The Manage Domains page contains options to configure accounts, mailing, and generic resources.


The list of all accounts in the domain is present here, along with information on their type and status.

The list can be filtered using the text field above the list, while a new account can be created using the + button.

A click on any account will open a new panel that contains various information and options, including the name and aliases, if present, its status (see below), and creation date. The aliases can be easily managed by clicking the MANAGE ALIAS button: in the dialog window that opens, select a domain and a new alias, then click + to add the alias to the user.

In the panel’s top right corner, buttons allow you to edit or delete the user, and also to redirect to the user’s mailbox.

When editing a user’s account, most of the options are the same as those found in the Create New Account section and are organised in tabs. Options defined in the user’s COS are inherited, but can be modified for any individual user.


The values that have been modified are accompanied by a circular arrow icon. If you hover on that icon, you will see the inherited value, while if you click on it you will restore the COS value.

This tab contains all the options provided during the account creation, plus other options, including:

  • The ability to prevent the user from changing the password


    An Admin can not change the password of a user, only wipe it, so the user is forced to change it on the next login attempt.

  • To remove the user’s password from LDAP

  • The Distribution List memberships

  • To move a user to another domain, which must be defined on the same server, by writing the new one in the Domain Name

  • The ABQ status: Strict, Permissive, Interactive, or Disabled (see ABQ Modes for details)

  • How many OTP devices the user has.

At the bottom, it is possible to see all the user’s open sessions, which can be terminated by selecting one and clicking the END SESSION button on the top right of the list.

Data in this tab represent the user’s phones, company, and address. They can be managed by both the user and the Administrators.

The options listed here allow you to specify forwarding addresses, to prevent e-mail messages from being saved locally, and to enable ActiveSync, if these operations are allowed by the administrator. Values for these options can be set from the CLI: please refer to section Setting Features from CLI for more information.

The preferences in this tab concern how a user sees or interacts with the e-mails (receiving, sending, composing, adding a signature) and are mostly inherited from the COS.


Signatures can not be assigned to Resources.

The options in this tab allow you to manage the account’s security: OTP and policies for passwords and failed logins. New application passwords and OTP tokens can be created to allow the user to log in by using a QR Code; a policy can be set to force the user to select a secure password and to define the type of characters to be chosen. Forgotten password, if enabled, allows a user to temporarily access the webmail by means of a token sent to the recovery address specified in the text field next to the option. The Failed login policy determines how the system behaves when a user fails too many consecutive logins.

In this tab it is possible to define which other accounts or groups have access to the account and which permissions (“Rights”) are granted. The first setting allows you to define whether to save a copy of the sent messages and where: only in the delegated account’s folder or also in the delegate’s folder.

To add delegation Rights to an account, please refer to the dedicated section, Create New Shared Account.

By toggling the Global Administration switch you can promote or demote the user to Global Administrator or vice versa.

At the bottom of the panel, a list of the active sessions appears: for example, if a user has logged in from three different devices and never logged out, three sessions will appear. When selecting one of them, clicking the END SESSION button will close that session.

Account statuses

A user account can be in one of the following statuses.

  1. Active. The account is enabled and ready for everyday operations: the user can log in and send and receive e-mails.

  2. Under Maintenance. This state occurs during maintenance operations on the domain or account: backup, import, export, restore. The user can not login, e-mails are queued on the MTA.

  3. Locked. The account can not be accessed by the user, but incoming e-mails are still delivered. This status can be set, for example, if the user violates the terms of service or if the account has been cracked.

  4. Closed. The user is not allowed to log in, incoming e-mails are rejected.

  5. Pending. This status is usually seen during the account creation, when it is not yet active. User can not log in, incoming e-mails are rejected.

  6. LockOut. This is the only status that can not be set. It is applied automatically when login attempts fail a given number of times. It is a preventive measure to avoid unauthorised access through brute force attacks. The account will not be accessible for a given interval (“lockout period”).


    Both the number of failed attempts and the lockout period can be configured.
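The interaction between the Failed login policy and the LockOut status can be modelled as follows. This is an added example, not Carbonio code: the class, the threshold of 3 failures, the 15-minute period and the sample events are assumptions, and it assumes that attempts made during the lockout period do not extend it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values: the page only says that both are configurable.
MAX_FAILURES = 3
LOCKOUT_PERIOD = timedelta(minutes=15)

@dataclass
class Account:
    status: str = "Active"                  # status set by an administrator
    failures: int = 0                       # consecutive failed logins
    locked_until: Optional[datetime] = None

    def effective_status(self, now):
        """LockOut is derived, never set by hand; it only overlays Active."""
        if self.status == "Active" and self.locked_until and now < self.locked_until:
            return "LockOut"
        return self.status

    def login(self, password_ok, now):
        """Return True if the login is accepted at time `now`."""
        if self.effective_status(now) != "Active":
            return False                    # rejected even with the right password
        if self.locked_until:               # lockout period is over: start afresh
            self.locked_until, self.failures = None, 0
        if password_ok:
            self.failures = 0               # a success resets the consecutive count
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_PERIOD
        return False

def replay(events, account=None):
    """Replay (time, password_ok) events; return (accepted, status) after each."""
    account = account or Account()
    results = []
    for now, ok in events:
        accepted = account.login(ok, now)
        results.append((accepted, account.effective_status(now)))
    return results

# Constructed login attempts for one account (minutes after 09:00).
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [(T0 + timedelta(minutes=m), ok) for m, ok in
          [(0, False), (1, True), (2, False), (3, False), (4, False), (5, True), (20, True)]]
```

Replaying `EVENTS` shows that the success at minute 1 resets the counter, that the correct password at minute 5 is still refused, and that access returns only once the period has elapsed.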

Create New Account

In order to create a new account, click the + button: a dialog window opens and allows you to set up the basic configuration of the new account.

Step 1: Create New Account John Smith

We create the first account for the CEO of ACME Corporation and provide the following data.

  • Name, Middle Name Initials, and Surname will be used to define the user name. We use only Name (John) and Surname (Smith), which result in the JohnSmith username.

    If the name or surname contains non-ASCII characters, an automatic mapping will be enforced: for example, ä, à will become a. When there is no mapping available, the message “Auto fill user is disabled” will be displayed: in this case, the username must be filled in manually. This is the case, for example, for letters using diacritics, cedillas or German’s ß.


    You can change the automatically generated username at will, for example to match company policies.

  • Password is the one used by John for the first login only

  • User will change password on the next login requires John to change the password after the first login (and before accessing his mailbox).

We also explicitly configure the Account Status (see the list of possible values), but do not change the Default COS. Click the CREATE WITH THESE DATA button to create the account.


When assigning a COS to a user, all the values defined in that COS will be inherited by the user. They can be changed later on a per-user basis, when editing the account.

(Optional) Step 2: Send OTP or grant rights to John Smith

Once the account has been created, you can optionally create an OTP code for John Smith, that he can use to quickly access his account.

You can also give the account administrative rights, which you can customise. In this case, the account creation procedure continues and allows you to grant Global Administration Rights (see Section Create New Global Admin) or Delegated rights (see Section Administrative Roles Explained).


Create New Shared Account

In order to create a new Shared Account, first create a new account, then select the account and click the EDIT button. In the DELEGATES tab you can configure who has access to the account and the assigned rights in two ways: a Simplified and an Advanced View. There are small differences between the two views; the most relevant is how the permission is set.


Details on the rights that can be granted can be found in the box.

Simplified View

In the Simplified View, select a user or group, then the permission and click the ADD THE ACCOUNT button to add it as a delegate. The delegated accounts will appear at the bottom of the tab.

Advanced View

In the Advanced View, click ADD NEW +, then select an existing user or group (Distribution List). Proceed to the next tab (SET RIGHTS) and select the right to be assigned to the user or group from the drop-down menu.


The user who delegates and the user who is delegated can not be the same account; in other words, it is not possible to add as a delegate the same account that is delegating.

Available Delegate’s Rights

The Rights that can be granted to a user are basically to read, write, and send emails, and to access e-mails folders. Rights can be granted when editing an account, in the dedicated Delegates tab. Rights can be granted using a Simplified or an Advanced method.

The Simplified method permissions are granted using checkboxes:

  • read, access with no permission to change

  • read/write, full read and write permission

  • send, the recipient will see as sender the selected user

  • send on behalf, similar to the previous: the recipient will see the sender’s e-mail preceded by the string On behalf of

In the Advanced method, rights are given in a slightly different way and can be defined in a more granular way. In the SET RIGHTS step it is possible to grant the following rights: Send Mails only, Read Mails only, Send and Read Mails, Manage, and Send, Read, and Manage Mails (all of the above). Depending on the choice, the bottom part will show additional options, according to the following table.


| Right | Additional options |
|---|---|
| Send Mails only | Send, Send on Behalf of |
| Read Mails only | folders to share |
| Send and Read Mails | Send, Send on Behalf of; folders to share |
| Manage | Folders to share |
| Send, Read, and Manage Mails | Send, Send on Behalf of; folders to share |

Create New Global Admin

To create a new Admin, create the account, as explained in the previous section, and in Step 2 enable the option Add administration rights.

We give this account the acme_admin name.

Then, from the account list, select the new account, then click the pencil icon to edit it.


Fig. 5 Create a new Global Admin.

To make acme_admin a Global Admin, go to the Administration tab and click the switch labelled Global administration, then save. The acme_admin user is now able to access the Carbonio Admin Panel.

Delegated Domain Admins

This page shows all the accounts with some administration rights on the domain. To enable delegations on the domain, click the INIT DOMAIN button.

Distribution List

Distribution lists can be simply created by clicking the + button to open a tabbed modal dialog in which to configure it.

In the first tab you can give a name, an address, and a description to the distribution list; if you want a dynamic mode, that automatically populates the list’s members, refer to section Dynamic Mode.

In the second tab, add Members by writing the e-mail addresses in the text field.


E-mail addresses are auto-completed while typing.

In the third tab, advanced settings can be configured, including the option to notify new members that they have been added to the list and the presence of the distribution list in the GAL. Owners can be added to the list: they will see the lists of which they are owners in a dedicated menu item, where they can edit some details and the members (see Section Distribution lists).

The last tab recaps the settings: now you can either go back to any of the previous tabs and change some of the settings, or proceed to create the distribution list.

Once a distribution list has been created, it can be further configured by adding aliases, which work like e-mail accounts, changing the description, notes, and members, and granting selected users the permission to send e-mails to the distribution list or making them Owners.

Dynamic Mode

Distribution list’s Dynamic Mode allows the automatic management of members. Indeed, each Dynamic Distribution List is identified by a name and by a unique Distribution List URL, which is an LDAP query that automatically populates the members of the Distribution List.

To create a Dynamic Distribution List, the procedure is similar to that for normal Distribution Lists: click the + button and provide a Displayed Name and a list Name, then click the Dynamic Mode switch to access more options, including the Distribution List URL, which is mandatory. You can also make the list Hidden from GAL and add owners to the list, who can manage the configuration of the list.

Advanced options, like subscription and unsubscription options, are available after the creation of the Dynamic Distribution List, when editing it.
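Because the Distribution List URL decides who receives the list's mail, it is worth previewing which entries a filter selects before saving it. The following is an added example, not Carbonio code: it assumes the URL uses the standard LDAP URL form of RFC 4516 (`ldap:///base?attributes?scope?filter`), handles only equality, presence and `&`/`|`/`!` filters, and the directory entries and the `accountStatus` attribute name are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

def parse_filter(f, i=0):
    """Parse one LDAP filter starting at f[i]; return (predicate, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    op = f[i + 1]
    if op in ("&", "|", "!"):
        subs, i = [], i + 2
        while f[i] == "(":
            pred, i = parse_filter(f, i)
            subs.append(pred)
        if f[i] != ")" or not subs:
            raise ValueError("malformed composite filter")
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i + 1
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i + 1
        return (lambda e: not subs[0](e)), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    attr, value = attr.lower(), value.lower()
    if value == "*":  # presence test
        return (lambda e: bool(e.get(attr))), end + 1
    return (lambda e: value in (v.lower() for v in e.get(attr, []))), end + 1

def preview_members(url, directory):
    """Addresses of the entries selected by the filter part of an LDAP URL."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an LDAP URL")
    fields = parts.query.split("?")  # attributes ? scope ? filter
    flt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    pred, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return sorted(e["mail"][0] for e in directory if pred(e))

# Constructed directory entries (attribute names lower-cased, values are lists).
DIRECTORY = [
    {"mail": ["alice@acme.example"], "objectclass": ["inetOrgPerson"], "ou": ["Sales"], "accountstatus": ["active"]},
    {"mail": ["bob@acme.example"], "objectclass": ["inetOrgPerson"], "ou": ["Sales"], "accountstatus": ["closed"]},
    {"mail": ["carol@acme.example"], "objectclass": ["inetOrgPerson"], "ou": ["Engineering"], "accountstatus": ["active"]},
    {"mail": ["room1@acme.example"], "objectclass": ["device"], "ou": ["Sales"]},
]
BROAD = "ldap:///??sub?(&(ou=Sales)(!(accountStatus=closed)))"
TIGHT = "ldap:///??sub?(&(objectClass=inetOrgPerson)(ou=Sales)(accountStatus=active))"
```

With the `BROAD` filter the meeting-room entry becomes a list member because it has no status attribute to exclude it; the `TIGHT` filter selects only the active Sales user.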


A Resource is a generic object that can be assigned an e-mail address, but, unlike regular accounts, it does not need any signature, so you can not specify one. A typical example of a Resource is a meeting room: to reserve the room, send an e-mail to the room’s e-mail address.

A policy can be assigned to a Resource, to determine how to react to a booking request: either manual or automatic acceptance or rejection.

Additional e-mail addresses can be added to the resource, for example to notify the company’s facility manager which meeting rooms are reserved and which are free.


This page gives information about all accounts connected using the ActiveSync protocol. For each connected device, some information is shown, including its unique Device ID and the time when it last connected. Clicking any of the connections will show additional information, including client data and the device’s ABQ status (see ABQ - Allow/Block/Quarantine device control).

The following actions can be carried out: WIPE DEVICE (bring the connected device back to factory settings), RESET DEVICE (log out the device from the account), and SUSPEND the connection.

Restore Account

The Restore Account procedure allows you to restore the contents and preferences of a mailbox in the exact state it was in when it was deleted.

When a Restore Account starts, a new account is created (the Destination Account), and all the items existing in the source account at the moment of the deletion are recreated in the destination account, including the folder structure and all the user’s data. All restored items will be created in the current primary store unless the Apply HSM Policy after the restore box is checked.


When restoring data on a new account, shared items consistency is not preserved. This is because the original share rules refer to the original account’s UUID, not to the Destination Account, which has a completely different UUID.

To start the procedure, type an e-mail address in the text-field or select an account from the list.

Then, click on the CONFIG tab and select the options to apply for the Restore:

  • To which date and time to restore the account

  • On which domain the account should be restored

  • Whether to use the last available status of the account

  • If External Data Sources should be restored

  • An e-mail address to which to send a notification of the successful restore.


    This could be the alternate e-mail of the user whose account is being restored.