<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=569338&amp;fmt=gif">

How to Manage Google OU Exceptions

November 7, 2018 | Keith Larson

SM how to manage google OU EXCEPTIONS

One of the primary goals in process automation is to put structures in place that require little or no manual intervention.  For a large percentage of your students, this is possible, but there are always exceptions to any rule.  That is why we need to have a way to allow some flexibility for special situations.  As we continue to work with schools across the country, we are seeing this type of situation arise more often.

When a student is officially withdrawn from school their account would normally be made inactive. There are however, times when but the student still needs access to their Google Drive and Gmail account and in some scenarios, teachers still need to interact with the student while they are away.

We can set up a structure that will allow this to happen without breaking the other automation that we have in place and without creating complex rules for handling student accounts.

  1. You can have a group in Active Directory named “Out of District” or something similar. This group can also be synchronized to Google, but it really isn’t necessary to do that.  Any student that is inactive, but still needs access to Google will be added to this group.  This requires manually adding and removing these students from this group.  This can be the technology department or this can be delegated to other district staff members. 
  2. You can create a Google OU named “Out of District”. This can be a single OU that covers all grade levels or you could have one for each building or grouping of schools (i.e. Middle School or High School). 
  3. You configure your Google Cloud Directory Sync to use an LDAP query like this to map users into a “Out of District” OU:

(&(objectClass=user)(memberof=cn=Out of District,ou=students,ou=school,dc=domain,dc=org ))

 

NOTE: You must move this rule to the top of your user search rules on your Google Cloud Directory Sync configuration file.

The key to this strategy is to realize that Google User search rules are processed from top to bottom.  Once a user is matched with a given rule, that rule applies to that you and it won’t matter if they match any other rules later in the list.  You must prioritize your group matching rules above your OU matching rules.  You may even need to consider which group rules should take priority over other rules if that possibility exists.

This allows you to manage your minor exceptions with a rule, but have your OU placement rules work in all other cases.

Here is an example of the proper configuration of this rule in Google Cloud Directory Sync.

 add LDAP USER SYNC

For more helpful information about Google OU's and automation visit our resource page, HOW TO: SYNC ACTIVE DIRECTORY GROUPS WITH GOOGLE.

SPS-K12 enables students across the United States to modern their student provisioning and data management.

 

 

Would you like to automate provisioning for your district?

Request a Demo

Subscribe to Blog updates

VOB Badge for Website