syncing groups with GADS

[Patrick Dunford]

Good morning

We are looking at using GADS to sync active directory groups to Google
Apps - at the moment we only sync org units and user accounts.

I want to be able to choose only the specific AD groups that I want from
AD to Google and have it leave all the other groups on Google Apps
alone. We have Hapara installed and I don't want any of the Hapara
groups being affected by the GADS sync.

What I already know from my experience with GADS is if there is a user
account on the Google domain that is missing from the Active Directory
it will suspend or delete that account from the Google domain, by
default. The way around it for user accounts is to put them into a
different org unit path on Google Apps and then write an exclusion rule
to exclude that org unit from the sync. Is there a way to exclude groups
that are on Google only, like all the Hapara groups, from the sync. This
is harder with groups because there is no org unit structure for filing
them in Google Apps.

One of the groups we want to sync to if at all possible is a local
Active Directory group to one of the Hapara groups, we want to be able
to sync it to td students in order that new students get added to that
group on Google Apps automatically when they are enrolled.

TIA

[Andrew Godfrey]

On 14 March 2016 at 11:38, Patrick Dunford <kahuk...@gmail.com> wrote:

exclusion rule to exclude that org unit from the sync

You can also add exclusion rules based on usernames and groupnames (wildcards allowed)

_______________________________________

 

Andrew Godfrey  |  Network Manager

[Alistair Baird]

You can sync an AD group to an organisation unit in Google - we do that for a few. See below how we map ad AD group to a Google OU (Restricted Users). This is done in the GADS User Account Search Rules.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Alistair Baird

IT Manager

St Peters College 

p 06 354 4198

m 021 990 259

e bai...@stpeterspn.school.nz

[Simon - OBHS]

What Andrew said, just add the group(s) as exclusions.

As for the last part, the only way to sync to the hapara group would be to replicate that group in AD. Though if you add a user directly into that group online, then likely it would get removed if not in the AD group.

Though again if you had the hapara group in the exclusions list, i'm unsure if gads will sync it or not. May want to experiment with the test sync.

[Patrick Dunford]

Users will be added to the AD group, and then GADS will add them to the group on GAFE. However there are some groups that we manage only on GAFE that have no AD equivalent.

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[Patrick Dunford]

Sorry can't see that picture at a useful readable size on my computer, can you make it bigger, thanks

[Patrick Dunford]

What I have meant by that is there is no way in the Google Apps admin console, you can organise groups into different org units like you can with users. Because of this, as anyone who has Hapara knows, there are a very large number of groups, created by Hapara, which are only present on Google Apps and are not on the AD server. Whereas I can write one simple exclusion rule to exclude users from one org unit that do not exist in AD, when it comes to groups, the lack of being able to put alll these Google-only groups into an org unit and then exclude that org unit from the sync is a significant issue. I will have to write lots of exclusion rules to match group names for this large number of Hapara groups by the name of each group, instead of the name of one org unit where these groups are.

On 14/03/2016 12:14 PM, Alistair Baird wrote:

[Andrew Godfrey]

On 14 March 2016 at 13:18, Patrick Dunford <kahuk...@gmail.com> wrote:

lots of exclusion rules to match group names for this large number of Hapara groups by the name of each group

With thoughtful naming of groups you can exclude many groups at once using regex expressions. Might require a bit work to rename them all but should be doable. Maybe your Hapara group names have 2016 at the end of the name prior to the @ symbol?

[Julian Davison]

There's no common prefix that lends itself to being used with a wildcard? Or perhaps that's, is there a way to arrange a common prefix for use with a wildcard?

(Not a Hapara user)