Working with Classrooms where Staff and Classes are in Different Domain to Students

[Robin Wilson]

Hello

I have been trying to integrate Classrooms using the GAM tool and this went well with a test domain and has also worked well for classes and teachers on the live domain.

However students are on a different domain so any attempts to add them to the existing classes results in a not found error or if we reverse it and add the classes to the student domain with a teacher email it says the caller does not have permission.

Research I have done seems to suggest the Google API (upon which GAM is built) does not support this but it was a bit inconclusive.

Please can someone confirm if this is possible. We have thousands of students and don't want to have to make them all enrol to the groups manually.

So I can use GAM to create classes in the COLLEGE.ac.uk domain and attach existing teachers to these classes as their accounts also reside on COLLEGE.ac.uk.

However the student accounts are in STUDENTS.COLLEGE.ac.uk so any attempt to add them to the classes using GAM in the STUDENTS.COLLEGE.ac.uk domain reports that the classes don't exist (as presumably it is only searching for classes in STUDENTS.COLLEGE.ac.uk and not COLLEGE.ac.uk). If I instead run the GAM script against the COLLEGE.ac.uk domain then it just says that the caller does not have permission (presumably due to the email address I am trying to add being @students.college.ac.uk)

We have whitelisted the domains and waited over 24 hours but still cannot get this to work.

At the moment the student domain is a totally separate GSuite account. Would it help if it was made into a sub-domain of the other one and if so is this even possible to do?

I believe most colleges have their student accounts on a separate domain/sub-domain so how do others get around this?

I have already spoken to GSuite support but they were unable to help.

Thanks

Robin

[+KimNilsson]

Hi, Robin!

This may sound completely wrong, but I first have to make one thing clear. I am guessing, but I'm fairly sure I'm right.

You keep saying that your staff and students are on different domains, but the issue you are describing must be because they are actually on different G Suite Accounts.

Now, don't freak out, because this is just how Google defines things.

A domain is only what the user account looks like. You mention your users have different email addresses (domains).

That means you have staff.user @college.ac.uk and student.user @students.college.ac.uk. (The space is only to avoid masking the addresses in this forum.)

But, I think your users are actually in completely different G Suite Accounts, meaning you, as the superadmin, have to log into two completely different places to access staff and students?`

Because, if your staff and students were in different domains but within the same G Suite Account, then this shouldn't be a problem, since all users would be in the same place!

And as such the APIs can rarely help you, since you aren't ever allowed to act on users which aren't part of the same G Suite Account.

You should've added students.college.ac.uk as a secondary domain on the G Suite Account where you have your staff domain, college.ac.uk.

This also means that there would be no domain to "whitelist", since they would be in the same account, and manageable by the same admin.

Now, you have two options, both equally good, but one requires a massive amount of work for everyone, while the other requires no work at all, on your part, and basically no effort for anyone else.

1. Rename the current students-account domain so you can re-use the @students.college.ac.uk, and add it as a proper secondary domain to the college.ac.uk account. Yes, this requires reprovisioning all students inside the proper G Suite account, and migrating all necessary data from the old soon-to-be-dead accounts. Alternatively, create a new secondary domain called @edu.college.ac.uk, so you don't have to touch the old account, and do the provisioning of your students to @edu instead. They will still have to migrate their data, but there's no rush.

2. Let your students join all their Classrooms themselves. It requires zero effort on their part, and takes less than 30 seconds for each student per Classroom, and is done the first time they are present in their physical classroom, and see their teacher has written the join code on the whiteboard. Or have the teachers email the code to their students. Minimal effort on their part.

[+KimNilsson]

lol, and now I see that those were the last words of your post! :-)

Yes, that's what you should do, and No, I don't think that's what everyone does, because it's a really bad idea.

[+KimNilsson]

I mean, keeping students on a completely separate G Suite account.

Using separate domains is smart; makes it really easy to visually separate staff and students.

/Kim

[Robin Wilson]

Hello Kim

Thanks for the reply and sorry for the delay getting back to you but notifications were going to the wrong email account.

Yes the students are on a totally separate GSuite account rather than just a sub-domain.

If we move the students to being on a sub-domain of the main GSuite account then would this solve the issues and would I be able to auto-join them to their classes the same way I am doing with teachers using the GAM tool?

Is there any downside or security risk to moving them to the same GSuite account?

Is there a cost implication? I believe student GSuite for Education is free for students but don't think the staff one is?

How would we go about moving the students. There are about 50,000 I think. Is it just a switch or would all their data need migrating which could take a very long time?

I really would rather automate this if possible as we have all kinds of courses and not all are in a classroom where the tutor can go through the join process. There is distance learning and also learners are constantly changing courses and courses can be very large etc. Also we don't want their "inability" to join the class a reason for them not doing any of the assigned work. I just want a way of keeping everything in sync like we can with various other systems the college uses.

Thanks for the help
Robin

[+KimNilsson]

Hi again, Robin!

I'll answer your questions in parts, and inline below.

On Thursday, 6 December 2018 10:50:22 UTC+1, Robin Wilson wrote:

Hello Kim

Thanks for the reply and sorry for the delay getting back to you but notifications were going to the wrong email account.

Yes the students are on a totally separate GSuite account rather than just a sub-domain.

If we move the students to being on a sub-domain of the main GSuite account then would this solve the issues and would I be able to auto-join them to their classes the same way I am doing with teachers using the GAM tool?

Yes, user accounts in the same G Suite Account, regardless of domain, will be manageable with GAM.

 

Is there any downside or security risk to moving them to the same GSuite account?

IMHO, there are only advantages. All your users will be in the same directory, so emailing and sharing is much easier.

One possible downside is if you use firstname.lastname@domain for both students and staff, there's a risk of confusion. That is easily remedied by using firstname...@student.domain or by (or and) changing the student syntax to somethi...@student.domain. Students really don't need their useraccounts to be their name. Their name is still visible and searchable in the Directory (in Gmail/Drive). Also, most organisations have waaaay many more students than staff, so using a more structured syntax for students is smarter than first.last@.

 

Is there a cost implication? I believe student GSuite for Education is free for students but don't think the staff one is?

That depends. For schools/school districts you should be using G Suite for Education for both your G Suite Accounts. If the staff account currently isn't, you should begin with "upgrading" to a GSFE account to make staff accounts free, before considering migrating.

Do note, that you could also go the other way around, and add your staff to the student domain instead. :-) Technically, the idea and process would be the same.

 

How would we go about moving the students. There are about 50,000 I think. Is it just a switch or would all their data need migrating which could take a very long time?

There are several ways to migrate data, and as many consultants that, for a lot of cash, would be happy to help you do it.

But, I have for my last two migrations put it in the hands of the users.

Google Takeout Transfer will copy a single user's content into a new account. All sharing will of course be broken (this is something some vendors could be paid to include in their migration). So instead I just told all users to migrate their own content!

 

Again, this is less work if you instead move the staff to where your students are. :-)

Be aware that certain content will not migrate. It's listed in the support pages about Takeout Transfer.

I really would rather automate this if possible as we have all kinds of courses and not all are in a classroom where the tutor can go through the join process. There is distance learning and also learners are constantly changing courses and courses can be very large etc. Also we don't want their "inability" to join the class a reason for them not doing any of the assigned work. I just want a way of keeping everything in sync like we can with various other systems the college uses.

Yeah, once again it feels like it would require the least amount of work to migrate your staff to the students G Suite Account. Of course with their own domain, so they are easily distinguishable from students.

All migration can/should be done while keeping the old accounts alive.

So, for a while those that are migrating will have access to two accounts, but all new work is to be done in the new account.

[Robin Wilson]

Hello Kim

Thanks for the information.

I believe IT are now looking at a mass move of the student accounts so they become a sub-domain within the staff GSuite account. In terms of account conflicts it shouldn't be an issue as students would have robin....@college.DOMAIN.ac.uk whereas staff would be robin....@DOMAIN.ac.uk. As staff are already top-level and students are already on a sub-domain (even though it isn't in reality) we thought going that way would be best.

Also I have confirmed both staff and student accounts are currently free under the educational licence so at least I don't need to worry about the cost side of things.

It does look like Google have a mass migration tool for moving from one GSuite to another here:

https://support.google.com/a/answer/1041297?hl=en

https://support.google.com/a/answer/6351475?hl=en

However it looks like it only does Gmail and not all Google services. Is that why Google Takeout Transfer is better? I know I tried the mass migration tool for an Office 365 move to Google but it would always get stuck about half way through.

Did all users manage to migrate using the Google Takeout Transfer tool and was this done whilst keeping the original email address intact and just moving it to sit under the new GSuite account? Do you know how I would set this up as presumably the sub-domain would already show as allocated under the old account and I don't want people losing emails until switched (and presumably I would need to wait for everyone to make the switch before turning off the old one)? Also, if possible to have an old and new account active at the same time, when signing in, how would Google know which one to sign them into?

It does seem surprising there are not better, first party, tools for managing Google Services at a large scale.

Robin

On Thursday, 6 December 2018 11:56:06 UTC, +KimNilsson wrote:

Hi again, Robin!

I'll answer your questions in parts, and inline below.

On Thursday, 6 December 2018 10:50:22 UTC+1, Robin Wilson wrote:

Hello Kim

Thanks for the reply and sorry for the delay getting back to you but notifications were going to the wrong email account.

Yes the students are on a totally separate GSuite account rather than just a sub-domain.

If we move the students to being on a sub-domain of the main GSuite account then would this solve the issues and would I be able to auto-join them to their classes the same way I am doing with teachers using the GAM tool?

Yes, user accounts in the same G Suite Account, regardless of domain, will be manageable with GAM.

 

Is there any downside or security risk to moving them to the same GSuite account?

IMHO, there are only advantages. All your users will be in the same directory, so emailing and sharing is much easier.

One possible downside is if you use firstname.lastname@domain for both students and staff, there's a risk of confusion. That is easily remedied by using firstname.lastname@student.domain or by (or and) changing the student syntax to somethingrandom@student.domain. Students really don't need their useraccounts to be their name. Their name is still visible and searchable in the Directory (in Gmail/Drive). Also, most organisations have waaaay many more students than staff, so using a more structured syntax for students is smarter than first.last@.

[Kim Nilsson]

Alright, that's a first step.

I'll answer inline below.

/Kim

--

There is No Substitute!

google.com/+KimNilsson

On Mon, 17 Dec 2018 at 00:45, Robin Wilson <robinw...@gmail.com> wrote:

Hello Kim

Thanks for the information.

I believe IT are now looking at a mass move of the student accounts so they become a sub-domain within the staff GSuite account. In terms of account conflicts it shouldn't be an issue as students would have robin....@college.DOMAIN.ac.uk whereas staff would be robin....@DOMAIN.ac.uk. As staff are already top-level and students are already on a sub-domain (even though it isn't in reality) we thought going that way would be best.

Also I have confirmed both staff and student accounts are currently free under the educational licence so at least I don't need to worry about the cost side of things.

It does look like Google have a mass migration tool for moving from one GSuite to another here:

https://support.google.com/a/answer/1041297?hl=en

https://support.google.com/a/answer/6351475?hl=en

However it looks like it only does Gmail and not all Google services. Is that why Google Takeout Transfer is better? I know I tried the mass migration tool for an Office 365 move to Google but it would always get stuck about half way through.

Yes, there are several Drive Migration tools, but not free ones. There are a number of consultants that will gladly take your money, and relieve you of the migration work. That's why we delegated it to the users themselves. Takeout for everything but Gmail and Drive, and Takeout Transfer for those two.

 

Did all users manage to migrate using the Google Takeout Transfer tool and was this done whilst keeping the original email address intact and just moving it to sit under the new GSuite account? Do you know how I would set this up as presumably the sub-domain would already show as allocated under the old account and I don't want people losing emails until switched (and presumably I would need to wait for everyone to make the switch before turning off the old one)? Also, if possible to have an old and new account active at the same time, when signing in, how would Google know which one to sign them into?

Most certainly you will have problems if you wish to keep both domains alive at the same time if you insist on having the names be exactly the same. If you instead name the new domain to something different (I think I suggested @edu...), then there will be no conflict. I'm fairly sure not even Google can help you with keeping the domains exactly the same. The email address is their login username, and there can be no duplicates ever.

 

It does seem surprising there are not better, first party, tools for managing Google Services at a large scale.

Robin

Well, there wouldn't be a need for it, if organisations would not create separate G Suite accounts, against best practice. ;-)

/Kim 

[Pravesh Waghmare]

Hi Robin,

Thanks for the prompt reply.

However i am not looking for migration of accounts or two separate domains.

What i am trying to work out is, I have an ERP system from where i extract the student profile details with first name and last name into a CSV file.

Now this CSV file is stored at my Server and I am executing a GAM command from my System, where i am also providing the server path for the file and i get an error message while doing so.

regards

Pravesh

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFuPQe02fFZcWakWzyP-XCz5sQVD9OStCAkmBg4CumobBw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Kim Nilsson]

Hi Pravesh!

I think you are responding to the wrong post.

Your problem has nothing to do with the current thread.

/Kim

--

There is No Substitute!

google.com/+KimNilsson