Overview
AD Users web query displays Active Directory user objects, located in the domain or OU selected as a scope for the query. Default AD Users web query is included in the built-in Active Directory Admin Unit, and a custom copy of the AD Users web query is copied to every new custom Admin Unit.
Web queries in a custom Admin Unit are used as a scope for role delegation and attribute policy. When limiting the scope of web queries to a specific OU, you limit the scope of objects available for management to delegated administrators.
For more information, please see the New Virtual Admin Units article.
Active Directory Users query settings
Setting name | Description |
---|---|
Limit scope to this domain or OU |
This setting defines the scope of objects to include in the Admin Unit. The scope for the default AD Users web query, which is included in the built-in Active Directory Admin Unit, is set to the default domain. Thus, the default AD Users web query enumerates all objects in the default domain, including system and built-in Active Directory accounts. The scope for the custom AD Users web query, which is included in the custom Admin Unit, is defined as the Admin Unit scope during Admin Unit creation. |
Query criteria |
Use Query criteria to filter out particular objects by their property values. Query criteria are sent with the query to the target system, so filtering is done by the target system before it returns the result set. The default value for this setting is specified in the Web query default filter in Active Directory extension settings, where it is set to include all objects by default.
Tip: For different samples on the criteria builder, see KB20180410-1.
|
More Options |
|
Properties to display |
Specify properties to display as columns in the web query result grid. The default columns set for the web query are defined in the Active Directory extension Customize Columns section. To display additional columns, add the required properties to the Properties to display list. |
Other required properties |
Advanced setting to define the list of properties required for this rule to be executed correctly. |
Filter |
Specify additional filter conditions to hide unwanted data based on criteria, not supported by Active Directory query. For example, to filter out objects by the part of their Distinguished Name.
Tip: For optimal performance, use the Query criteria above to filter objects whenever possible.
|
Domain Controller |
Note: Starting from the 8.4.0 version this setting was deprecated.
This setting defines the domain controller to run the AD Users web query.
|
Credentials |
Note: Starting from the 8.4.0 version this setting was deprecated.
This setting defines the credentials for the domain controller defined in the previous setting.
|
Sort by |
Specify property to sort the result object list. |
Disable partial name search |
Use this setting to improve search performance by removing part of the filter by name. |
Global search mode |
Specify the Global Search mode:
|
Additional query criteria |
If set, these additional criteria will be used with all object pickers used with this query. Note that if the attribute in this criteria does not exist for the picker object type (e.g. user attributes for group pickers), the filter will not work correctly. If you want these criteria to work with some object pickers but not others, you can disable the use of these additional criteria per picker type in the object picker configuration. Example: Exclude some users from the search. |
Default number of objects to show |
Specify the number of objects to display in this web query in the Web Portal. The global Web Portal setting from the Web Portal Customization > Default number of objects to show is used by default. |
Action and Picker Scopes |
|
Default OU for the new user |
Specify default OU where new user objects will be created when running New User or Clone User commands from this web query. The default AD Users web query, which is included in the built-in Active Directory Admin Unit, has this setting set to the default domain address. The custom AD Users web query, that is included in the custom Admin Unit, has this setting set to match the Admin Unit scope (Organizational Unit), selected during Admin Unit creation. Note: If you need to get the connected user domain and use it as a default value for Create In field in New objects web actions you should set the Default OU value to the Connected user domain.
|
Default OU for new group Default OU for new computer Default OU for new object |
Each web query has the same settings that define default OUs for new objects. But in fact only one of these settings matters that match the web query object type: for AD Users query - Default OU for a new user, for AD Groups query - Default OU for a new group, etc.
|
Default Domain |
This setting defines the default UserPrincipalName suffix. For example, @cayo.com. The Default Domain value is the default domain suffix for the current forest. It is defined in the Forest Settings in the Active Directory extension. |
Additional Scope(s) for Object Selection |
Use this setting in two primary scenarios:
Object Picker dialog is used on multiple forms. Object Picker dialog appears when you need to select an object inside the form. For example, in Add to Groups form when selecting groups, the Properties form when selecting the user's manager, and so on. By default, this setting is empty, and only objects from the scope, specified in the Limit scope to this domain or OU setting, would be listed on Object Picker. To allow delegated administrators to select objects from additional Organizational Units, add those OUs to the Additional Scope(s) for Object Selection setting. Example: Let the AD Users web query scope is limited by OU=OU1,DC=cayo,DC=com. We need to add User1, located in OU1, to Group1, located in OU3, and to groups, located in OU2. In Additional Scope for Object Selection specify the distinguished names: CN=Group1,OU=OU3,DC=cayo,DC=com and OU=OU2,DC=cayo,DC=com. Both these objects are not included in AD User's web query scope. In this case, when you add a user to a group, you could add this user not only to groups located in OU1 but also to Group1 in OU3 and groups located in OU2. You would be able to find and select these groups in the Object Picker dialog. |
Move Scope(s) |
Specify additional scopes to search for Organizational Units on the Object Picker dialog. Object Picker dialog appears when you need to select an object inside the form. Object Picker dialog is used on Move forms for Active Directory users, groups, contacts, and computers. By default, this setting is empty, and only OUs from the scope, specified in the Limit scope to this domain or OU setting, would be listed on Object Picker. To allow delegated administrators to move objects to additional Organizational Units, add those OUs to the Move Scope(s) setting. Example: Let the AD Users web query scope is limited by OU=OU1,DC=cayo,DC=com. We need to move User1, located in OU1, to OU2. In Move Scope(s) specify the distinguished name of an additional OU: OU=OU2,DC=cayo,DC=com. This OU is not included in the AD Users web query scope. In this case, when you move a User1 to another OU, you could move this user not only to OUs located in OU1 but also to OU2. You would be able to find and select this OU in the Object Picker dialog. |
Move Scope(s) Search Depth |
You could select the depth of the moving scope. There are two options:
|
Suspend Configration |
|
AD User Suspend configuration | Specify AD User Suspend configuration. By default, it is taken from the Admin Unit settings. |
Microsoft 365 User Suspend configuration | Specify Microsoft 365 User Suspend configuration. By default, it is taken from the Admin Unit settings. |
AD User Undo Suspend configuration | Specify AD User Undo Suspend configuration. By default, it is taken from the Admin Unit settings. |
Microsoft 365 User Undo Supend configuration | Specify Microsoft 365 User Undo Suspend configuration. By default, it is taken from the Admin Unit settings. |
Regional Settings |
|
Default Country/region |
The default value for this setting is specified in the Default country/region setting in the Active Directory extension and set by default to the computer location where Administration Service is running. When a new Active Directory user is created in the Web Portal, the Default country/region value is set to a user country. Then, if a cloud user account is provisioned for this user in Office 365, a user country is automatically used as Office 365 usage location. For more information about Office 365 settings, please see Microsoft Office 365 extension settings article. |
Default user language Time zone |
The default values for these settings are specified in corresponding settings in Microsoft Office 365 extension, Other User Provisioning Settings section. The values of Default User Language and Time zone settings will be used as default in the Regional settings section in New User | Office 365 Mailbox post creation tasks rule. |
Office 365 License Quota |
|
Enable quota management Licenses list with settings Licensing quota notification contacts
|
Cayosoft Administrator allows allocating Office 365 licenses and assigning quota limits by Administrative Units. For example, having configured an Administrative Unit per department and then configuring License Quota in AD Users web queries on these Administrative Units, you will prevent local department IT to over-use the Office 365 licenses and will get an overview of over-and under-use across departments. For step-by-step configuration instructions, please see Office 365 License Quotas article. |
Web Actions tab
For details please see this article: Re-arranging Web Queries actions – Cayosoft Help Center.
General settings
Setting name | Description |
---|---|
Replace Web UI Help URL |
In Cayosoft Web Portal each web query has a help link that opens the corresponding section in Cayosoft documentation. If you need you can replace the default link with your custom link to your intranet portal, for example. |
Change History
Version | Notes |
---|---|
11.3.0 | The Default number of objects to show setting has been added. |
10.3.0 |
|
8.4.0 |
|
7.1.0 |
Disable partial name search setting is added. |
Comments
0 comments
Please sign in to leave a comment.