Google Apps account provisioning

Patrick Dunford

Mar 17, 2015, 6:23:30 AM
to techies-f...@googlegroups.com
Here is a simple PowerShell script to provision accounts in Google Apps from Active Directory.
The gShell module is available for download at https://github.com/squid808/gShell
 
The functions of the script are to, firstly, ensure the email address is saved in Active Directory (required to make Google Apps Password Sync work) and then use that email address to provision an account in Google Apps. The script automatically ignores AD accounts that are disabled.
 
The email address is generated from the User Principal Name field or if this is empty then the SamAccountName field in AD. A simple status message is written to the console in relation to each student account found in AD that is being provisioned to Google Apps.
 
-------------
 
import-module ActiveDirectory
import-module gShell
 
#Retrieve all students from Active Directory
$ADStudents = Get-ADUser -Filter * -SearchBase "ou=Students,DC=a,DC=school" -SearchScope Subtree -Properties EmailAddress
foreach ($S in $ADStudents)
{
    # Check account is enabled
    if ($S.Enabled -eq $false)
    {
        continue
    }
 
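    #Check for and if necessary set email address in AD for GAPS
    $UPNPre = $null
    $UPN = $S.UserPrincipalName
    # Only take the prefix when a UPN is present and contains "@";
    # calling SubString on an empty UPN would throw
    if ($UPN -and $UPN.IndexOf("@") -gt 0)
    {
        $UPNPre = $UPN.SubString(0,$UPN.IndexOf("@"))
    }
    $Logon = $S.SAMAccountName
    If ($UPNPre -ne $null)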
    {
        $NewEmail = $UPNPre + "@a.school.nz"
    }
    else
    {
        $NewEmail = $Logon + "@a.school.nz"
    }
    $Email = $S.EmailAddress  
    if ($Email -eq $null)
    {
        $Email = $NewEmail
        Set-ADUser -Identity $Logon -EmailAddress $Email
    }
 
    #Look up in Google Apps
    Write-Host ("Looking up Google Apps for " + $Email + "...") -NoNewline
    $User = $null
    try
    {
        $User = Get-GAUser -UserName $Email -ErrorAction Stop
    }
    catch
    {
        # Lookup failed: treated as "account does not exist", so it is created below
    }
    if ($User -eq $null)
    {
        #Add if not there
        New-GAUser -UserName $Email -GivenName $S.GivenName -FamilyName $S.Surname -PasswordLength 8 -IncludeInDirectory $true `
        -OrgUnitPath "/Students" -ChangePasswordAtNextLogin $false
        Write-Host ("Added " + $Email + " to Google Apps")
    }
    else
    {
        Write-Host ""
    }
}
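
A dry run of the address derivation described in the post above, as an added example that is not part of the original post or of gShell: it makes no AD or Google calls, takes user objects as input, and flags AD accounts that would resolve to the same address. The function names Get-ProvisioningPlan and Get-AddressCollision and the sample accounts are hypothetical.

```powershell
# Added example: plans the email addresses without touching AD or Google Apps.
# Get-ProvisioningPlan and Get-AddressCollision are hypothetical helper names.
function Get-ProvisioningPlan {
    param([object[]] $Users, [string] $Domain = 'a.school.nz')
    foreach ($U in $Users) {
        if (-not $U.Enabled) { continue }      # disabled accounts are ignored

        # UPN prefix when the UPN is present and contains "@", else SamAccountName
        $Prefix = $U.SamAccountName
        $UPN = [string]$U.UserPrincipalName
        if ($UPN.IndexOf('@') -gt 0) { $Prefix = $UPN.Substring(0, $UPN.IndexOf('@')) }

        # An address already stored in AD is kept; otherwise the derived one is used
        $HasEmail = -not [string]::IsNullOrEmpty($U.EmailAddress)
        $Email = if ($HasEmail) { $U.EmailAddress } else { $Prefix + '@' + $Domain }

        [pscustomobject]@{
            SamAccountName = $U.SamAccountName
            Email          = $Email
            WouldSetInAD   = -not $HasEmail
        }
    }
}

function Get-AddressCollision {
    param([object[]] $Plan)
    # Two AD accounts with one address would end up sharing a Google account.
    # Group-Object compares strings case-insensitively by default.
    $Plan | Group-Object -Property Email | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Email    = $_.Name
                Accounts = @($_.Group | ForEach-Object { $_.SamAccountName })
            }
        }
}

# Constructed sample accounts (not real data)
$Sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';     UserPrincipalName = 'john.smith@a.school'; EmailAddress = $null; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'john.smith'; UserPrincipalName = $null;                 EmailAddress = $null; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'akaur';      UserPrincipalName = 'akaur@a.school';      EmailAddress = 'akaur@a.school.nz'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'leaver1';    UserPrincipalName = 'leaver1@a.school';    EmailAddress = $null; Enabled = $false }
)

$Plan = @(Get-ProvisioningPlan -Users $Sample)
$Plan | Format-Table -AutoSize
Get-AddressCollision -Plan $Plan | Format-Table -AutoSize
```

Against a live directory, the Get-ADUser result from the script above can be passed as -Users, since it carries the same four properties.
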

Ict Technician

Mar 29, 2015, 6:26:51 PM
to techies-f...@googlegroups.com
Thank you for this.

What are the advantages of this script over the GADS software provided by Google?

Patrick Dunford

Mar 29, 2015, 7:47:40 PM
to techies-f...@googlegroups.com
My view was GADS is complex to configure and has a preset limited list of options.
An example is it suspends the accounts it can't match up at the local level.
My equivalent deprovision script simply moves the accounts to a different organisation in Google.

It is intended to illustrate that scripting provisioning is quite viable and easy to do with a lot more power than the tools provided by Google.


Craig Knights

Mar 29, 2015, 8:06:30 PM
to techies-f...@googlegroups.com
I've been using Dito GAM for managing Google accounts.

It's a command line interface.

It's not pretty but it does the job. I just make up the commands in Excel from a csv of the students and paste the list of commands into the cmd window.

ta
Craig

Patrick Dunford

Mar 29, 2015, 8:15:30 PM
to techies-f...@googlegroups.com
Yes, I have used it too. However, the PowerShell extensions have advantages in being a lot easier to get going on our server, plus being integrated into PowerShell has made it easier to deal with error handling etc.

The current version of gShell is not as fully featured (yet) as GAM but is working towards it.

Simon - OBHS

Apr 23, 2015, 9:45:15 PM
to techies-f...@googlegroups.com
GADS can be intimidating at first glance, but really it's straightforward and works very well.

You can easily add exceptions for accounts to stop GADS from suspending them if they don't exist locally.
As for deprovisioning, in the case of a student I just move them to a leavers OU in AD and GADS then moves them to the corresponding organisation in Google.
You can map local OUs to Google organisations, manage groups. It's actually very powerful.