Value references

A value reference is a pattern of text that is replaced with the value of the referenced property. For example, value reference %description% will be replaced with the value of the Description property of an Active Directory object. To customize the resulting value, you can use formatting parameters.

General format

Value references have the following format:

 %propertyName[:lower|upper][,count][,char]%

where

  • % - the beginning and the end of a value reference.

  • [] - Specifies optional parameters.

  • propertyName - the LDAP name or alias of the property the value reference refers to.

  • lower|upper - the case of the resulting value.

  • count - the number of characters for the resulting value.

  • char - Specifies a padding character used to fill up the resulting value if its length is less than specified in the count parameter.

    Tip
    To use percent (%) as the padding character, specify it as %% in a value reference (e.g. %department,5,%%%).

Examples

  • Value reference %company% will be replaced with the value of the Company property.

      %company% => Acme
  • Value reference %company:lower,2% will be replaced with the first two characters of the Company property value in the lower case.

      %company:lower,2% => ac
  • Value reference %company,7,#% will be replaced with the value of the Company property. If the value contains fewer than 7 characters, the required number of # characters will be added to the value.

      %company,7,#% => Acme###

Note

When a property is updated using value references, the resulting value can contain characters illegal for the property. In this case, the characters will be removed from the resulting value. For example, for the sAMAccountName property the resulting value will not contain such characters as semicolon (;), asterisk (*), question mark (?), etc.
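
The general format and the removal of illegal characters can be modelled in a few lines of Python. This is an added example, not Adaxes code: the resolve function, the handling of unknown references, and the sAMAccountName character set (the one Windows documents as not allowed) are assumptions of the sketch.

```python
import re

# Grammar from the page: %propertyName[:lower|upper][,count][,char]%
# A percent sign used as the padding character is written as %%.
VALUE_REF = re.compile(
    r"%(?P<name>[A-Za-z][A-Za-z0-9-]*)"
    r"(?::(?P<case>lower|upper))?"
    r"(?:,(?P<count>\d+))?"
    r"(?:,(?P<char>%%|[^%,]))?%"
)

# Characters Windows does not allow in sAMAccountName; the page names
# ; * ? as examples. Used here to model the removal step from the Note.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')


def resolve(template, props, target_property=None):
    """Expand value references in template from the props mapping."""
    # LDAP property names are case-insensitive.
    lookup = {k.lower(): v for k, v in props.items()}

    def expand(match):
        value = lookup.get(match["name"].lower())
        if value is None:
            return match[0]  # assumption: unknown references are left as-is
        if match["case"]:
            value = getattr(value, match["case"])()  # str.lower / str.upper
        if match["count"]:
            count = int(match["count"])
            value = value[:count]  # keep the first count characters
            if match["char"]:
                # "%%" stands for a literal percent padding character
                value = value.ljust(count, match["char"][0])
        return value

    result = VALUE_REF.sub(expand, template)
    # Removal is applied to the resulting value, so padding characters that
    # are illegal for the target property disappear as well.
    if target_property and target_property.lower() == "samaccountname":
        result = "".join(c for c in result if c not in SAM_ILLEGAL)
    return result


if __name__ == "__main__":
    sample = {"company": "Ac;me"}  # constructed sample value
    print(resolve("%company,7,*%", sample, "sAMAccountName"))
```

Because removal happens after truncation and padding, the final value can be shorter than count, so length and uniqueness checks belong on the final value rather than on the template.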

Format of date/time value references

Value references that refer to date/time properties (e.g. Account Expires) have the following format:

 %propertyName[:format<SBL>dateFormat<SBR>][[,+/- count y][,+/- count M][,+/- count d][,+/- count h][,+/- count m][,+/- count s]][,HH:MM][,utc]%

where

  • % - the beginning and the end of a value reference.

  • [] - Specifies optional parameters.

  • propertyName - the LDAP name or alias of the property the value reference refers to.

  • <SBL> - the left square bracket (i.e. "[").

  • <SBR> - the right square bracket (i.e. "]").

  • dateFormat - the resulting date format (e.g. yyyy/MMM/dd HH:mm:ss).

    Format strings

    • y - The year, from 0 to 99 (e.g. 7).
    • yy - The year, from 00 to 99 (e.g. 09).
    • yyyy - The year as a four-digit number (e.g. 2020).
    • M - The month, from 1 to 12 (e.g. 3).
    • MM - The month, from 01 to 12 (e.g. 03).
    • MMM - The abbreviated name of the month (e.g. Mar).
    • MMMM - The full name of the month (e.g. March).
    • d - The day of the month, from 1 to 31 (e.g. 9).
    • dd - The day of the month, from 01 to 31 (e.g. 09).
    • ddd - The abbreviated name of the day of the week (e.g. Fri).
    • dddd - The full name of the day of the week (e.g. Friday).
    • h - The hour, using a 12-hour clock, from 1 to 12 (e.g. 4).
    • hh - The hour, using a 12-hour clock, from 01 to 12 (e.g. 04).
    • H - The hour, using a 24-hour clock, from 0 to 23 (e.g. 4).
    • HH - The hour, using a 24-hour clock, from 00 to 23 (e.g. 04).
    • m - The minute, from 0 to 59 (e.g. 8).
    • mm - The minute, from 00 to 59 (e.g. 08).
    • s - The second, from 0 to 59 (e.g. 5).
    • ss - The second, from 00 to 59 (e.g. 05).
    • tt - The AM/PM designator.
    • fff - The milliseconds (e.g. 000).
    • g - The period of era (e.g. A.D.).
    • timestamp - The resulting date will be formatted as timestamp representing the number of 100-nanosecond intervals since January 1, 1601 (UTC) up to the date specified in the property (e.g. 131849585281270650). Value references with this format can be used in LDAP search filters for properties of the timestamp type (e.g. (accountExpires<=%datetime:format[timestamp]%)).
    • yyyyMMddHHmmss.0Z - The resulting date will be converted into the Generalized Time format (e.g. 20201101180611.0Z). Value references with this format can be used in LDAP search filters for properties of the Generalized Time type (e.g. (whenCreated<=%datetime:format[yyyyMMddHHmmss.0Z]%)).
  • count - the number of years (y), months (M), days (d), hours (h), minutes (m) and/or seconds (s) that will be added or subtracted from the date specified in the property.

  • HH:MM - the time for the resulting date (e.g. 11:00).

  • utc - If specified, the resulting date will be converted to UTC, otherwise the date will be converted to the local time.

Examples

  • Value reference %pwdLastSet:format[timestamp]% will be replaced with a timestamp representing the number of 100-nanosecond intervals since January 1, 1601 (UTC) up to the date specified in the Password Last Set property.

      %pwdLastSet:format[timestamp]% => 131849589006564629
  • Value reference %accountExpires:format[yyyyMMddHHmmss.0Z]% will be replaced with the value of the Account Expires property in the Generalized Time format.

      %accountExpires:format[yyyyMMddHHmmss.0Z]% => 20201227000000.0Z
  • Value reference %accountExpires,+1d,,utc% will be replaced with the value of the Account Expires property plus 1 day and converted to UTC.

      %accountExpires,+1d,,utc% => 12/1/2020 4:17:00 PM
  • Value reference %accountExpires:format[dddd/MMMM/yyyy HH:mm:ss],,00:00% will be replaced with the value of the Account Expires property in the given format with time set to midnight.

      %accountExpires:format[dddd/MMMM/yyyy HH:mm:ss],,00:00% => Friday/November/2020 00:00:00
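
The two LDAP-oriented formats above, timestamp and yyyyMMddHHmmss.0Z, computed outside Adaxes so that resolved filters can be checked. This is an added example, not Adaxes code: the function names are hypothetical, and the accountExpires>=1 clause is an addition based on Active Directory storing 0 in accountExpires for accounts that never expire, which a bare <= comparison would also match.

```python
from datetime import datetime, timedelta, timezone

# Start of the timestamp scale: January 1, 1601 (UTC).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_timestamp(dt):
    """format[timestamp]: 100-nanosecond intervals since 1601-01-01 UTC."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    # Integer arithmetic only, so large values are not rounded by floats.
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def from_timestamp(ticks):
    """Inverse of to_timestamp, at microsecond precision."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def to_generalized_time(dt):
    """format[yyyyMMddHHmmss.0Z]: Generalized Time, always in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def expired_accounts_filter(now, days=0):
    """Filter for accounts whose expiry lies at or before now + days.

    accountExpires is 0 for accounts that never expire, so the lower
    bound keeps them out of the result (addition of this example).
    """
    ticks = to_timestamp(now + timedelta(days=days))
    return f"(&(accountExpires>=1)(accountExpires<={ticks}))"


def created_before_filter(now, days=0):
    """Filter for objects created at or before now + days."""
    stamp = to_generalized_time(now + timedelta(days=days))
    return f"(whenCreated<={stamp})"


if __name__ == "__main__":
    # Timestamp value taken from the format description on this page.
    moment = from_timestamp(131849585281270650)
    print(moment.isoformat())
    print(expired_accounts_filter(moment))
    print(created_before_filter(moment, days=-90))
```

Pass timezone-aware datetime objects; astimezone treats a naive value as local time.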

Aliases

Out of the box, Adaxes provides built-in aliases for frequently used Active Directory properties. You can use aliases instead of property LDAP names in value references.

  Alias - Property LDAP name

  • firstname - givenName

  • lastname - sn

  • fullname - cn

  • username - samAccountName or uid

  • datetime - adm-CurrentDateTime

  • initiator - adm-InitiatorUserName

For example, for the value of the cn property, you can use either the %cn% or %fullname% value reference.

Calculated properties

Adaxes defines so-called calculated or virtual properties. These properties are not physically stored in Active Directory, but are calculated or derived in one way or another.

Calculated property Description
adm-AccountExpiresDaysLeft The number of days left before the expiration of the account for which the property is calculated. This property can be used to notify users about their account expiration. For example, you can specify the following pattern in the notification text: Your account expires in %adm-AccountExpiresDaysLeft% days.
adm-CanNotChangePassword Specifies whether a user can change the password for their own account.
adm-CurrentDateTime (alias: datetime) The date and time at the moment, when the property is calculated. For example, this property can be used to set the Account Expires value. If you specify the value reference %datetime,+1M% for the Account Expires property, accounts will expire in one month after the date, when the value is set.
adm-InactivityDuration The number of days during which a user has not logged on to the system or a computer has remained turned off. This property can be used to automate processing of inactive accounts.
The period of inactivity is reliable only if it is more than 7 days.
adm-InitiatorDN The DN of the user, who performed the operation that resulted in the property resolve.
adm-InitiatorGuid The GUID of the user, who performed the operation that resulted in the property resolve.
adm-InitiatorDomainDN The DN of the domain, where the operation initiator is located. For example, if you specify the following value: CN=Users,%adm-InitiatorDomainDN%, the value reference %adm-InitiatorDomainDN% will be replaced with the DN of the domain of the user, who performed the operation that resulted in the property resolve. So, if this user is located in the domain example.com, the resulting value will be CN=Users,DC=example,DC=com.
adm-InitiatorEmail The e-mail of the operation initiator.
adm-InitiatorFirstName The first name of the operation initiator.
adm-InitiatorFullName The full name of the operation initiator.
adm-InitiatorLastName The last name of the operation initiator.
adm-InitiatorManagerDN The DN of the manager of the user who performed the operation resulting in the property resolve.
adm-InitiatorManagerEmail The e-mail of the manager of the operation initiator. This property can be used to send e-mail notifications to the manager of the user, who performs the operation. For this purpose, specify the notification receiver as follows: %adm-InitiatorManagerEmail%.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerFirstName The first name of the manager of the operation initiator.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerFullName The full name of the manager of the operation initiator.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerLastName The last name of the manager of the operation initiator.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerMobile The mobile of the manager of the operation initiator. This property can be used to send SMS messages to the manager of the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorManagerMobile%.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerPhone The phone number of the manager of the operation initiator.
Manager is specified in the 'Manager' property.
adm-InitiatorManagerUserName The logon name of the manager of the operation initiator.
Manager is specified in the 'Manager' property.
adm-InitiatorMobile The mobile of the operation initiator. This property can be used to send SMS messages to the user, who performs the operation. For this purpose, specify the SMS receiver as follows: %adm-InitiatorMobile%.
adm-InitiatorParentDN The DN of the OU/container, where the operation initiator is located.
adm-InitiatorSid The SID of the operation initiator.
adm-InitiatorUserName (alias: initiator) The logon name of the operation initiator. This property can be used to insert information about the user, who initiated the operation. For example, you can specify the following pattern Created by: %initiator% for the Description property via a business rule that is triggered after object creation. In this case, the description of new objects will contain logon names of the users, who created these objects ('Created by: johndoe@company.com').
adm-ManagerCanUpdateMembershipViaNativeTools Specifies whether the manager of a group can add and remove members to and from the group using tools like Outlook and Active Directory Users and Computers.
adm-DomainDN The DN of the Active Directory domain of the object for which the property is calculated.
adm-ParentDN The DN of the OU/container that holds the object for which the property is calculated.
adm-ParentName The name of the parent object in the Active Directory hierarchy. For example, if an object is located in the Organizational Unit named MyOU, the value of the adm-ParentName property will be 'MyOU'.
adm-ManagerEmail The e-mail of user's manager. This property can be used to send e-mail notifications to the manager of a user. For this purpose, specify the notification receiver as follows: %adm-ManagerEmail%.
Manager is specified in the 'Manager' property.
adm-ManagerFirstName The first name of user's manager.
Manager is specified in the 'Manager' property.
adm-ManagerFullName The full name of user's manager.
Manager is specified in the 'Manager' property.
adm-ManagerLastName The last name of user's manager.
Manager is specified in the 'Manager' property.
adm-ManagerUserName The logon name of user's manager.
Manager is specified in the 'Manager' property.
adm-ManagerDisplayName The display name of user's manager.
Manager is specified in the 'Manager' property.
adm-ManagerMobile The mobile of user's manager. This property can be used to send SMS messages to the manager of a user. For this purpose, specify the SMS receiver as follows: %adm-ManagerMobile%.
adm-ManagerPhone The phone number of user's manager.
adm-ManagedByEmail The e-mail of the object owner. This property can be used to send e-mail notifications to the owner of an object e.g. group or computer. For this purpose, specify the notification receiver as follows: %adm-ManagedByEmail%.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByFirstName The first name of the object owner.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByFullName The full name of the object owner.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByLastName The last name of the object owner.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByUserName The logon name of the object owner.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByDisplayName The display name of the object owner.
Owner is specified in the 'ManagedBy' property.
adm-ManagedByMobile The mobile of the object owner. This property can be used to send SMS messages to the owner of an object e.g. group or computer. For this purpose, specify the SMS receiver as follows: %adm-ManagedByMobile%.
adm-ManagedByPhone The phone number of the object owner.
adm-MemberEmail Only available in business rules triggering before/after adding/removing a member from a group.
The e-mail of the group member who is being added or removed. This property can be used to send e-mail notifications to new group members. For this purpose, specify the notification receiver as follows: %adm-MemberEmail%.
adm-MemberFirstName Only available in business rules triggering before/after adding/removing a member from a group. The first name of the group member who is being added or removed.
adm-MemberFullName Only available in business rules triggering before/after adding/removing a member from a group.
The full name of the group member who is being added or removed.
adm-MemberLastName Only available in business rules triggering before/after adding/removing a member from a group.
The last name of the group member who is being added or removed.
adm-MemberUserName Only available in business rules triggering before/after adding/removing a member from a group.
The logon name of the group member who is being added or removed.
adm-MemberDisplayName Only available in business rules triggering before/after adding/removing a member from a group.
The display name of the group member who is being added or removed.
adm-MemberMobile Only available in business rules triggering before/after adding/removing a member from a group.
The mobile of the group member who is being added or removed. This property can be used to send SMS messages to new group members. For this purpose, specify the SMS receiver as follows: %adm-MemberMobile%.
adm-MemberPhone Only available in business rules triggering before/after adding/removing a member from a group.
The phone number of the group member who is being added or removed.
adm-MemberObjectType Only available in business rules triggering before/after adding/removing a member from a group.
The object type of the group member that is being added or removed.
adm-OperationDescription The description of the current operation. For example, using this property, you can include the description of the operation that triggered the business rule into e-mail notifications. For this purpose, you need to insert the %adm-OperationDescription% value reference into the template of an e-mail notification. In this case, e-mail messages will contain the detailed description of the operation that triggered the business rule. For example, the description of the telephone change operation will be as follows: Modify 'John Doe (example.com)': set Telephone Number to '555-555-555'.
adm-PasswordExpires The date and time of the password expiration of the account for which the property is calculated. When this property is calculated, the Default Domain Password Policy and Fine-Grained Password Policy are considered.
adm-PasswordExpiresDaysLeft The number of days left before the expiration of the password of the user, for which the property is calculated. This property can be used to notify users about their password expiration. For example, you can specify the following pattern: Your password expires in %adm-PasswordExpiresDaysLeft% days.
adm-ProtectedFromDeletion Indicates whether an object is protected from accidental deletion.
adm-RandomInteger The property returns a random integer.
adm-RandomString The property returns a random text of 256 characters. For example, this property can be used to set the user logon name to a random value as a part of deprovisioning process. If you specify the value reference %adm-RandomString,20% for the user logon name, it will be replaced with a random text of 20 characters in length.
adm-WebInterfaceUrl The URL of the Web interface specified for the Adaxes service. For example, this property can be used in e-mail notifications to insert links to the Adaxes Web interface. If this property returns zero value, you need to specify the Web interface for the Adaxes service.
adm-OperationError The message text of the first error that occurred during operation execution. The property can be used in business rule actions only. For example, you can use the property to include error message into notifications sent to system administrators when an error occurs. To do so, include the following template into the notification: %adm-OperationError%.