Skip to first unread message
Frank Cusack
Dec 5, 2018, 6:47:37 PM12/5/18
to GAM for G Suite
Anyone using GCDS? My desired workflow is:
1. disable user in AD
2. GCDS syncs disabled->suspended state in G Suite
3. at a convenient time later, transfer ownership of drive files.
This is made inconvenient by the fact that GAM (rather, G Suite) can't transfer ownership of files from a suspended account, because we need to act as the suspended user but the suspended user is ... well, suspended ... and can't access any services. So I have to enable the account, transfer ownership, and re-disable the account. It's doable but I wonder if there's an easier/simpler way.
I prefer not to transfer ownership before step 3, ie before the user becomes suspended, because many times a new user will take over the responsibilities, so it's better just to let the suspended user retain the ownership until the new user is up and running.
+KimNilsson
Dec 6, 2018, 3:19:30 AM12/6/18
to GAM for G Suite
Have you tried using Data Transfer, instead of just transferring ownership of content?
✉ Kevin Melillo
Dec 6, 2018, 8:21:33 AM12/6/18
to google-ap...@googlegroups.com
I don't believe the The Data Transfer Tool requires an account to be unsuspended. (Admin Panel Menu \ Apps \ G Suite \ Drive and Docs \ Transfer Ownership)
On Thu, Dec 6, 2018 at 3:19 AM +KimNilsson <there.is.no...@gmail.com> wrote:
Have you tried using Data Transfer, instead of just transferring ownership of content?
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/5ff86d1b-6d65-4fc6-b5ee-861b45b86f78%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
|
Rance Hall
Dec 6, 2018, 9:48:50 AM12/6/18
to google-ap...@googlegroups.com
An admin can transfer files without between users without pretending to be either one, so I don’t know why you had trouble with step 3.
That being said, could you change your workflow a bit and have step 1) be a password change for the user so that they are effectively locked out but the account is still “active” then suspend the account later.
Rance
--
F: 308-233-9066
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
google-apps-man...@googlegroups.com.
To post to this group, send email to
google-ap...@googlegroups.com.
Visit this group at
https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/a95c11a3-7a84-4d85-b4a4-3fb6a86a5af6%40googlegroups.com.
Frank Cusack
Dec 6, 2018, 12:08:00 PM12/6/18
to google-ap...@googlegroups.com
Thanks all. Data Transfer in the admin console would seem to do the trick, for the use case I mentioned -- transferring all files. I should have gone into a second case though.
Before the time at which a new user is there to take on all the old user's files, I find myself needing to cherry pick a single file or two. I've been using 'gam user $olduser transfer ownership $id $newuser'to do this. Because this involves gam taking on the identity of the suspended user, it doesn't work. I have to unsuspend the user, put them in an OU with drive access, transfer, then resuspend and change OU back.
Changing the password so as to essentially lock them out isn't very appealing because it's not possible for an auditor (me) to know if they are disabled unless I myself did the password change, and remember that I did it. Account suspension makes it obvious and removes possibility of error.
On Thu, Dec 6, 2018 at 6:48 AM Rance Hall <rance...@esu10.org> wrote:
An admin can transfer files without between users without pretending to be either one, so I don’t know why you had trouble with step 3.
Single files?
--
You received this message because you are subscribed to a topic in the Google Groups "GAM for G Suite" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/j_RmCGtXGHY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
Kim Nilsson
Dec 7, 2018, 1:48:18 AM12/7/18
to Google Apps Manager
Why do you disable the Drive service for disabled accounts?
That sounds superfluous, and in your case even counter-productive.
Without that all you would need is a single click to activate account, run GAM ownership transfer of file/folder, and then disable user again.
No, data transfer is always for all content.
On Thu, 6 Dec 2018 at 18:08, Frank Cusack wrote:
Thanks all. Data Transfer in the admin console would seem to do the trick, for the use case I mentioned -- transferring all files. I should have gone into a second case though.Before the time at which a new user is there to take on all the old user's files, I find myself needing to cherry pick a single file or two. I've been using 'gam user $olduser transfer ownership $id $newuser'to do this. Because this involves gam taking on the identity of the suspended user, it doesn't work. I have to unsuspend the user, put them in an OU with drive access, transfer, then resuspend and change OU back.Changing the password so as to essentially lock them out isn't very appealing because it's not possible for an auditor (me) to know if they are disabled unless I myself did the password change, and remember that I did it. Account suspension makes it obvious and removes possibility of error.
Frank Cusack
Dec 7, 2018, 1:52:53 PM12/7/18
to google-ap...@googlegroups.com
From your answer I take it there is no alternate workflow that is going to "solve" this for me. But yeah, perhaps disabling Drive is unnecessary so keeping Drive on will at least help.
thanks
--
You received this message because you are subscribed to a topic in the Google Groups "GAM for G Suite" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/j_RmCGtXGHY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFs6grjuHf6v0pWB3L%3DrVQCC1Gen9VcVWUv-yvWa3Usy6g%40mail.gmail.com.
Steve - DynTech
Dec 9, 2018, 9:22:06 AM12/9/18
to GAM for G Suite
Frank - If your workflow also includes moving the user to a new OU then that password change is all part of the actions of deprovisioning which you can correlate in the logs just like you can with a suspension event. Suspending the account also breaks email forwarding that you might want to apply on the user level and the way around that is a manual creation or a routing rule.
Frank Cusack
Dec 20, 2018, 2:57:12 PM12/20/18
to google-ap...@googlegroups.com
Great stuff. Thanks for making this available.
--
You received this message because you are subscribed to a topic in the Google Groups "GAM for G Suite" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/j_RmCGtXGHY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0da3a79b-a260-4c6e-8a5c-a52559d5162a%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages