To add extension attribute 1 that is synchronized from AD, you need to use a value like:
Copy
|
| Maximum number of users | Specify the maximum number of users to suspend in the selected scope. |
| Other Query Settings | |
| System properties | List of properties required for this rule to be executed correctly. |
| LDAP filter |
Set the filtering conditions to only return objects or data that need to be processed by the rule. This filter overrides the Query criteria setting. |
| Sort by | Sort result object list. |
| Map to Text File | |
| Select data source |
Specify the text file to be imported. The […] (three dots) button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor. |
| Separator used in file | Specify the separator used in the source CSV file. |
| Data source anchor attribute | Select a column in the data source that contains the attribute value for identifying and mapping a computer. |
| Inactive Users Filters | |
| Account status |
Specify user account status:
|
| Expired accounts only | Specify if only expired accounts should be included. |
| Days since expiration |
Specify the number of days since expiration. NOTE: The Days since expiration option works only if the Expired accounts only is set to Yes. |
| Days since last logon | Specify the number of days since the last logon. |
| Days since password last set | Specify the number of days since the password was last set. |
| Days since account creation | Specify the number of days since the account creation. |
| System anchor attribute | Specify user anchor Active Directory attribute. |
| Initialization Script | |
| Initialization script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: Example: Update AD users, created in the last ten days.
|
Action section
| Settings name | Description |
|---|---|
| AD Suspend configuration |
Specify the existing AD users suspend configuration to be applied during the computer suspend. You can use the default suspend configuration or create a custom one. Learn more in: |
| Microsoft 365 Suspend configuration | Select an existing Microsoft 365 Suspend configuration that will be used to suspend related Microsoft 365 user accounts. |
| Additional Related Accounts | |
| Suspend related admin account |
Employees may have secondary AD user accounts, linked to their primary AD user accounts by an anchor attribute. These accounts are called related admin accounts.
|
|
NOTE: If the Suspend related admin account setting is No, anchor attribute settings are ignored. If you need to suspend the related admin account, specify the primary and secondary AD account anchor attributes to link these accounts. |
Output section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.
Change History
| Version | Notes |
|---|---|
| 10.3.0 | The rule has been introduced in the product. |
Comments
0 comments
Please sign in to leave a comment.