Using GADS - I'm trying to keep some OU's in AD from syncing up to GA4E


Dan Christ

Oct 20, 2011, 10:08:28 AM
to k12ap...@googlegroups.com
Hello,

Here is my situation:

Domain Name:panthernation.net
Edition:GA4E
Issue Description: Trying to keep all accounts within an OU from syncing
Steps to Reproduce (if applicable):
I'm trying to keep all elementary school student accounts from syncing to Google apps.  Our 4th graders do NOT need GA accounts! 

So, how do I keep this OU from syncing (internal domain path in AD) -->  domain.local/Students/Elementary School

Basically I'm syncing staff by entering the Base DN's in Google Apps/Users/User Sync in the GADS utility.  I have one rule each for staff and students.
OU=Staff,DC=domain,DC=local
OU=Students,DC=manteno,DC=local

This all works fine as the simulations show the number of accounts to sync.  The only issue is as stated above, I'm trying to keep some OU's inside the students OU from syncing.  I suppose I go sync to a deeper level in the student path above (OU=Students,DC=manteno,DC=local), BUT I'm just trying to not have to go this route if possible.


I've tried these steps in Google Apps Directory sync to fix this:
1. Google Apps/Exclusion Rules ---> Type - Organization complete Path /  Match Type Substring (and Exact) - Rule: Elementary School/Students  (no go!)
2. Google Apps/Exclusion Rules ---> Type - Organization complete Path /  Match Type Substring (and Exact) - Rule: domain.local/Elementary School/Students  (no go!)
3. LDAP Settings/OrgUnits/Search Rules/Exclusion Rules:  Excluded Type: Org Unit DN / Match Type:  Substring Match / Exclusion Rule: OU=Elementary School,OU=Students,DC=manteno,DC=local   (still no go)

I posted this on the regular Google Apps help forum and didn't receive any responses.  I'm not finding much documentation on this.  The Google apps admin pdf doesn't really explain much either.

Any thoughts or ideas on this would be much appreciated!
Thanks,
Dan Christ

Schneider, Martin

Oct 20, 2011, 12:06:48 PM
to k12ap...@googlegroups.com
Do the fourth graders have email accounts in district? If not you can remove the email address line from your active directory and the students will no longer sync with GA4E.
Sent from my BlackBerry.

Dan Christ

Oct 20, 2011, 1:41:16 PM
to k12ap...@googlegroups.com
Martin,

Thanks for the response, and I understand exactly what you are saying.  And to answer that, they do NOT have email addresses, so that field is not filled in their individual AD accounts.  Though I am trying to go the route of syncing using the sAMAccountName in the email address attribute field in GADS.  This part is great because then I don't have to run a script to fill in each student with an email address.
If I went the route of email address in that spot, they simply would not get a Google Apps account.   So, I'm still looking to block syncing these OU's another way.
I hope that makes sense.
Thanks,
Dan

John Dombrowski

Oct 20, 2011, 2:16:20 PM
to Google Apps K12 Technical Forum
We have all of our students separated by year of graduation. For
example, ou=2012,ou=students,dc=domain,dc=local. So, I set up a sync
rule for each specific OU instead of our top level "Students" OU.

If you separate your grades by OU, you can simply add a separate sync
rule for the grades that you want to sync.

On Oct 20, 10:08 am, Dan Christ <dchr...@panthernation.net> wrote:
> Hello,
>
> Here is my situation:
>
> Domain Name:panthernation.net
> Edition:GA4E
> Issue Description: Trying to keep all accounts within an OU from syncing
> Steps to Reproduce (if applicable):
> I'm trying to keep all elementary school student accounts from syncing to
> Google apps.  Our 4th graders do NOT need GA accounts!  
>
> So, how do I keep this OU from syncing (internal domain path in AD) -->  
> domain.local/Students/Elementary School
>
> Basically I'm syncing staff by entering the Base DN's in Google
> Apps/Users/User Sync in the GADS utility.  I have one rule each for staff
> and students.
> OU=Staff,DC=domain,DC=local
> OU=Students,DC=manteno,DC=local
>
> This all works fine as the simulations show the number of accounts to sync.  
> The only issue is as stated above, I'm trying to keep some OU's inside the
> students OU from syncing.  I suppose I go sync to a deeper level in the
> student path above (OU=Students,DC=manteno,DC=local), BUT I'm just trying to
> not have to go this route if possible.
>
> *I've tried these steps in Google Apps Directory sync to fix this:*
> 1. *Google Apps/Exclusion Rules* ---> Type - Organization complete Path /  
> Match Type Substring (and Exact) - Rule: Elementary School/Students  (no
> go!)
> 2. *Google Apps/Exclusion Rules* ---> Type - Organization complete Path /  
> Match Type Substring (and Exact) - Rule: domain.local/Elementary
> School/Students  (no go!)
> 3. *LDAP Settings/OrgUnits/Search Rules/Exclusion Rules*:  Excluded Type:
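
The per-OU sync rules suggested in the reply above can be previewed offline before the rules are changed. This is an added example, not part of the original thread and not GADS code: it models only standard LDAP subtree scope (an entry is in scope when its DN ends, RDN by RDN, with a rule's base DN), and every DN under `DC=example,DC=local` is constructed sample data.

```python
# Added example: models standard LDAP subtree scope only; this is not GADS code.
# All DNs below are constructed sample data.

def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honoring escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = (p.strip().partition("=") for p in parts)
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in pairs]

def in_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn or lies beneath it (whole-RDN suffix match)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def preview(users, base_dns):
    """Return the user DNs that at least one sync rule's base DN would cover."""
    return sorted(u for u in users if any(in_subtree(u, b) for b in base_dns))

ROOT = "DC=example,DC=local"
USERS = [
    "CN=Ann Teacher,OU=Staff," + ROOT,
    "CN=Ben Senior,OU=2012,OU=Students," + ROOT,
    "CN=Smith\\, Fay,OU=2013,OU=Students," + ROOT,
    "CN=Dee Fourth,OU=Elementary School,OU=Students," + ROOT,
]
BROAD = ["OU=Staff," + ROOT, "OU=Students," + ROOT]           # one rule for all students
NARROW = ["OU=Staff," + ROOT, "OU=2012,OU=Students," + ROOT,  # one rule per wanted OU
          "OU=2013,OU=Students," + ROOT]

def dropped_by_narrowing():
    """Accounts the broad rules pick up that the per-OU rules leave out."""
    return sorted(set(preview(USERS, BROAD)) - set(preview(USERS, NARROW)))

if __name__ == "__main__":
    print("left out by per-OU rules:", dropped_by_narrowing())
```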

Dan Christ

Oct 20, 2011, 5:07:34 PM
to k12ap...@googlegroups.com
John,

That is the direction I'm leaning in.  I'm working on it now, and that works.  Though I was trying to avoid doing this, though it looks like this will be the easier route!
Thanks,