This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

Defines the attribute in the AD LDS to which the Active Directory anchor attribute is to be compared.

When a new AD LDS account is created this value also specifies the Active Directory attribute into which the AD LDS anchor is written for comparison the next time the rule is executed.

Defines the attribute in Active Directory that will be used to determine if the AD LDS account already exists.

This value is compared to the AD LDS Anchor Attribute.

Other Query Settings

To display additional properties for each object found by the query, add those properties to the list.

List of properties required to this rule to be executed correctly.

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.

Sort result object list.

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

1. Add this initialization script

   Copy

   {$global:DatePeriod = (Get-Date).AddDays(-10)}

2. Use the $DatePeriod variable in the query criteria builder:

Connection Settings

Specify an application partition container where AD LDS accounts will be created.

The default value is defined in the Web Portal Settings section in AD LDS extension.

Populate AD LDS user properties from the selected AD master user account.

The default mapping is defined in the User Accounts section in AD LDS extension.

When set to Yes, the created AD LDS account is linked to the AD account using the objectSID attribute.

If AD account has a Linked Mailbox type, the link is established to the mailbox master AD account from the account forest.

Specify object class that is derived from the organizationalPerson class.

The default value is defined in the User Accounts section in AD LDS extension.

Settings for User Object Class

This setting defines the password for the new AD LDS account. This value can be a static text, can be taken from linked AD account or set to Generate Random Password.

These settings enable/disable the standard user object settings. 

Other Properties

Use this setting for a custom modification of AD LDS account attribute values.

Add to AD LDS groups