Published: 07/05/2018
Applies to: Cayosoft Administrator 5.2.0 or later.
Summary: User naming attributes such as UserPrincipalName, Full name (cn), and samAccountName must be unique among all security principal objects within a directory forest. Cayosoft Administrator can generate these names automatically when you create a new user in the Web Interface, based on the user's first and last names (and any other attributes you need).
These name generation settings can be defined on the Active Directory extension, the New User/Clone User web actions, and an Attribute Policy.
In this article:
- Name Generation overview
- Example: create an attribute policy for Display Name with alternate names resolution and counter
About generation rules
Generation rules in Web Interface
Cayosoft Administrator facilitates user creation by autogenerating naming attributes. After the admin enters the First and Last Names on the New User form, other attributes are populated automatically based on generation rules configured in the Administrator Console.
Default name generation rules are configured for the Display Name, Full name (cn), UserPrincipalName prefix, SamAccountName, and Mail properties in the Active Directory extension settings, and you can easily customize these rules so that they correspond to your organization's requirements and policies. These defaults are applied when a user runs the New User and Clone User actions. Name generation rules can also be controlled at the web action level, for the most advanced scenarios and edge cases. Out of the box, the name generation settings on the web actions (New User and Clone User) are set to use the default rules from the AD Extension.
So, if you want to use different generation rules for the New User and Clone User actions, you can change the 'Use default generation rule' setting to any of the other predefined values in the drop-down menu, or even create your own rules in Expression Builder (to do this, click the [...] button next to the desired attribute). To turn autogeneration off, select the 'No Generation' value.
If there is a need to use different generation rules in different locations, account types or other scopes, an Attribute Policy can be used.
So, on the New User and Clone User actions, the generation rule for any specific attribute is looked up in the following order:
- Attribute Policy
- Web Action
- AD extension.
For example, this is how our program looks for the generation rule for Display Name: first, it checks whether there is an appropriate Attribute Policy for the current scope and trustee (the user logged in to the Web Interface). If there is no such policy, it looks into the New User action settings, and if the action settings say to use defaults, it looks into the Active Directory extension settings.
In addition, some naming attributes (UserPrincipalName, Full name (cn), samAccountName) must be unique within the Active Directory forest. Cayosoft Administrator can also simplify name validation and automatically create a name that is unique in the environment (see the Name conflict resolution and alternative names generation section below in this article).
Generation rules in templates
Our template rules (for example 'Text file | Create AD Users', 'Import SQL Data | Create AD Users' or 'Import Oracle Data | Create AD Users') have very similar functionality for generating naming attributes for new users.
The only difference is that autogeneration can be set only directly in the rule settings; it is not affected by either the Active Directory extension settings or the Attribute Policies.
Name conflict resolution and alternative names generation
As mentioned above, naming attributes should be unique in Active Directory. By default, Cayosoft shows an error if the generated value already exists in the environment, and you need to correct the name manually to continue creating the user account. Instead of resolving such errors manually, you can use the Name conflict resolution option.
This option is also available in Active Directory extension, New User/Clone User web actions and Attribute Policy.
There are 4 settings for name conflict resolution:
- Stop and notify user - the default value of this setting. This means that if one of the naming attributes (Display Name, Full name (cn), UserPrincipalName prefix, SamAccountName, Mail) already exists in Active Directory, the wizard stops and shows an error message. You need to go back to the first page of the form and correct the duplicate value manually.
  For example, you have a common generation rule for Display name set to 'FirstName LastName' and are trying to create a user with First name: 'John', Last name: 'Brown'. Cayosoft Administrator will automatically generate the display name 'John Brown', and if it already exists, you will see an error after you click the Create button on the form and you'll need to return to the first page and correct the Display Name value.
- Continue and suffix the user name with a numeric counter. If you select this option, the numeric counter is added to the duplicated naming attribute automatically, and no errors appear in the wizard. By default the counter starts with 1.
  If you want to customize the format (start from a specific number or use 2 digits), you need to specify the format in the Alternate Generation Rules > Counter format field.
  For example, you have a common generation rule for Display name set to 'FirstName LastName' and are trying to create a user with First name: 'John', Last name: 'Brown'. Cayosoft Administrator will automatically generate the display name 'John Brown'. After you click the Create button, if a user with this display name already exists, the user is created automatically with a counter: 'John Brown1', and no error appears on the form.
- Try alternative generation rule on fail stop and notify user. In this case, if a user with the naming attribute already exists in AD, Cayosoft tries the alternative generation rule and shows an error only if the alternatively generated naming attribute also exists in the system. The alternative generation rules should be configured in the Alternate Generation Rules section, and they should be different from the common generation rules.
  For example, you have a common generation rule for Display name set to 'FirstName LastName' and an alternative generation rule 'FirstName FirstInitial. LastName', and are trying to create a user with First name: 'John', Last name: 'Brown', Initials: 'T'. After you click the Create button, if a user with the name 'John Brown' already exists in AD, Cayosoft will try to create 'John T. Brown'. If this user is also present in AD, it will show an error in the wizard and you have to go back to the first page and fix the names manually.
- Try alternative generation rule on fail continue and suffix the user name with a numeric counter. If this option is selected and the user already exists in the system, Cayosoft tries the alternative generation rule, and if such a user also exists, it adds a numeric counter to the name produced by the common generation rule.
  If you want to customize the format (start from a specific number or use 2 digits), you need to specify the format in the Alternate Generation Rules > Counter format field.
  For example, you have a common generation rule for Display name set to 'FirstName LastName' and an alternative generation rule 'FirstName FirstInitial. LastName', and are trying to create a user with First name: 'John', Last name: 'Brown', Initials: 'T'. After you click the Create button, if a user with the name 'John Brown' already exists in AD, Cayosoft will try to create 'John T. Brown'. If this user is also present in AD, it will create the user with the name 'John Brown1', and no error appears on the form.
The Name conflict resolution option is common to all naming attributes in the Active Directory extension and New/Clone User settings, and it can also be applied granularly in an Attribute Policy for individual naming attributes (Display Name, Full name (cn), UserPrincipalName prefix, SamAccountName, Mail).
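The four conflict resolution settings described above, modelled as an added example in Python (this is not Cayosoft's code). The function and class names, the in-memory set standing in for the Active Directory lookup, case-insensitive matching, and incrementing the counter until a free name is found are assumptions.

```python
from enum import Enum

class Mode(Enum):
    STOP = 1               # Stop and notify user (default)
    COUNTER = 2            # Continue and suffix with a numeric counter
    ALT_THEN_STOP = 3      # Try alternative rule, on fail stop and notify
    ALT_THEN_COUNTER = 4   # Try alternative rule, on fail suffix a counter

class NameConflict(Exception):
    """Stands in for the error the wizard shows for a duplicate value."""

def common_rule(user):     # 'FirstName LastName'
    return f"{user['first']} {user['last']}"

def alternate_rule(user):  # 'FirstName FirstInitial. LastName'
    return f"{user['first']} {user['initials']}. {user['last']}"

def resolve(user, existing, mode, counter_start=1):
    """Return a name not present in `existing`, or raise NameConflict."""
    # Assumption: names are compared case-insensitively.
    taken = {name.casefold() for name in existing}
    name = common_rule(user)
    if name.casefold() not in taken:
        return name
    if mode in (Mode.ALT_THEN_STOP, Mode.ALT_THEN_COUNTER):
        alt = alternate_rule(user)
        if alt.casefold() not in taken:
            return alt
    if mode in (Mode.STOP, Mode.ALT_THEN_STOP):
        raise NameConflict(f"'{name}' already exists")
    # The counter is appended to the common rule's output, not the alternate's.
    # Assumption: the counter keeps incrementing until a free name is found.
    n = counter_start
    while f"{name}{n}".casefold() in taken:
        n += 1
    return f"{name}{n}"

# Constructed sample data: an in-memory set stands in for the directory lookup.
USER = {"first": "John", "last": "Brown", "initials": "T"}
EXISTING = {"John Brown", "John T. Brown"}

if __name__ == "__main__":
    for mode in Mode:
        try:
            print(mode.name, "->", resolve(USER, EXISTING, mode))
        except NameConflict as err:
            print(mode.name, "-> error:", err)
```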
Example: create an attribute policy for Display Name with alternate names resolution and counter
Creating an Attribute Policy with proper scope
- Open Cayosoft Administrator console.
- Navigate to Configuration > Web Interface > Attribute Policies
- Click Add Attribute Policy at the top right
- Enter a name for the New policy, for example Sales Department Name Generation
- Expand the Policy Details of the new policy
- If you need the policy to be applied to everyone who is using Cayosoft Web Interface, leave the radio button ‘Policies Applied to everyone’ selected. Otherwise, select ‘Policies applied only to specific Trustees’, then click the Add button and select the required users or groups
- Click Add scope at the bottom right of the Policy Scope section
- In Specify Policy Scope dialog do the following:
  - Select the Active Directory admin unit in the first column (you can select any other AD units if needed)
  - Select the AD Users Web Query in the second column
    Note: You can select additional web queries if needed like AD User Templates, AD Users (Inactive), or AD Users (Locked out)
  - Select Properties in the third column
- Click OK
Add name generation rules to the Attribute Policy
In this example we will create a generation rule Surname + ', ' + GivenName for Display Name. Steps to create a rule for other naming attributes such as Full name (cn), UserPrincipalName prefix, SamAccountName, and Mail are the same.
- Click the scope in the policy to select it
- In the Attribute policy settings section, select the Display Name attribute (you can use search to find it)
- Click Edit Policy
- Select the "Generation value" checkbox and click the […] button to open Expression Builder
- In 'Join tokens method' section select 'With custom delimiter' radio button and enter ', ' (without quotes)
- In 'Tokens' section click 'Add...' button, select property 'Surname' in the opened dialog and click OK
- In 'Tokens' section click 'Add...' button again, select property 'GivenName' in the opened dialog and click OK
Note: SamAccountName and UserPrincipalName do not allow some special characters, so you also need to select the radio button 'Characters prohibited for SamAccountName/UserPrincipalName' for these properties to avoid errors on creation.
Note 2: SamAccountName is limited to 20 characters in Active Directory, so you need to select the Limit Length checkbox at the very bottom of the dialog and ensure that the value is set to 20.
- Click OK to close Expression Builder dialog
- Click OK to close Attribute Policy editor
- Save Changes
Add alternative name generation rule to Attribute Policy
In the example below, we will add an alternative name generation rule that continues on fail with a numeric counter to the attribute policy created earlier for Display Name.
- Click the scope in the policy to select it
- In the Attribute policy settings section, select the Display Name attribute (you can use search to find it)
- Click Edit Policy
- Select the Name conflict resolution checkbox and choose the 'Try alternative generation rule on fail continue and suffix the user name with a numeric counter' option in the drop-down list.
- Click the […] button to open Expression Builder
- In 'Join tokens method' section select 'With space character' radio button
- In 'Tokens' section click 'Add...' button, select property 'Surname' in the opened dialog and click OK
- Repeat this action to add Initials and GivenName properties
- Click OK to close Expression Builder dialog
Note: If you want the counter to start with a specific number, for example 5, you should enter 5 in the Counter format field.
Note 2: If you need to use 2 digits in the counter, you should enter 00 in the Counter format field.
- Click OK to close Attribute Policy editor
- Save Changes