Active Directory extension settings

Overview

Cayosoft Administrator Active Directory extension provides provisioning, update, suspension, and management of accounts and objects stored in the on-premise Active Directory.

To manage objects in Active Directory, the Cayosoft Administrator requires connection settings to be specified. These settings are displayed in the Active Directory extension in the Cayosoft Administrator console. In addition to Active Directory connection settings, there are settings for the Cayosoft Administrator automation rules and Web actions.

Note: To find the Active Directory extension in Cayosoft Administrator Console please navigate to Home > Configuration > Connected Systems Extensions > Active Directory.

Setting name	Description
Extension is enabled	Enable or disable the Active Directory extension. Please, see the Select Extensions article section to determine which extensions could be used in your environment.
Active Directory default credentials	Specify the account to connect to Active Directory Domain Controller(s). Active Directory connection account, specified in the Active Directory domain credentials setting, must have the Domain Admin permissions (or up to the level required for desired tasks to be completed). For more information, please see System Requirements and Permissions required for Active Directory management articles.
Managed domains	Note: Starting from the 8.4.0 version multiple Active Directory forests can be managed with a single installation of Cayosoft Administrator. An administrator can connect Cayosoft Administrator to several Active Directory forests, and then delegate and automate account management in those forests from a single console and web portal. The Managed Domains table has the list of Active Directory domains available for management. All managed domains are grouped by forests: All domains from the forest where the Cayosoft Administrator service is installed. Forests with trusted domains. Trusted domains are the domains that have trust with the domain, where the Cayosoft Administration service is running. Trusted domains are used during operations with Exchange-linked mailboxes and in the AD Users \| Create User Copy in Another Domain automation rule. Forests with untrusted domains. To view or modify Forest settings you should click Configure. Managed domains setting works as follows: Cayosot Administrator service enumerates all domains from the forest where the service is installed and all trusted domains. If the ADWS service is stopped on the selected domain controller when the Cayosoft Administrator service is starting, this domain will not be displayed on the list. In each domain DС is automatically selected during initial discovery, using the DC Auto selection method. You can set Alternative DC to use in case the primary DC is identified as unavailable. Tip: If you select Domain Controller manually, we recommend selecting the one that is close to the Cayosoft Administrator Service and is not under high load by other services. Specify credentials manually for each forest and its domains in the list. Use Default Credential setting uses the credential specified in Active Directory default credentials. If domain credentials are not specified, forest credentials are used. If forest credentials are not specified Active Directory default credentials are used. If there are some domains you don't need to manage, you can uncheck them to disable them. If a domain is disabled, it is not available for management, and the objects from this domain are also excluded from the Global Search. Click Add... to add new trusted or untrusted forests and their' domains for management. If you added a new domain to one of the managed forests or added a new UPN suffix to a domain, you should click Discover to see this domain in the Managed Domains list. After that, you will see a new domain suffix in web actions in the Web Portal and can use it in automation rules in the Administrator Console. If you see the domain name displayed in red, it means this domain is not available for management. At some point in the past, the domain was available, and the Domain Controller or credentials for this domain were specified manually and saved. But now when the Cayosoft Administrator service enumerated domains on start, this domain was not found in the domains list. To remove deleted domains, domains' suffixes, and domains and forests that were added manually click Clear. It will also clear DC credentials and other settings in the table. Then a domain discovery procedure will be run to add the default list of managed domains and trusted forests with default settings.
Forest Settings	You should click Configure to view or modify Forest settings. Default forest credentials - default value is set to <Use Default Credentials>, which points to Active Directory domain credentials. Default domain - It is defined automatically. By default, this setting is set to the domain where the Active Directory connection account is located. The value of this setting is used as the default scope in the Limit scope to this domain or OU setting for Active Directory automation rules. Global Catalog server - it is selected by default. Please, be sure that the correct Global Catalog server was selected. Global Catalog server is used in Global Search functionality and automation rules. Note: If the forest name is displayed in red, it means that the Global Catalog server is unavailable. Alternative Global Catalog server - you can set another Global Catalog to use in case the primary Global Catalog is identified as unavailable. Default domain suffix - specify the default domain suffix to use as a UPN suffix during the creation of new objects. Exchange management - specify the scenario for the Exchange management that you plan to use in your environment: Enabled for all recipients, with Exchange Extension. Enabled for remote recipients only, with direct attributes update in AD. Enabled for remote recipients only, using Exchange Management Tools (This functionality is available starting from the 11.2 version of Cayosoft Administrator). Disabled - no mailbox management actions are available for Active Directory objects. A Delete button on the Forest Settings form if the forest is untrusted allows deleting the forest from the Managed Domains table.
Default country/region	By default, this setting is set to the computer region of the computer running the Administration Service. When a new user is created in the Web portal or by Cayosoft Administrator automation rules, the Default country/region value is set to a user country. Then, if this user is provisioned to Office 365, a user country is automatically used as an Office 365 location. For more information about Office 365 settings, please see Microsoft Office 365 extension settings article.
User Name Generation Rules (Web Interface)
Validate Display Name uniqueness	This setting allows turning on\off the uniqueness check of the Display Name user attribute.
Display Name generation rule Full name (cn) generation rule UserPrincipalName prefix generation rule SamAccountName generation rule Primary email prefix generation rule	Cayosoft Administrator can automatically generate object attributes. Select a generation rule from the list or create your own generation rule to satisfy your organization's requirements and policies. Tip: Use this video guide to learn how to use expression builder https://youtu.be/_og8UkUA5ho
Name conflict resolution	All naming attributes should be unique in Active Directory. Cayosoft Administrator provides automatic name uniqueness check and conflict resolution. A unique name can be generated with alternative generation rules and applying unique counters. Select the desired behavior when a name conflict is identified: Stop and notify the user Continue and suffix the user name with a numeric counter Try the alternative generation rule (see next section), and if fail-stop and notify a user Try the alternative generation rule (see next section), and if fail - continue and suffix the user name with a numeric counter For more information, please see the Name Conflict Resolution and alternative names generation section.
Alternate Name Generation Rules (Web Interface)
Alternate Display Name generation rule Alternate Full Name (cn) generation rule Alternate UserPrincipalName prefix generation rule Alternate SamAccountName generation rule Alternate Primary email prefix generation rule	If the Name conflict resolution option is set to Try alternative generation rule, and if fail-stop and notify a user or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, Cayosoft Administrator will use Alternate Name Generation Rules to generate attributes during user creation or user cloning. Select generation rules from the list or create your own generation rule to satisfy your organization's requirements and policies.
Counter format	If the Name conflict resolution option is set to Continue and suffix the user name with a numeric counter or Try alternative generation rule, and if fail - continue and suffix the user name with a numeric counter, the next available numeric counter will be added to the generated string. By default, the counter starts with 1. If you want to customize the counter format, use this setting to define the new format. For example, if you need to use two digits in the counter, you should enter 00 in the Counter format field.
Other User Provisioning Settings (Web Interface)
Run Mailbox post creation tasks Run Onedrive post creation tasks	The Run post creation tasks settings work as follows: The default value is No. Set this setting to Yes if you want to either create a mailbox or provision to OneDrive after these Web actions are completed: New User (AD), Clone User, Enable-Mailbox, New Linked Mailbox, and New User with Linked Mailbox. To run the post creation tasks, make sure that: Active Directory, Microsoft Hybrid, Microsoft Office 365. A corresponding Office 365 license is assigned to the user at creation, either manually or automatically. Corresponding post-creation rules are configured, see below. For more information, please see the Select Extensions article section to determine which extensions could be used in your environment. Important: The corresponding post-creation rules must be configured: New User \| Office 365 Mailbox post creation tasks New User \| Office 365 OneDrive post creation tasks
(Deprecated) Run Skype post creation tasks	Note: Skype for Business Online has been deprecated by Microsoft and replaced with Teams. The functionality provided by this Web Action does not fully apply to Teams and has also been deprecated. Please use the Teams Policies and Teams Voice Settings web actions to modify Teams properties for users.
Show email prefix and suffix	New User, Clone User, and other web action forms for the user have mailbox control buttons to select the mailbox creation options. These buttons are: No mailbox Exchange On-Premises Exchange Remote button Office 365 The Show email prefix and suffix setting work as follows: Set this setting to Yes if you want to show mailbox controls for email prefixes and suffixes in these Web actions: New User (AD), Clone User, Enable-Mailbox, New Linked Mailbox, and New User with Linked Mailbox. The default value is No. The display of mailbox control buttons depends on enabled Cayosoft Administrator extensions. For more information, please see the Select Extensions article section to determine which extensions could be used in your environment. Cayosoft Attribute policy can control the visibility of these buttons on Web action forms. For more information, please see the Set visibility of Mailbox buttons for New User, Clone User, and Enable-Mailbox Actions and Set the default Mailbox type button for New Shared, Room, and Equipment Mailboxes sections in the Attribute policy documentation.
Customize columns (Web Interface)
Default columns for AD Users query Default columns for AD Groups query Default columns for AD Computers query Default columns for AD Contacts query Default columns for AD Organizational Units query Default columns for AD Group members query	Cayosoft Administrator has centralized columns' settings for Active Directory Web queries shared among all Admin Units. You can customize the following column parameters: change column names, add or remove columns, and define whether each column is visible by default. Important: We recommend saving the default columns set so that you can revert changes to the default column list. For more information about column customization, please see the Web Query columns customization article.
Password Generation Options
Generated password length	When generating a new password, the Cayosoft Administrator will use this value for the new password length. For manually entered passwords, this setting determines the least number of characters that can make up a password for a user account.
Number of non Alphanumeric characters	Specify the number of nonalphanumeric characters the generated or manually entered password must contain.
Password policy	Password policy provides granular control over password complexity rules: Length & Character: Password length Alphabetical characters Numeric characters Special Characters Pattern & Sequence: Note: Prevent sequence of UserID characters in the password policy using the SamAccountName attribute as UserID. If a password policy is specified, the options 'Generated password length' and 'Number of non Alphanumeric characters' are ignored, only the password policy settings are taken into consideration when the Cayosoft Administrator generates new passwords or checks manually entered passwords for complexity. The password policy in Cayosoft Administrator should be at least the same complexity as you have in Active Directory and Microsoft 365 (if you're creating hybrid users). Otherwise, Cayosoft will allow you to create a weak password but then you may receive errors directly from AD or Microsoft 365 that the password does not meet the complexity requirements. Tip: After the password policy is configured, we recommend updating the Password complexity description, so that administrators and end-users can read the password requirements. Please, see the next setting.
Password complexity description	Specify the password complexity description. The description will be displayed on the Reset password form in the Web Portal. You can use HTML tags to format the text. Note: Password complexity description for Self-Service password reset could have its own text. For more information, please see Сonfiguration of Self-Service password & profile management article.
Cayosoft Suspend Policies (Legacy Policies)
Run related Office 365 user suspend and undo suspend	Specify whether to run related Office 365 user suspend and undo suspend actions when the Active Directory user is suspended or unsuspended.
Default user Suspend policy Default user Undo Suspend policy Default group Suspend Policy Default group Undo Suspend policy	Cayosoft Administrator provides suspend capabilities of user and group accounts in both Active Directory and Office 365. You can suspend users or groups manually via Web Portal and automatically with automation rules. Use these settings to specify default suspend policies for users and groups. For more information about suspend automation rules and suspend Web actions configuration, please see these articles: Using suspend policies with Cayosoft Administrator Creating and saving user suspend policies Best practices for suspending settings XML file usage
Cayosoft Suspend Default Configurations
Use modern suspend rules and configurations	Starting from the 10.3 version, Suspend Tool has been migrated to Administrator Service with significantly improved functionality. For details, please see this article about the New Suspend Configuration. For new installations, this setting is set to 'Yes' by default. For installations upgraded to 10.3 or above this setting is set to 'No' by default. If you want to use the New Suspend functionality you should set this setting to 'Yes'.
Default AD user suspend configuration	Specify the suspend configuration that should be applied during the object suspend. Each Suspend Configuration has several settings that are split into sections and should be customized based on your requirements. Here is the list of Active Directory Suspend Configurations with links to corresponding documentation articles: AD User Suspend AD User Undo Suspend AD User Terminate AD Group Suspend AD Computer Suspend (New functionality)
Default AD user undo suspend configuration
Default AD group suspend configuration
Default AD computer suspend configuration
Home Folder Acces Credentials
File shares	By default, Administrator Service uses the Active Directory default credentials to access the shared folders. Click Add Path to specify the SMB root folder (e.g. \\Server\HomeFolders\root) and credentials that will be used to access this folder. Different folders can have different credentials for access. if Active Directory default credentials are empty, and the Administrator Service is running under the Local System account you need to specify the shared folder credentials otherwise you will get the error. Note: Legacy Suspend does not support the new File shares setting. So, if you use the Legacy Suspend and plan to use the Home Folder to transfer the ownership you need to run the Administrator Service under the user account that has full access permissions to the folder as the service account. Please see this article: How to change the Service Account for Cayosoft Administrator – Cayosoft Help Center.
Advanced Settings
Web Portal scope DN (Distinguished Name) Web Portal computers scope DN (Distinguished Name) Web Portal groups scope DN (Distinguished Name)	These settings are deprecated. Use the AD Users, AD Groups, and AD Computers web queries in the Active Directory Administration Unit.
Create Active Directory object cache	If you have groups with large members lists of 8000 members or more, you may start experiencing delays opening the members list for these groups in the Web Portal. In this case, you can turn on AD caching to improve the performance of Membership and group Properties web actions: Set Create Active Directory object cache to Yes Save changes Navigate to Membership web action and group Properties web action and set Resolve and show member display names (legacy) also to Yes. Save Changes Restart the Admin Service When this setting is set to Yes, Admin Service loads and stores Display Name and User Principal Name values in the AD cache for all users from all managed domains in a forest where Cayosoft Admin Service is installed. So, when you click Membership web action group member details are taken from this cache, instead of searching AD.
Web query default filter	If you need to completely exclude certain users, groups, or computers from delegated management with the Cayosoft Administrator Web portal, specify the filter condition that will be applied to all default web queries: AD Users (including queries for inactive and locked out users), AD Groups, AD Computers, AD Contacts.
Disable partial name search	Use this setting to improve search performance by removing part of the filter by name. Disabling partial name search has an impact on user experience, see note below. Important: If you experience delays with queries in Web Portal and you have more than 50K user accounts, disable partial search. Be aware that administrators would have to specify the full user name or the first part of the user name ("starts with") to find an account. When a partial name search is enabled, an administrator can find users by specifying the part of their full name. For example, searching by "mith" would find "John Smith". Active Directory DS is not optimized for such queries. When there are 50K+ users in AD, such a query might take seconds for AD DS to execute.
Map cloud users by UPN	If you configure Azure AD Connect to use any attribute other than UserPrincipalName for the name of the AzureAD user, set this setting to No (try anchor attributes first). For details, see the How to map Active Directory users to Office 365 cloud users article.
DN lookup chunk size	If automation rule or web action uses bulk processing for object management, all objects are split into queries. This setting defines the maximum number of objects in one query. The default value is 500.
Operation timeout (minutes)	This setting defines the client-side timeout, the period the Cayo Administrator waits for Active Directory to respond. The default timeout is 2 minutes. When executing heavy queries against Active Directory, it is recommended to increase the Operation timeout to 10 minutes. An example of such a query could be the use of LDAP_MATCHING_RULE_IN_CHAIN in the AD Users membership rule for Dynamic Group when such a query should result in 20K+ items. Note: It is also recommended to increase the service-side timeout on the ADWS service side: Go to C:\Windows\ADWS Backup Microsoft.ActiveDirectory.WebServices.exe.config Open it for editing Find '<add key="OperationTimeout"' string and update its value, so it should look like this: <add key="OperationTimeout" value="00:10:00" /> Add new a string to a file right after the previous one: <add key="MaxPullTimeout" value="00:10:00" />
Dynamic Group target exclusions	This setting prevents selecting built-in AD groups as Dynamic Group targets to prevent escalation. You can set multiple values separated by ";", each value is a mask for target group DN. Example: CN=Builtin,DC=;CN=Users,DC=

Actions

Command name	Description
Check settings	Validate the specified settings and verifies that the account credentials are correct. Check if the shared folder specified in Home Folder Access Credentials > File shares exists and can be accessed by the specified account. But if the share is located on the same machine where Administrator Service is installed Check Settings command will always return success.
Clear DN Cache	This command clears the objects' Distinguished Name cache. This cache is used to improve the performance of objects' DN lookups.

Troubleshooting Active Directory connection issues

KB20160324-1 Troubleshooting Cayosoft Administrator Active Directory DC Connection Issues

KB20180815-1 Error "The server was unable to process the request..." when Cayosoft Administrator tries to connect to Active Directory

Change History

Version	Notes
11.2.0	'Enabled for remote recipients only, using Exchange Management Tools' has been added to the forest settings in the Managed Domain table.
11.1.0	The Home Folder Access Credentials section has been added.
10.3.0	Settings for the New Suspend functionality have been added.
9.3.0	The Run Skype post-creation tasks setting has been deprecated.
8.4.0	Multi-Forest management has been added.
7.3.1	The Show mailbox controls setting is renamed to Show email prefix and suffix. The Mail attribute generation rule (Primary SMTP) setting is renamed to the Primary email prefix generation rule.
7.3.0	Dynamic Group target exclusions and Map cloud users by UPN settings are added.
7.2.0	Clear DN Cache command is added.
7.1.0	Disable partial name search setting has been added.
7.0.0	Managed Domains setting is modified Forest Settings form is added The Discover button is added
6.3.1	Operation timeout (minutes) setting is added.
6.2.0	Validate Display Name uniqueness setting is added. Run related Office 365 user suspend and undo suspend setting is added.
6.1.0	New settings are introduced: DN lookup chunk size Default columns for AD Group members query

Articles in this section

Active Directory extension settings

Overview