Enable or disable the Active Directory extension.

See the Initial configuration wizard article section to determine which extensions could be used in your environment.

Specify the account to connect to Active Directory Domain Controller(s).

Active Directory connection account, specified in the Active Directory domain credentials setting, must have the Domain Admin permissions (or up to the level required for desired tasks to be completed).

For more information, see the Cayosoft Administrator System Requirements and articles.

Multiple Active Directory forests can be managed with a single installation of the Cayosoft Administrator. An administrator can connect Cayosoft Administrator to several Active Directory forests, and then delegate and automate account management in those forests from a single console and Web Portal.

The Managed Domains table has the list of Active Directory domains available for management.

All managed domains are grouped by forests:

1. All domains from the forest where the Cayosoft Administrator Service is installed.

2. Forests with trusted domains. Trusted domains are the domains that have trust with the domain, where the Cayosoft Administrator Service is running. Trusted domains are used during operations with Exchange-linked mailboxes and in the AD Users | Create User Copy in Another Domain rule.

3. Forests with untrusted domains.

4. To view or modify Forest settings you should click Configure.

Managed domains setting works as follows:

1. Cayosoft Administrator Service enumerates all domains from the forest where the service is installed and all trusted domains.

2. If the ADWS service is stopped on the selected domain controller when the Cayosoft Administrator Service is starting, this domain will not be displayed on the list.

3. In each domain DС is automatically selected during initial discovery, using the DC Autoselection method.

4. You can set Alternative DC to use in case the primary DC is identified as unavailable.

   If you select Domain Controller manually, we recommend selecting the one that is close to the Cayosoft Administrator Service and is not under high load by other services.

5. Specify credentials manually for each forest and its domains in the list. Use Default Credential setting uses the credential specified in Active Directory default credentials. If domain credentials are not specified, forest credentials are used. If forest credentials are not specified Active Directory default credentials are used.

6. If there are some domains you don't need to manage, you can uncheck them to disable. If a domain is disabled, it is not available for management, and the objects from this domain are also excluded from the Global Search.

7. Click Add... to add new trusted or untrusted forests and their domains for management.

8. If you added a new domain to one of the managed forests or added a new UPN suffix to a domain, you should click Discover to see this domain in the Managed Domains list. After that, you will see a new domain suffix in web actions in the Web Portal and can use it in automation rules in the Cayosoft Administrator.

9. If you see the domain name displayed in red, it means this domain is not available for management. At some point in the past, the domain was available, and the Domain Controller or credentials for this domain were specified manually and saved. But now when the Cayosoft Administrator Service enumerated domains on start, this domain was not found in the domains list.

10. To remove deleted domains, domains' suffixes, and domains and forests that were added manually click Clear. It will also clear DC credentials and other settings in the table. Then a domain discovery procedure will be run to add the default list of managed domains and trusted forests with default settings.

1. Default forest credentials - default value is set to

   <UseDefaultCredentials>, which points to Active Directory domain credentials.

2. Default domain - It is defined automatically. By default, this setting is set to the domain where the Active Directory connection account is located. The value of this setting is used as the default scope in the Limit scope to this domain or OU setting for Active Directory automation rules.

3. Global Catalog server - it is selected by default. Please, be sure that the correct Global Catalog server were selected. Learn more in Global Virtual Admin Unit for Global Search

   If the forest name is displayed in red, it means that the Global Catalog server is unavailable.

4. Alternative Global Catalog server -you can set another Global Catalog to use in case the primary Global Catalog is identified as unavailable.

5. Default domain suffix - specify the default domain suffix to use as a UPN suffix during the creation of new objects.

6. Exchange management -specify the scenario for the Exchange management that you plan to use in your environment:

   1. Hybrid Exchange - Enabled for all recipients, with Exchange Extension.

   2. Serverless Hybrid Exchange - Enabled for remote recipients only, with direct attributes update in AD.

   3. Exchange Management Tools - Enabled for remote recipients only, using Exchange Management Tools.

   4. Disabled -no mailbox management actions are available for Active Directory objects.

7. The Delete button on the Forest Settings form if the forest is untrusted allows deleting the forest from the Managed Domains table.

By default, this setting is set to the computer region of the computer running the Cayosoft Administrator Service. When a new user is created in the Web Portall or by Cayosoft Administrator automation rules, the Default country/region value is set to a user country. Then, if this user is provisioned to Office 365, a user country is automatically used as an Office 365 location.

For more information about Office 365 settings, please see Microsoft 365 extension settings article.

User Name Generation Rules (Web Portal)

This setting allows turning on\off the uniqueness check of the Display Name user attribute.

Cayosoft Administrator can automatically generate object attributes.

Select a generation rule from the list or create your own generation rule to satisfy your organization's requirements and policies.

Use this video guide to learn how to use expression builder Expression Builder for Generating UserNames

All naming attributes must be unique in Active Directory.

Cayosoft Administrator provides automatic name uniqueness check and conflict resolution. A unique name can be generated with alternative generation rules and applying unique counters.

Select the desired behavior when a name conflict is identified:

1. Stop and notify the user

2. Continue and suffix the user name with a numeric counter

3. Try the alternative generation rule (see next section), and if fail-stop and notify a user

4. Try the alternative generation rule (see next section), and if fail- continue and suffix the user name with a numeric counter

   For more information, review the following article: Uniqueness names generation in Attribute Policy .

If the Name conflict resolution option is set to Try alternative generation rule, and if fail -stop and notify a user or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, Cayosoft Administrator will use Alternate Name.

If the Name conflict resolution option is set to Continue and suffix the user name with a numeric counter or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, the next available numeric counter will be added to the generated string. By default, the counter starts with 1.

Alternate Name Generation Rules (Web Portal)

Select generation rules from the list or create your own generation rule to satisfy your organization's requirements and policies.

If you want to customize the counter format, use this setting to define the new format. For example, if you need to use two digits in the counter, you should enter 00 in the Counter format field.

Other User Provisioning Settings (Web Portal)

1. The default value is No.

2. Set this setting to Yes if you want to either create a mailbox or provision to OneDrive after these Web actions are completed: New User (AD), Clone User, Enable -Mailbox, New Linked Mailbox, and New User with Linked Mailbox.

3. To run the post-creation tasks, make sure that:

   • Active Directory, Microsoft Hybrid, Microsoft Office 365.

   • A corresponding Office 365 license is assigned to the user at creation, either manually or automatically.

   • Corresponding post-creation rules are configured, see below.

   For more information, please see Initial configuration wizard article section to determine which extensions could be used in your environment.

   The corresponding post-creation rules must be configured: New User | Office 365 Mailbox post creation tasks rule.

New User, Clone User, and other web action forms for the user have mailbox control buttons to select the mailbox creation options. These buttons are:

• No mailbox

• Exchange On-Premises

• Exchange Remote button

• Office 365

The Show email prefix and suffix setting work as follows:

1. Set this setting to Yes if you want to show mailbox controls for email prefixes and suffixes in these Web actions: New User(AD), Clone User, Enable-Mailbox, New Linked Mailbox, and New User with Linked Mailbox.

2. The default value is No.

   The display of mailbox control buttons depends on enabled Cayosoft Administrator extensions. For more information, please see Initial configuration wizard article section to determine which extensions could be used in your environment.

   The Cayosoft attribute policies can control the visibility of these buttons on Web action forms. For more information, see the following article: Use cases of attribute policies

Cayosoft Administrator has centralized column settings for Active Directory web queries shared among all Admin Units. You can customize the following column parameters:

• Add and remove columns.

• Name the columns.

• Define the column visibility.

IMPORTANT: It's recommended to hide the default columns instead of removing them to be quickly revert changes to the default column list.

For more information about column customization, see the How to customize columns in Web Portal article.

Password policy provides granular control over password

complexity rules:

1. Length & Character:

   1. Password length

   2. Alphabetical characters

   3. Numeric characters

2. Special Characters

3. Pattern & Sequence:

   NOTE: Prevent sequence of UserID characters in the password policy using the SamAccountName attribute as UserID.

   If a password policy is specified, the options 'Generated password length' and 'Number of non Alphanumeric characters' are ignored, only the password policy settings are taken into consideration when the Cayosoft Administrator generates new passwords or checks manually entered passwords for complexity.

   The password policy in Cayosoft Administrator should be at least the same complexity as you have in Active Directory and Microsoft 365 (if you're creating hybrid users).

   Otherwise, the product will allow you to create a weak password but then you may receive errors directly from AD or Microsoft 365 that the password does not meet the complexity requirements.

   TIP: After the password policy is configured, we recommend updating the Password complexity description, so that administrators and end-users can read the password requirements. Please, see the next setting.

Specify the password complexity description. The description will be displayed on the Reset password form in the Web Portal.

You can use HTML tags to format the text.

NOTE: Password complexity description for Self-Service password reset could have its own text. For more information, see the article.

Use these settings to specify default suspend policies for users and groups.

For more information about suspend automation rules and suspend Web actions configuration, please see these article: Best practices for suspending settings XML file usage.

For new installations, this setting is set to 'Yes' by default. For installations upgraded to 10.3 or above this setting is set to 'No' by default. To use the New Suspend functionality, set this setting to 'Yes'.

requirements. Here is the list of Active Directory Suspend Configurations with links to corresponding documentation articles:

1. AD user Suspend (default configuration) overview

2. AD user Undo Suspend (default configuration) Overview

3. AD group Suspend (default configuration) Overview

4. AD computer Suspend (default configuration) Overview

Home Folder Access Credentials

1. By default, the Cayosoft Administrator Service uses the Active Directory default credentials to access the shared folders.

2. Click Add Path to specify the SMB root folder (e.g. \\Server\HomeFolders\root) and credentials that will be used to access this folder.

3. Different folders can have different credentials for access.

4. ​if Active Directory default credentials are empty, and the Cayosoft Administrator Service is running under the Local System account you need to specify the shared folder credentials otherwise you will get the error.

   NOTE: Legacy Suspend does not support the new File shares setting. So, if you use the Legacy Suspend and plan to use the Home Folder to transfer the ownership you need to run the Cayosoft Administrator Service under the user account that has full access permissions to the folder as the service account.

These settings are deprecated.

Use the AD Users, AD Groups, and AD Computers web queries in the Active Directory Administration Unit.

If you have groups with large members lists of 8000 members or more, you may start experiencing delays opening the members list for these groups in the Web Portal.

In this case, you can turn on AD caching to improve the performance of and group Properties web action (Active Directory users) web actions:

1. Set Create Active Directory object cache to Yes.

2. Save changes.

3. Navigate to the Membership web action and group Properties web action and set Resolve and show member display names (legacy) also to Yes.

4. Save changes.

5. Restart the Cayosoft Administrator Service.

   When this setting is set to Yes, Cayosoft Administrator Service loads and stores Display Name and User Principal Name values in the AD cache for all users from all managed domains in a forest where Cayosoft Administrator Service is installed. So, when you click Membership web action group member details are taken from this cache, instead of searching AD.

If you need to completely exclude certain users, groups, or computers from delegated management with the Cayosoft AdministratorWeb Portal, specify the filter condition that will be applied to all default web queries: AD Users (including queries for inactive and locked out users), AD Groups, AD Computers, AD Contacts.

Disable the substring search functionality to improve the search performance in Active Directory web queries. This settings does not affect the ability to use the wildcard in Active Directory web queries (i.e., the asterisk operator). Disabling the substring search functionality has a direct impact on the user experience, refer to the following note for additional information.

IMPORTANT: If you experience delays with queries in Web Portal and you have more than 50K user accounts, disable partial search. Be aware that administrators would have to specify the full user name or the first part of the user name ("starts with") to find an account. When a partial name search is enabled, an administrator can find users by specifying the part of their full name. For example, searching by "mith" would find "John Smith". Active Directory DS is not optimized for such queries. When there are 50K+ users in AD, such a query might take seconds for AD DS to execute.

List the protocols separated by commas to look up existing 'mail'/'upn' values in the 'proxyAddresses' or 'targetAddress' attributes (e.g., 'SMTP,SIP,SPO').

IMPORTANT: Leave the field empty to increase the lookup scope to all mail protocols. This will affect the performance of Cayosoft Administrator.

If you configure Azure AD Connect to use any attribute other than User Principal Name for the name of the Entra ID user, set this setting to No (try anchor attributes first) . For details, see the How to map Active Directory users to Office 365 cloud users

If automation rule or web action uses bulk processing for object management, all objects are split into queries.

This setting defines the maximum number of objects in one query.

The default value is 500.

This setting defines the client-side timeout, the period the Cayosoft Administrator waits for Active Directory to respond. The default timeout is 2 minutes.

When executing heavy queries against Active Directory, it is recommended to increase the Operation timeout to 10 minutes.

An example of such a query could be the use of LDAP_MATCHING_RULE_IN_CHAIN in the AD Users membership rule for Dynamic Group when such a query should result in 20K+ items.

NOTE: It is also recommended to increase the service-side timeout on the ADWS service side:

1. Go to C:\Windows\ADWS

2. Backup Microsoft.ActiveDirectory.WebServices.exe.config

3. Open it for editing

4. Find '<add key="OperationTimeout"' string and update its value, so it should look like this: <add key="OperationTimeout" value="00:10:00" />

5. Add new a string to a file right after the previous one:

   <add key="MaxPullTimeout" value="00:10:00" />

1. Validate the specified settings and verifies that the account credentials are correct.

2. Check if the shared folder specified in Home Folder Access Credentials > File shares exists and can be accessed by the specified account. But if the share is located on the same machine where Cayosoft Administrator Service is installed Check Settings command will always return success.

1. The Show mailbox controls setting is renamed to Show email prefix and suffix.

2. The Mail attribute generation rule (Primary SMTP) setting is renamed to the Primary email prefix generation rule.

1. Managed Domains setting is modified

2. Forest Settings form is added

3. The Discover button is added

1. Validate Display Name uniqueness setting is added.

2. Run related Office 365 user suspend and undo suspend setting is added.