Search functionality in Active Directory web queries

Overview

Using the Cayosoft AdministratorWeb Portal, you can search for directory objects (such as users, groups, and computers) through web queries. These queries enable admins to locate resources based on a set of flexible criteria within the Web Portal, streamlining day-to-day administration and delegated tasks.

A key feature of Cayosoft search experience is the Quick Search box found in most web query grids. Whether quick search matches only the start of a value (“starts with”) or any part of a value (“contains”) depends on the target system (Active Directory vs. Microsoft 365) and specific settings described below.

Executing a search in web queries

Every directory search (for users, contacts, groups, etc.) is performed by running a web query. Web queries are configured in the Cayosoft Administratorconsole for specific object types, search scopes, and result filters. Admins and help desk agents use the Web Portal interface to run queries interactively, quickly narrowing down results for directory management and troubleshooting.

Supported search algorithms

• AD web queries support substring (partial name) search and wildcard search algorithms. You can disable the substring search logic to improve performance in your environment; refer to the Notes section for additional information.

• Microsoft 365 web queries always use the "starts with" logic as Microsoft Graph API does not support wildcard or “contains” searches by default. Review the following article for additional information on customizing the behavior: Configuring Microsoft 365 Web Queries for partial name object search.

Quick search logic in Active Directory web queries

Active Directory web queries support substring (partial name) and wildcard search logic. Depending on the context, output may differ:

• When you use Web Portal, results are based on the Ambiguous Name Resolution (ANR) algorithm. Results depend on the specific query as specific AD configurations may include different attributes for ANR. For example, when you run a search in the AD Users web query, Cayosoft Administrator runs a substring search based on the UPNs; in the AD Groups web query, Cayosoft Administrator performs a partial search based on the group names.

• When you use Public API, a DN returns exact matches for DistinguishedName; a UserPrincipalName returns exact matches for UserPrincipalName.

• When you use Public API, a generic string search returns results based on the ANR algorithm; depending on whether substring search is enabled, one of the following options is possible:

  • Partial name search enabled: anr -eq "value" -or Name -like "*value*"

  • Partial name search disabled: anr -eq "value"

For additional information about ANR, refer to the following article: MS-ADTS: Ambiguous Name Resolution | Microsoft Learn.

Quick search input patterns and interpretation

Notes specific to AD web queries:

• ANR is used when you do not specify wildcards. The ANR algorithm targets name-related attributes and verifies if they contain the searched items (e.g., displayName, givenName, sn, samAccountName).

• If partial search is disabled in your environment, entries with asterisks (e.g., "*test", "*test*") will not be applied; only explicit 'starts with' searches ("test*") work.

• Literal asterisks are treated as wildcards. If you need to search for a literal * sign, escape it. It is recommended to use exact filtering in the Cayosoft Administrator console if necessary.

Notes specific to Microsoft 365 web queries:

• Microsoft Graph only supports "starts with" ("test*") searches. "*test" and/or "*test*" searches are not supported. Web Portal may change your input to align with the "starts with" behavior; alternatively, Cayosoft Administrator may throw an exception for invalid wildcard pattern (as described later in the M365 section).

Filtering steps (combined with AND logic)

When a Web Query runs, several layers of filtering are applied in sequence. Understanding these layers helps explain why certain objects appear—or do not appear—in the results.

1. Quick search — the value the user enters in the Web Portal search box. This is applied first and restricts results based on the Quick Search logic described above (ANR for AD, "starts with" for Microsoft 365, etc.).

2. System-native query filter (Query criteria) — the built‑in filter configured on the Web Query itself in the Administrator Console. This defines the base scope of the Web Query, such as “only users,” “only mail-enabled groups,” “only objects in this OU,” etc.

3. Settings — additional filtering options exposed as simple checkboxes or dropdowns in the Web Query configuration (for example: Show only active accounts, Hide guest users, User type = Member, etc.). These are convenience options added to simplify configuration for administrators.

4. Post-filter — an additional filter applied after the main query executes. This is used only when a condition cannot be implemented using Query criteria or built‑in Settings (for example, filtering based on computed values or complex attribute rules).

Objects in the search output must meet all the filter criteria to appear in results (AND logic).

IMPORTANT: Generic web queries (AD Users, Computers, Groups, Contacts) return only in‑scope, non‑deleted objects. Deleted objects are not part of these query result sets. To view deleted objects, use dedicated Recycle Bin web queries with Cayosoft Guardian integration enabled (e.g., Active Directory / Recycle Bin (on‑prem AD), Microsoft 365 / Recycle Bin (Users), Microsoft 365 / Recycle Bin (Groups). If Cayosoft Guardian integration is disabled, Recycle Bin web queries are unavailable; deleted objects will not be shown.

Quick search logic in Microsoft 365 web queries

Microsoft 365 web queries use the same search logic because they rely on Microsoft Graph API, which supports only StartsWith matching and does not support wildcard or “contains” searches. Quick search evaluates the following attributes depending on the object type:

• Users: Username (userPrincipalName), Display name (displayName), First name (givenName), Last name (surname), Mail (mail)

• Groups: Display name (displayName), Mail (mail), Mail nickname (mailNickname)

• Other Microsoft 365 Web Queries: Use the same StartsWith behavior against their object‑specific searchable attributes.

Search behavior rules:

• If the value does not begin with * → Quick Search performs a StartsWith match across the searchable attributes.

• If the value begins with * → the leading * is ignored and the search performs an exact‑equals match to the remaining string.

• If the value ends with * → the pattern is not supported and the search fails with the error: “Error while parsing filter.”

• Wildcard contains patterns (*value*) are not supported by Microsoft Graph and will not work.

• Filtering steps (AND logic) still apply afterward: Quick Search → Query Criteria → Settings → Post Filter.

Notes

• In larger environments with more than 50000 AD user objects, search performance may be affected by the substring search. To improve the performance, disable the substring search feature in the entire AD extension or specific affected web queries. For additional information, refer to the AD extension settings article: Active Directory extension settings.

  NOTE: Disabling the partial name search feature does not affect the asterisk search functionality in Cayosoft Administrator.