Give members of a specific ou admin role of a different ou

[Bryan Guidroz]

I'm looking to allow all teachers at a specific school to reset the passwords of all students at their school.

So, teachers are in an OU /School Staff/School 123

Students are in an OU /Students/School 123

Every night, the membership of the /School Staff/School 123 OU is updated.

Now, I'd like to give these teachers permission to reset their students' passwords.

I've got a User Created Role set up as I need it.  It's called School Admin.

So, nightly, I'd like to give all members of /School Staff/School 123 the School Admin role to OU /Students/School 123

Any suggestions on how to achieve this?

It's important that I keep them in sync... meaning the School Admin role is added AND REMOVED for users as the /School Staff/School 123 OU is updated.

[Bryan Guidroz]

Any suggestions on this?

[Kevin Melillo]

Quick comment:  It would be easier to arrange it as /School 123/Teachers   and then /School 123/Students

Or even simpler

/School 123

/School 123/Students

You could then assign admin permissions on an OU level.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3924b5d3-3830-4d7b-9fc1-31565f996abd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Kevin Melillo

Electronic Communications Analyst

Information Technology

445 Hoes Lane

Piscataway, NJ 08854

Phone:732-465-6609 | Mobile: 732-609-4331

E-mail: k.me...@ieee.org

[+KimNilsson]

$ gam print adminroles

This will list the available admin roles.

$ gam create admin user adminrole org_unit OU

This will set the specified admin role to the specified user in the specified OU.

So to make it automatic you need to list the users in the specific OU and push them through the admin role command.

The gam csv command is made for receiving that.

[Ross Scroggs]

Bryan,

Here is a template, test very carefully.

Get all current staff members with Student Admin role covering the specific students OU and delete them

Get everyone with Student Admin role

gam print admins role "Student Admin" > Roles.csv

Now, get only those admins covering the specific students OU

echo "roleAssignmentId" > Deletes.csv

grep "/Students/School 123" Roles.csv >> Deletes.csv

(PowerShell equivalent: sls "/Students/School 123" .\Roles.csv -ca | select -exp line >> .\Deletes.csv)

gam csv Deletes.csv gam delete admin "~roleAssignmentId"

Update OU membership however you do it now

Add School Admin to updated OU

gam print users query "orgUnitPath='/School Staff/School 123'" > Adds.csv

gam csv Adds.csv gam create admin "~primaryEmail" "School Admin" org_unit "/Students/School 123"

Ross

--

You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/29541959-8474-4d22-a808-319fc830701c%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Ross Scroggs

ross.s...@gmail.com

[Bryan Guidroz]

Yes, that would be simpler and is on my list to clean some of this up.

That still wouldn't really solve my problem.

I'd still need to be able to keep the members of the School Admin role in sync with the members of theOU.

It's gonna take some playing with grep to get it to do what I want.

Thanks

On Tuesday, January 24, 2017 at 9:46:06 AM UTC-6, k.melillo wrote:

Quick comment:  It would be easier to arrange it as /School 123/Teachers   and then /School 123/Students

Or even simpler

/School 123

/School 123/Students

You could then assign admin permissions on an OU level.

On Tue, Jan 24, 2017 at 10:38 AM, Bryan Guidroz <bryang...@tpsdonline.org> wrote:

Any suggestions on this?

On Saturday, November 19, 2016 at 3:34:49 PM UTC-6, Bryan Guidroz wrote:

I'm looking to allow all teachers at a specific school to reset the passwords of all students at their school.

So, teachers are in an OU /School Staff/School 123

Students are in an OU /Students/School 123

Every night, the membership of the /School Staff/School 123 OU is updated.

Now, I'd like to give these teachers permission to reset their students' passwords.

I've got a User Created Role set up as I need it.  It's called School Admin.

So, nightly, I'd like to give all members of /School Staff/School 123 the School Admin role to OU /Students/School 123

Any suggestions on how to achieve this?

It's important that I keep them in sync... meaning the School Admin role is added AND REMOVED for users as the /School Staff/School 123 OU is updated.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/3924b5d3-3830-4d7b-9fc1-31565f996abd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Bryan Guidroz]

Thanks Ross.  I think that's exactly what I'm looking for.

On Saturday, November 19, 2016 at 3:34:49 PM UTC-6, Bryan Guidroz wrote: