Cloud Services Thread, Google Apps GADS sync and exclusions in Technical
  1. #1

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52

    Google Apps GADS sync and exclusions

    We have an OU similar to this

    ou=toplevel
    --ou=networkusers
    -----ou=staffusers
    ----------ou=staffleavers

    In staff users there are OUs according to department, e.g. senior teaching etc.

    There is also an OU called staff leavers, which we move staff into when they leave (sometimes they come back). I should fix this by proposing they are perm deleted really.

    I set this OU as an Org Unit exclusion rule, except the users still get imported and the group isn't created in the dashboard - only the users still get imported into the root OU.

    I guess this is by design, or a limitation of the tool.

    I can fix this by removal of the email field in the user properties in the AD.

    Or I could just move the OU out of the scope of the Base DN I'm using.

    Or I could sit and add all the OUs in User Account search rules on the GADS utility - quite a lot to do but perfectly possible.

    How is everyone else doing it? Are you finding you need to modify your OU for GAPPS?

  2. #2
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,497
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    We don't keep leavers on the system. Files are either moved to departmental areas or other colleagues, or get deleted. A bit brutal, perhaps, but SLT approved it. This also solves the problem of leavers continuing to appear in the global address list.

  3. #3

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52
    I agree with doing that too; I'll make the proposal. I think to save time I'll move them into another OU outside of the Base DN.
    Other issue is test accounts etc., plus I have an Exams OU for exam accounts and some other random ones that I don't want in gapps.
    Last edited by caffrey; 27th February 2013 at 02:04 PM.

  4. #4

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52
    Actually I've managed to figure it out so ignore me, just create a search rule under user accounts with "suspend these users in google apps" and Base DN as the OU you don't want.
    Last edited by caffrey; 27th February 2013 at 02:19 PM.

  5. #5
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,497
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Careful with that - I believe that suspended users are deleted after 30 days.

    As for your exam accounts, you have several options - 1) delete their email addresses from Active Directory (Bulk AD Users from WiseSoft can assist you with that if you have lots); 2) create an exclusion rule in the Org Units section of GADS to omit either OU; 3) move the exams accounts OU to one which is not a sub-OU of the Pupils OU

    I also have a couple of test accounts which have caused confusion when they appeared in the global list, so either change their name so that it is very obvious they are test accounts or manually hide them from the address list (go into the user in Dashboard and untick "share contact information" or something like that).

  6. Thanks to enjay from:

    caffrey (27th February 2013)
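
The exclusion options discussed above (remove the mail attribute, or move the OU outside the Base DN) can be checked before a sync by listing which unwanted accounts a sub-tree search would still reach. This is an added example, not part of the thread and not GADS's own logic; the entries are constructed, and the DC components, account names and function names are assumptions.

```python
import re

# Constructed sample entries (DN, mail attribute or None). The OU names follow the
# thread's layout; DC=example,DC=org and the account names are assumptions.
ROOT = "OU=toplevel,DC=example,DC=org"
BASE_DN = "OU=networkusers," + ROOT
STAFF = "OU=staffusers," + BASE_DN
LEAVERS = "OU=staffleavers," + STAFF
EXAMS = "OU=exams," + ROOT          # sits outside BASE_DN in this sample
ENTRIES = [
    ("CN=A Teacher,OU=senior teaching," + STAFF, "a.teacher@example.org"),
    ("CN=Old Staff," + LEAVERS, "old.staff@example.org"),
    ("CN=Smith\\, Jo," + LEAVERS, "jo.smith@example.org"),    # escaped comma in the CN
    ("CN=No Mail," + LEAVERS.lower(), None),                   # mail attribute removed
    ("CN=Sibling,OU=notstaffleavers," + STAFF, "s@example.org"),  # similar OU name
    ("CN=Exam 01," + EXAMS, "exam01@example.org"),
]

def rdns(dn):
    """Split a DN into lower-cased RDNs, leaving backslash-escaped commas alone."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    """True if dn lies in the subtree of base, compared RDN by RDN (not by substring)."""
    d, b = rdns(dn), rdns(base)
    return len(d) > len(b) and d[-len(b):] == b

def still_in_scope(entries, base_dn, unwanted_ous):
    """DNs under an unwanted OU that a sub-tree search from base_dn would still
    reach and that still carry a mail attribute."""
    return [dn for dn, mail in entries
            if mail and is_under(dn, base_dn)
            and any(is_under(dn, ou) for ou in unwanted_ous)]

if __name__ == "__main__":
    for dn in still_in_scope(ENTRIES, BASE_DN, [LEAVERS, EXAMS]):
        print("would still be picked up:", dn)
```

Run against a real export of DNs and mail attributes, an empty result means the unwanted OUs are either outside the Base DN or hold no accounts with an email address.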

  7. #6

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52
    Thanks enjay for all the help,
    The suspended account thing is fine here; next thing to wrap my head around is getting our mail distribution lists sorted.

  8. #7
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,497
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Distribution lists are also fairly straightforward, as you can use your existing AD groups. In Active Directory Users & Computers, open your "All Staff" group, and give it the email address allstaff@schoolname.co.uk; repeat for all the other distribution lists you need, creating AD groups for them where one doesn't already exist, and GADS will create Groups for you.

    It does take some time to get GADS up and running, I won't lie, but once it is done, you can schedule it and then walk away.

    I hardly ever go into the Google Apps Dashboard now - I do everything in AD and let GADS sync it across. GADS creates users, groups, membership, passwords for new users; Password Sync then synchronises password changes.

    I actually have GADS and PS handling passwords, as it allows me to change a user's password so I can log in to their email and then have GADS change it back without them knowing I was ever in it - useful when configuring things for staff members, checking mail of an absent staff member and also cyber-bullying issues.

  9. #8

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52
    Time is something I seem to lack lately.
    I started playing with Distribution lists using existing ones in our OU; problem is our mail distribution groups (we have quite a few) are mostly populated from a security group OU, so I had a problem with the base DN. Only had a quick look but I'll play around with it some more. To be honest I'm sure the OU mail distribution lists could do with an overhaul.
    I eventually want to end up with a system like yourself with minimal admin needed on the dashboard, the sync schedule can easily just be weekly as users rarely change.
    Thanks again.

  10. #9
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,497
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    I can email you our XML config file if that would help...

    Our mailing lists are populated from "Security Groups" too, so that can't be an issue.

    I agree re weekly or even monthly sync once it is running, and then run it manually should you need to change something quicker, but decided to keep it daily because a) I could then forget about it, rather than have to remember to run it if I made an important change to email groups, b) for the password syncing allowing me to access users' mailboxes if I need.

  11. Thanks to enjay from:

    caffrey (28th February 2013)

  12. #10

    Join Date
    May 2010
    Posts
    1,176
    Thank Post
    113
    Thanked 104 Times in 79 Posts
    Rep Power
    52
    No, it's fine, thanks for the offer of your XML file; haven't had a chance to look at it today, avahi is taking up my time!

    Problem with the OUs is they are in the root
    so :-
    Mail distribution OU, which are populated from
    Security OU

    Like I said, not had much time today - think I'll leave it for tomorrow!

    cheers for the help

  13. #11
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,497
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Don't think it matters where your mail distribution groups are, so long as you specify the OU. On the Groups page of the Config Manager, create a search rule as follows:

    Scope: sub-tree
    Rule: (objectclass=group)
    Base DN: CN=blah,DC=blah,DC=blah

    Group email address attribute: mail
    Group display name attribute: name

    Member reference attribute: member


