Syncing staff accounts (GADS)


James Rawlyk

Mar 1, 2012, 10:40:48 AM
to Northcentral Apps Users
Hi - I'm hoping someone has been down this road and can offer advice.
I apologize in advance for the lengthy post in order to explain things.

We are syncing our students' accounts with AD using GADS and all is
working well. We took out a new domain that is different than the
domain used by our staff. Staff accounts still use Exchange for
e-mail under our existing domain. At the backend of our infrastructure,
we use ILM to synchronize data from our student information system to
AD and from our HRIS to AD. Staff and Students are in two different
OUs in our AD structure. The 'mail' attribute is populated
accordingly and the students receive the new domain name and staff
receive Exchange accounts using the existing domain. When the
decision was made to migrate students to Google Apps, staff was not
supposed to be involved (famous last words....)

That brings us to now. Staff have decided that they want in on
Google Apps so I've been manually setting up accounts but then I have
to enter an exclusion in GADS so they don't get removed when syncing
occurs. Ideally, I would like to have the staff accounts synchronized
but since they will still have Exchange accounts that use the 'mail'
attribute, I've come up with a solution and want to see if this
sounds reasonable.

1. Have the powers that be in our organization change ILM so that it
populates the 'otherMailbox' attribute in AD for new staff and
students.
2. Run a script to remove the 'mail' attribute addresses for students
and populate the 'otherMailbox' attribute.
3. Run a script to copy staff's e-mail prefix and append it to the
new domain used for Google Apps and then populate the 'otherMailbox'
attribute for staff.
4. Redo my GADS xml file to sync based on the 'otherMailbox'
attribute for all staff and students.

If this sounds correct, what will happen to existing student accounts
since I will be using a new attribute or will the system recognize
that it's the same account? I'd appreciate any thoughts on this and
again, I apologize for the rather lengthy post. Also, since this is
my first post, please let me know if this goes beyond the intended
scope of this forum.

Thank you,

James Rawlyk
Duluth Public Schools

James Rawlyk

Mar 6, 2012, 9:32:02 AM
to Northcentral Apps Users
Not trying to bump my own post but either no one has experience with
this issue or the depth of the answer goes beyond the time that any
reasonable person would want to spend for something that is not their
own. Having said that, does anyone have suggestions on consultants
who have specific experience with GADS and could help solve this
problem? Likewise, are there any products that anyone is using
instead of GADS to do all of their account synchronization?

James

Jordan Pedraza

Mar 6, 2012, 11:14:33 AM
to James Rawlyk, Northcentral Apps Users, northa...@appsusersgroup.com
+North America for broader reach

James - you can post to the North America mailing list to reach more folks. 

Thanks,
Jordan

Jordan Pedraza | Apps EDU Community Manager | +jordanpedraza 






James Rawlyk

Mar 7, 2012, 9:21:42 AM
to Northcentral Apps Users
Thank you for the many replies yesterday! William, I appreciate your
very detailed explanation and Tony, I'm going to keep your contact
information close by. It's good to know that folks like you are out
there!

After I posted here yesterday, I basically told everyone in my office
that I would be unavailable and hung the "do not disturb" sign, closed
out my e-mail and shut off my phone. I actually got in about 6 hours
of relatively uninterrupted work which is exactly what I needed. I
thought I would give a detailed explanation here in case someone has
this problem in the future.

I had a breakthrough of sorts in the fact that I found out that I had
been making a dumb mistake all along with regards to exclusions.
First off, I created a separate xml file for only syncing staff that
uses the 'otherMailbox' attribute for syncing. Then in GADS, under
the Google Apps --> Exclusion Rules, I clicked on Add Rule and chose
the 'Organization Complete Path' option but I was incorrectly entering
'domain/students' for my filter when all I needed to do was enter
'students' and so now I can completely exclude students from my staff
sync and staff in my student sync by only entering 'staff'. The
instructions are not entirely clear for using this exclusion so I was
entering the complete path like the title states (sometimes I get
things stuck in my head wrong...) and this was indeed wrong. You only
need the suborganization name and to give credit where credit is due,
the picture on this post made things click for me
(http://blog.interlockit.com/2011/04/google-apps-directory-sync-tips.html).
This was a major hurdle.

The next hurdle for our staff sync was to populate the otherMailbox
attribute in Active Directory so that GADS could sync based on this
attribute. We keep all of our staff in one OU in AD so I ended up
writing a PowerShell script that creates the appropriate address
(firstname.lastname@domain) in the otherMailbox attribute since they
are still going to be using the email attribute for their Exchange
accounts. Here is the PowerShell script:

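# Requires the Quest ActiveRoles AD snap-in, which provides Get-QADUser / Set-QADUser.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# For every staff user in the OU that already has an e-mail address, set
# otherMailbox to firstname.lastname@domain (the attribute GADS syncs on).
Get-QADUser -SearchRoot "OU=Users,OU=organization,DC=domain,DC=domain" -SizeLimit 0 |
    Where-Object { $_.Email -ne $null } |
    ForEach-Object {
        Set-QADUser $_ -ObjectAttribute @{ otherMailbox = ($_.FirstName + '.' + $_.LastName) + "@domain" }
    }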

Again, I appreciate the replies I received. I think I'm in a good
position now! Unfortunately the cart got put way before the horse in
our organization with regards to the staff rollout of Google Apps but
I'm narrowing the gap and the cart is getting closer to where it
should be! If I run across any other issues, I will be sure to post
them for others.

Thanks - James
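
A pre-flight check for the otherMailbox population step described in the post above, added here as an example and not part of the original thread: it builds the same firstname.lastname address the posted script writes, but only reports rows that would give GADS a duplicate, empty-name, or malformed address instead of changing the directory. The function name `Get-OtherMailboxPlan`, the domain `apps.example.org`, the sample records, and the allowed-character set are assumptions made for illustration.

```powershell
# Constructed sample records standing in for Get-QADUser output; not real accounts.
$staff = @(
    [pscustomobject]@{ SamAccountName='jsmith';   FirstName='John'; LastName='Smith';    Email='jsmith@example.org' }
    [pscustomobject]@{ SamAccountName='jsmith2';  FirstName='John'; LastName='Smith';    Email='jsmith2@example.org' }
    [pscustomobject]@{ SamAccountName='mvandyke'; FirstName='Mary'; LastName='Van Dyke'; Email='mvandyke@example.org' }
    [pscustomobject]@{ SamAccountName='frontdsk'; FirstName=$null;  LastName='Office';   Email='frontdesk@example.org' }
    [pscustomobject]@{ SamAccountName='svc-scan'; FirstName='Scan'; LastName='Service';  Email=$null }
)

# Hypothetical helper: builds the address the posted script would write and
# labels each row instead of touching the directory.
function Get-OtherMailboxPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $Domain
    )
    $plan = foreach ($u in $Users) {
        if (-not $u.Email) { continue }          # same filter as the posted script
        $prefix = $u.FirstName + '.' + $u.LastName
        $status = 'ok'
        if ([string]::IsNullOrWhiteSpace($u.FirstName) -or
            [string]::IsNullOrWhiteSpace($u.LastName)) {
            $status = 'missing-name'
        }
        elseif ($prefix -notmatch '^[a-z0-9._''-]+$') {
            # Assumed allowed set: letters, digits, period, underscore, apostrophe, dash
            $status = 'invalid-chars'
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Address        = '{0}@{1}' -f $prefix, $Domain
            Status         = $status
        }
    }
    # Group-Object compares case-insensitively, matching how mail addresses are treated
    $plan | Group-Object -Property Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($row in $_.Group) { if ($row.Status -eq 'ok') { $row.Status = 'collision' } }
    }
    $plan
}

# Show only the rows that need attention before a sync is run
Get-OtherMailboxPlan -Users $staff -Domain 'apps.example.org' |
    Where-Object { $_.Status -ne 'ok' } |
    Format-Table -AutoSize
```

Two AD users that resolve to the same address would be presented to the sync as one mailbox identity, so collisions are worth resolving by hand before otherMailbox is written.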