
AUTOMATING LICENSES WITH GOOGLE CLOUD DIRECTORY SYNC

How to Fully Automate Staff and Student License Assignment and Removal with Google Cloud Directory Sync Release 4.7.12

About this Step by Step Guide

Sometimes Google makes significant changes that really have an impact on the daily operation of our businesses or K12 schools. The 4.7.12 release of Google Cloud Directory Sync is one of those significant changes. It added the option to automate licensing: not just the assignment of licenses to new users, but the REMOVAL of licenses that a user should no longer have. This may not seem like much, but it can be HUGE.

What this means for K12 schools is that new staff and students can automatically be assigned the appropriate Google license using the SKU and then when they leave the district this license can be automatically removed all through a normal GCDS sync.

The only catch is that you are tying license assignment to membership in a group in Active Directory (or any other LDAP-compliant directory). If you have no directory at all, this won’t apply, but then you also wouldn’t be using GCDS. Also, for this to be completely hands-off and 100% automated, you need automation in place that adds new staff and students to the groups when their accounts are created and removes them when they are no longer employed or enrolled in the district.

Group automation can be done rather easily with PowerShell, which is how Student Provisioning Services currently does this for most of its customers. Districts with many more groups, or more complex groups, may find that Condrey Corporation’s Group Symmetry is the answer. I have implemented this for a number of districts and found it very helpful in large or complex environments.
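As an added example (not code from the original post, from Student Provisioning Services or from Group Symmetry), here is the shape of a PowerShell group reconciliation that feeds the license rules described later in this guide: the authoritative roster decides who belongs in the students-all group, and the script adds and removes members accordingly. The CSV path, its sAMAccountName column, the dry-run default and the 10% removal cap are assumptions for your environment; the group DN is the one used for the student rule below.

```powershell
# Added example (not code from the original post): keep the Students-ALL
# group in step with the system of record so GCDS assigns and removes the
# student SKU on its own. ASSUMPTIONS: the SIS exports a CSV with a
# "sAMAccountName" column; the path and the $DryRun default are placeholders.
Import-Module ActiveDirectory

$RosterCsv = 'C:\SIS\enrolled-students.csv'              # assumed SIS export
$GroupDn   = 'CN=Students-ALL,OU=Groups,OU=Students,OU=Accounts,DC=ad,DC=sps-k12,DC=com'
$DryRun    = $true                                        # set to $false to apply changes

# Who SHOULD be in the group, per the authoritative roster
$wanted = @(Import-Csv $RosterCsv |
    ForEach-Object { $_.sAMAccountName.Trim().ToLower() } |
    Where-Object { $_ } | Sort-Object -Unique)

# Who IS in the group now. Reading membership with the same memberof filter
# GCDS uses avoids Get-ADGroupMember's 5000-result cap on large groups.
$current = @(Get-ADUser -LDAPFilter "(memberof=$GroupDn)" |
    ForEach-Object { $_.SamAccountName.ToLower() } | Sort-Object -Unique)

$diff = Compare-Object -ReferenceObject $wanted -DifferenceObject $current
$toAdd    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$toRemove = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

# Guard rails: an empty or truncated export would otherwise empty the group,
# and the next GCDS sync would then strip every student license.
if ($wanted.Count -eq 0) { throw "Roster is empty; refusing to modify $GroupDn" }
if ($current.Count -gt 0 -and $toRemove.Count -gt [math]::Ceiling($current.Count * 0.10)) {
    throw "Would remove $($toRemove.Count) of $($current.Count) members; stopping for manual review"
}

Write-Output "Add: $($toAdd.Count)  Remove: $($toRemove.Count)  (DryRun=$DryRun)"
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupDn -Members $toAdd    -WhatIf:$DryRun }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupDn -Members $toRemove -Confirm:$false -WhatIf:$DryRun }
```

Run it with $DryRun left at $true first and read the -WhatIf output; the removal cap exists because a group change here becomes a license removal on the next sync, which is exactly the "very big mistakes very quickly" failure mode the warning below is about.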

IMPORTANT: Automation is great, but it can also help you to make very big mistakes very quickly.

Before you attempt to make any of these changes to your production environment, make a copy of your production .xml file and experiment with the copy until you are sure you get the desired results. Then save that file over your production copy to put it into production.

What follows are step by step instructions for how to do this in your district or business. I hope that you will find this useful and will be able to successfully implement this new configuration for your district.

Keith
Founder
SPS-K12 Services


Google Cloud Directory Sync enables administrators to synchronize users, groups and other data from an Active Directory/LDAP service to their Google Cloud domain directory. To enable the automated removal of licenses, you must be running release 4.7.12, updated on May 3rd, 2021.

[Screenshot: GCDS release 4.7.12]

Next, under General Settings, check the Licenses option to enable this function and add it to the list of items to configure.

[Screenshot: General Settings with Licenses enabled]

Next, begin configuring the Licenses option by populating the email address attribute field. For Active Directory, the default value is “mail”.

[Screenshot: Licenses configuration, email address attribute]

Select the SKU Management tab to identify the SKU that you purchased from Google for staff and students if appropriate. For the purposes of these instructions, I am going to assign “Google Workspace for Education Plus – Legacy” to all teaching staff and “Google Workspace for Education Plus – Legacy (Student)” to all currently enrolled students.

[Screenshot: SKU Management, identifying the SKU]

NOTE: It is critical to understand that you must be able to write a single ldap query for each license. When you build a query and assign a license, the process removes that SKU from the list and will not allow you to build a second query for the same SKU. There is a 1:1 relationship between SKU and ldap query.

For my students, I have the following groups automated and I’m going to use the students-all group to assign the Google license SKU. My ldap query will be:

(&(objectClass=person)(mail=*)(memberof=CN=Students-ALL,OU=Groups,OU=Students,OU=Accounts,DC=ad,DC=sps-k12,DC=com))

[Screenshot: assigning the Google license SKU]
We take this information and create an ldap license rule in GCDS. Click “Add Rule”, paste your preformatted ldap query (like the one above) into the ldap query field, select “Assign licenses to Google domain users”, select the SKU that you want to assign, and then check the box “Remove this license from the Google domain users that don’t match this rule”. The screen will look like this:

[Screenshot: rule with “Remove this license from the Google domain users that don’t match this rule” checked]

Before you click OK to save this rule, select “Test LDAP Query” to confirm that students actually match your ldap search. This matters because the remove box applies to every user the query does not match: a query that matches nobody would strip the SKU from everyone who currently holds it. The results should look like this:

[Screenshot: Test LDAP Query results]

For my staff, I have a group for teachers in each building or grade band, so my ldap search query is more complex. It needs to match a user who is in any of four groups, so the four memberof terms are wrapped in an OR (|) and the query would be:

(&(objectClass=person)(mail=*)(|(memberof=CN=Teachers-PS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-ES,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-MS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-HS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)))

[Screenshot: Teachers groups]
Create the ldap license rule for staff the same way: click “Add Rule”, paste the staff query above into the ldap query field, select “Assign licenses to Google domain users”, select the staff SKU, and check “Remove this license from the Google domain users that don’t match this rule”. The screen will look like this:

[Screenshot: Add Rule dialog]

And then when we test the query, the results should look like this:

[Screenshot: returned users]

NOTE: If your search results return no users, check the ldap base DN on your ldap configuration page. This search doesn’t have the option to specify its own base DN, so it uses the one defined on the ldap page. Because memberof is an attribute of the user object, it is the users, not the groups, that must sit under that base DN.

Finally, to see what this would do to your production environment, you must ALWAYS preview the changes first. Go to the Sync tab, check “Clear cache” and then click “Simulate sync”. You will get a preview window with results that will look something like this:

[Screenshot: Preview changes]

I personally have an additional process where I download all users from Google and cross-reference this list against the currently assigned licenses to be sure that I am getting exactly the results that I want. Once I have done that, I can move this .xml file into production use.
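As an added example (not code from the original post or from Student Provisioning Services), the following PowerShell walks the staff rule above end to end: it builds the OR’d multi-group filter, checks it is balanced (the check that catches a dropped closing parenthesis), runs it against AD the way GCDS’s “Test LDAP Query” does, and then diffs the result against who holds the SKU today to preview the assignments and removals a sync would make. The group DNs and SKU name are the ones in this guide; the base DN, the Google export path and its primaryEmail/skuName columns are assumptions for your domain.

```powershell
# Added example (not code from the original post): build the multi-group
# license filter, check it is well formed, run it against AD as GCDS's
# "Test LDAP Query" does, then diff the result against Google's current
# license holders to preview the adds and removals a sync would make.
# ASSUMPTIONS: group DNs are the post's; $baseDn, $sku and the Google
# export CSV (columns primaryEmail, skuName) are placeholders for your domain.
Import-Module ActiveDirectory

function New-GcdsLicenseFilter {
    param([Parameter(Mandatory)][string[]]$GroupDn)
    # One (memberof=...) term per group. GCDS allows a single query per SKU,
    # so "in any of these groups" has to be expressed with an OR (|) term.
    $terms = ($GroupDn | ForEach-Object { "(memberof=$_)" }) -join ''
    if ($GroupDn.Count -gt 1) { $terms = "(|$terms)" }
    return "(&(objectClass=person)(mail=*)$terms)"
}

function Test-LdapFilterBalanced {
    param([Parameter(Mandatory)][string]$Filter)
    # Every '(' must be closed, and the depth must never go negative.
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { return $false } }
    }
    return ($depth -eq 0)
}

$staffGroups = 'PS', 'ES', 'MS', 'HS' | ForEach-Object {
    "CN=Teachers-$_,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com"
}
$filter = New-GcdsLicenseFilter -GroupDn $staffGroups
if (-not (Test-LdapFilterBalanced $filter)) { throw "Unbalanced filter: $filter" }
Write-Output "Paste into the GCDS rule:`n$filter"

# Same check as "Test LDAP Query". -SearchBase must equal the Base DN on the
# GCDS LDAP page; a base that does not contain the user OUs returns nothing
# even though the filter itself is correct.
$baseDn = 'OU=Accounts,DC=ad,DC=sps-k12,DC=com'          # assumed GCDS Base DN
$shouldHave = @(Get-ADUser -LDAPFilter $filter -SearchBase $baseDn -Properties mail |
    ForEach-Object { $_.mail.ToLower() })
Write-Output "$($shouldHave.Count) users match the rule"

# Cross-reference against who holds the SKU today (export from the Admin
# console or your reporting tool; column names are an assumption). Match the
# SKU string exactly as it appears in your export.
$sku = 'Google Workspace for Education Plus - Legacy'      # staff SKU from the post
$hasNow = @(Import-Csv 'C:\GCDS\google-licenses.csv' |
    Where-Object { $_.skuName -eq $sku } |
    ForEach-Object { $_.primaryEmail.ToLower() })

$diff = Compare-Object -ReferenceObject $shouldHave -DifferenceObject $hasNow
# '<=' only in the AD result: sync would ASSIGN. '=>' only in Google: sync would REMOVE.
$willAssign = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$willRemove = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
Write-Output "Sync would assign $($willAssign.Count) and remove $($willRemove.Count) licenses"
$willRemove | Sort-Object | ForEach-Object { "REMOVE $_" }
```

The REMOVE list is the one to read line by line before the .xml goes into production; every name on it is someone the rule no longer matches, and it should agree with what “Simulate sync” shows. If the AD query returns zero users while the groups are populated, the -SearchBase (and therefore the GCDS base DN) is the first thing to check, exactly as the NOTE above says.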
