Define and limit the scope of the web query. Split the entire scope into multiple queries to granularly manage the items.

Use the setting to filter out objects by the property values. Query criteria are sent with the query to the target system; the target system filters data before it returns the resulting set.

The default value for this setting is specified in the Web query default filter field in Active Directory extension settings, set to include all objects by default.

TIP: See How to use Query Builder dialog for Query Criteria and Filter rule settings for use cases.

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

Define a list of properties required for this rule to be executed correctly; use the list to create advanced filters. Refer to the following article for additional information: Using filters in web queries.

Specify additional filter conditions to hide unwanted data based on criteria not supported by Active Directory query. E.g., use the setting to filter out objects based on their distinguished names.

TIP: For optimal performance, use Query criteria above to filter objects whenever possible.

Specify the Global Search mode:

1. All enabled domains in all forests" (default)

2. All enabled domains in the home forest

Define additional criteria for all object pickers in this query.

IMPORTANT: If the attribute in this criteria does not exist for the picker object type (e.g., user attributes for group pickers), the filter will not work correctly.

If you want these criteria to work with some object pickers but not others, you can disable the use of these additional criteria per picker type in the object picker configuration.

E.g., exclude some users from the search: {-not (<AttributeName> -eq "<Value>" )}

Select the number of objects to display in the web query. By default, the global Web Portal setting from the Web Portal Settings > Default number of objects to show is used.

Specify default OU where new user objects will be created when running the New User or Clone User commands from this web query.

The default AD Users web query, which is included in the built-in Active Directory Admin Unit, has this setting set to the default domain address.

The custom AD Users web query, that is included in the custom Admin Unit, has this setting set to match the Admin Unit scope (Organizational Unit), selected during Admin Unit creation.

NOTE: If you need to get the connected user domain and use it as a default value for Create In field in New objects web actions you should set the Default OU value to the Connected user domain.

This setting defines the default UserPrincipalName suffix. For example, @cayo.com.

The Default Domain value is the default domain suffix for the current forest. It is defined in the Forest Settings in the Active Directory extension settings.

Use this setting in two primary scenarios:

1. Specify additional scopes to search for objects on various Object Picker dialogs when adding new groups, selecting manager, and other scenarios to add a reference to another object.

2. Specified scopes are also used in conjunction with the Allow membership changes for these groups setting on the Properties and Add to Groups web action to restrict groups that can be removed from the selected user account.

Object Picker dialog is used on multiple forms. The Object Picker dialog appears when you need to select an object inside the form. For example, in the Add to Groups form when selecting groups, the Properties form when selecting the user's manager, and so on.

By default, this setting is empty, and only objects from the scope, specified in the Limit scope to this domain or OU setting, would be listed on Object Picker.

To allow delegated administrators to select objects from additional Organizational Units, add those OUs to the Additional Scope(s) for Object Selection setting.

Example: Let the AD Users web query scope is limited by OU=OU1,DC=cayo,DC=com. We need to add User1, located in OU1, to Group1, located in OU3, and to groups, located in OU2.

In the Additional Scope for Object Selection, specify the distinguished names: CN=Group1,OU=OU3,DC=cayo,DC=com and OU=OU2,DC=cayo,DC=com. Both these objects are not included in AD User's web query scope. In this case, when you add a user to a group, you could add this user not only to groups located in OU1 but also to Group1 in OU3 and groups located in OU2. You would be able to find and select these groups in the Object Picker dialog.

Specify additional scopes to search for Organizational Units on the Object Picker dialog. The Object Picker dialog appears when you need to select an object inside the form.

The Object Picker dialog is used on Move forms for Active Directory users, groups, contacts, and computers.

By default, this setting is empty, and only OUs from the scope, specified in the Limit scope to this domain or OU setting, would be listed in the Object Picker.

To allow delegated administrators to move objects to additional Organizational Units, add those OUs to the Move Scope(s) setting.

Example: Let the AD Users web query scope is limited by OU=OU1,DC=cayo,DC=com. We need to move User1, located in OU1, to OU2.

In the Move Scope(s), specify the distinguished name of an additional OU: OU=OU2,DC=cayo,DC=com. This OU is not included in the AD Users web query scope. In this case, when you move a User1 to another OU, you could move this user not only to OUs located in OU1 but also to OU2. You would be able to find and select this OU in the Object Picker dialog.

You can select the depth of the moving scope. There are two options:

1. Scope OU(s) and all sub-OU(s) (Subtree) - Move users to any OUs that are located in the AD Users web query scope and to OUs defined in the Move Scope(s) setting, including its sub-OUs.

2. Scope OU(s) only (Base) - Move users only to OUs specified in the Move Scope(s) setting.

Define a country/region to assign to new users created in the Web Portal. If a cloud user account is provisioned for this user in Microsoft 365, a user country is automatically used as a Microsoft 365 usage location. The default value is set in the Active Directory extension settings > Default country/region setting.

For more information about the Microsoft 365 settings, see the Microsoft 365 extension settings article.

Define the default values for cases when a cloud user account is provisioned for AD users. The default values for these settings are specified in the Microsoft 365 extension settings > Other User Provisioning Settings section.

Values are used in the Regional settings section in New User | Office 365 Mailbox post creation tasks rule.

Cayosoft Administrator allows allocating Office 365 licenses and assigning quota limits by Administrative Units.

For example, having configured an Administrative Unit per department and then configuring License Quota in the AD Users web queries on these Administrative Units, you will prevent local department IT to over-use the Office 365 licenses and will get an overview of over-and under-use across departments.

For step-by-step configuration instructions, please see the Microsoft 365 License Quotas article.

1. Additional query criteria setting has been added.

2. Global search mode setting has been added.

3. Domain Controller and Credentials settings were deprecated.