Skip to main content

Articles in this section

See more
Print

AD Users | Set Attributes Value rule

  • Updated

AD Users | Set Attributes Value rule

Rule description

This rule queries the specified Active Directory scope and for each returned user sets or clears the specified Active Directory attribute.

When to use this rule

There is also the AD Users | Copy or Move Attribute Values rule that queries the specified Active Directory scope and for each returned user copies or moves values between the source attribute and the target attribute.

Use this rule when you need:

Rule settings

Query section

Setting name Description
Query section

Limit scope to this domain or OU

 

This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.

Query criteria

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.
Maximum number of users Specify the maximum number of users to modify in the selected scope.
More options

Filter

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.

Properties to display

 

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

Copy
"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"
Sort by Sort result objects list.
Initialization Script

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Action section

Setting name Description

Attribute(s)

 

Select an attribute from the list.

You can select multiple attributes. In this case, all these attributes would be cleared or set to the value specified in the Value setting.

Value

 

Set attribute(s) value.

Example 1: Append some text to AD Users DisplayName attribute.

$($FoundObject.DisplayName + "teststring")

NOTE: You must add DisplayName attribute to Returned properties list.

Example 2: Change all phone numbers from this format 111.222.3333 to this format 111-222-3333.

{[String]::Format('{0:###-###-####}',[Int64]($FoundObject.telephoneNumber -replace '\D+(\d+)','$1'))}

NOTE: You must add telephoneNumber attribute to Returned properties list.

Example 3: Disable Active Directory user:

$($FoundObject.userAccountControl -bor 0x2)

NOTE: You must add userAccountControl attribute to Returned properties list.

Example 4: Set accountExpires attribute to expire in 90 days from now.

([DateTime]::Now.Date.AddDays(90))

Example 5: Update multi-valued virtual attribute. 

["val1","val2","val3"]

Update method*:

Select the update method for the attributes value:

  • Always update: Forces the attribute to update regardless of its current value.

  • Only update empty values: Updates the attribute only if it is currently empty.

  • Only update on value difference: Updates the attribute only if the new value differs from the existing one.

Simplified output*:

When set to Yes, the output displays the user attribute values as they were initially queried, providing faster performance.

When set to No, the system re-queries and verifies the values after the update, ensuring the output reflects the true final values. Choosing No may slow performance when handling large datasets due to the additional verification step.

Account

First name Specify the user’s given name (first name).
Initials Set or update the user’s middle initials.
Last name Specify the user’s surname (last name).
Display name The full name as displayed in directory services.
Description Provide a field for entering an optional description for the account.

Settings

Must change password at next logon Determines if the user must change their password upon their next sign-in.
New password Defines if a new password is generated. Select the Generate random password option to generate a new random password for each affected user.
Account enabled Specifies whether the account is active and can be used.
Password is not required Indicates if a password is needed for the account.
User cannot change password Prevents the user from changing their password.
Password never expires Ensures that the password remains valid indefinitely without expiration.
Smart card is required Requires the user to sign in using a smart card.
Account expiration date Specify a date when the account will expire and become disabled.
Do not require Kerberos preauthentication Enables the user to skip Kerberos preauthentication.
Organization
Office Update or set the office location of the user.
Job title Update or set the user's job title.
Department Update or set the department where the user works.
Company Update or set the name of the company the user works for.
Employee number Update or set the user's employee number.
EmployeeID Update or set the user's employee ID.
Division Update or set the division of the company the user is part of.
Manager Update or set the user's manager.
Contact info 
Country Update or set the user's country.
Office phone Update or set the user's office phone number.
Mobile phone Update or set the user's mobile phone number.
Street address Update or set the user's street address.
City Update or set the user's city.
State Update or set the user's state or region.
Postal code Update or set the user's postal code.
Other properties
Select columns from the source data and matched attribute Select additional properties based on the source data and corresponding matched attributes.
Other properties script Allows configuring advanced property matches using a script.
More options
Write Change History

Define logging behavior when you use the rule:

  • Always. Log changes to objects every time you run the rule.

  • For post-action scenarios only. Log changes to objects every time the rule is used as a post-action rule.

  • Never. Do not log changes to objects made using the rule.

The default behavior is defined in Configuration > Settings > Change History.

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule Section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

Change history

Version Notes
13.1 The Write Change History setting has been added.
11.3.1 The Action section has been updated.
7.3.1 The Initialization Script section has been added.
5.4.0 The rule can be linked to web actions in Rules to run after this rule section.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.