
The Penalty Box

July 30, 2019 | Keith Larson


One of the primary goals in process automation is to put structures in place that require little or no manual intervention. For a large percentage of your students, this is possible, but there are always exceptions to any rule. We need to have a way to allow some flexibility for unique situations. The best example of this is what many Technology Coordinators affectionately refer to as “The Penalty Box”.

There are times when you need to temporarily limit a student’s access to technology. Examples of this include short-term limits like a classroom period or longer-term limits for a pending disciplinary hearing. We will explore several different options and how they interact with the automation of student accounts.

Option 1: Very short-term. If you are using a product like “Go Guardian”, teachers can move students into a different OU that has limits within Google. This move will be temporary because the next time that Google Cloud Directory Sync runs, the student is moved back into the OU where they originated. The caveat is that this option only impacts students that are working on Chrome devices and may or may not have any effect on your web content filter.

Option 2: Longer-term. This method relies on several things being implemented, but the result is a more thorough coverage of your environment for a student that is under some type of disciplinary action.

Step 1: You need a group in Active Directory named “Penalty Box” or something similar. This group can also be synchronized to Google, although it isn’t necessary to do that. Any student that requires restricted internet access is added to this group. This requires manually adding and removing these students from this group. The technology department can perform this task, or it may be delegated to other district staff members.

Step 2: You create a Google OU named “Penalty Box”. This can be a single OU that covers all grade levels, or you could have one for each building or grouping of schools (e.g. Middle School or High School).

Step 3: You configure your Google Cloud Directory Sync to use an LDAP query like this to map users into a “Penalty Box” OU:

(&(objectClass=user)(memberof=cn=Penalty Box,ou=students,ou=school,dc=domain,dc=org))



IMPORTANT NOTE: You must move this rule to the top of your user search rules in your Google Cloud Directory Sync configuration file.

The key to this strategy is to realize that Google User search rules are processed from top to bottom. Once a user matches a given rule, that rule determines the user's OU, and it won’t matter if they match any other rules later in the list. You must prioritize your group matching rules above your OU matching rules. You may even need to consider which group rules should take priority over other group rules if a user could match more than one. This allows you to manage your minor exceptions with a rule, but have your OU placement rules work in all other cases.
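The ordering effect described above can be checked with a small model before changing a live sync. This is an added example, not part of the original post and not GCDS code: the rule names, the "/Students" OU path and the two sample users are constructed, and only the group DN is taken from the LDAP query above.

```python
# Added illustration: a constructed model of first-match rule evaluation.
# This is not GCDS code or its configuration file format.
from dataclasses import dataclass
from typing import Callable

STUDENTS_OU = "ou=students,ou=school,dc=domain,dc=org"
PENALTY_GROUP = "cn=Penalty Box," + STUDENTS_OU  # group DN from the LDAP query

@dataclass(frozen=True)
class User:
    dn: str
    member_of: tuple = ()

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[User], bool]
    target_ou: str  # Google OU path; "/Students" below is an assumed name

def in_group(group_dn):
    return lambda u: group_dn.lower() in (g.lower() for g in u.member_of)

def under_ou(base_dn):
    return lambda u: u.dn.lower().endswith("," + base_dn.lower())

def place(user, rules):
    """Return the OU of the first matching rule, scanning top to bottom."""
    return next((r.target_ou for r in rules if r.matches(user)), None)

def shadowed_rules(users, rules):
    """Rules that match some user but never decide a placement (dead rules)."""
    matched, decided = set(), set()
    for u in users:
        hits = [r.name for r in rules if r.matches(u)]
        matched.update(hits)
        decided.update(hits[:1])
    return sorted(matched - decided)

# Constructed sample directory: bob is in the Penalty Box group, alice is not.
USERS = [User("cn=alice," + STUDENTS_OU),
         User("cn=bob," + STUDENTS_OU, (PENALTY_GROUP,))]
PENALTY = Rule("penalty-box-group", in_group(PENALTY_GROUP), "/Penalty Box")
BY_OU = Rule("students-ou", under_ou(STUDENTS_OU), "/Students")
CORRECT, MISORDERED = [PENALTY, BY_OU], [BY_OU, PENALTY]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(label, [place(u, rules) for u in USERS], shadowed_rules(USERS, rules))
```

With the group rule listed second, the restricted student still lands in the regular OU and the group rule shows up as shadowed, which is the silent failure the note above warns about.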

Below is a screenshot of the proper configuration of this rule in Google Cloud Directory Sync:


If your process is not yet automated, Student Provisioning Services can help. Click here to get in touch. We'll review your process to help determine if automation is right for your school.

You may also find our blog post “To Delete or Not to Delete” helpful.

For additional discussion you can visit the Google Apps K-12 Technical Forum.
