
HOW TO: SYNC ACTIVE DIRECTORY GROUPS WITH GOOGLE 


Syncing AD with Google (1)

Introduction

Why automate?

Google Cloud Directory Sync is a very helpful tool that allows you to automatically synchronize information from your local directory to Google so that account information doesn’t have to be manually duplicated in Google.

One of the primary goals in process automation is to put structures in place that require little or no manual intervention. We want to scrutinize any task that we do repeatedly and see whether it can be automated. This is especially true of tasks that are very time consuming. The amount of savings for your organization will depend on several factors. One of those is the level of turnover within your organization: a school district with a very transient student population will have a much harder time keeping up with the changes than a small private school.

Groups

What is the best way to group students?

One of the important commonalities between Active Directory and Google is their heavy reliance on groups. While groups in each environment play a different role, they can be created in a way that lets them be leveraged in both without creating additional work. Groups in Active Directory are primarily used for group policy association, assigning file permissions, deploying applications and grouping users for external applications like web content filtering. Typically, with Active Directory, creating groups by grade band is all that is necessary. This is used most frequently for content filtering rules and group policy management. You may need to do things differently between elementary and high school students, but you would rarely need to distinguish between 9th grade and 10th grade in these areas.

Groups in Google serve multiple functions. They can be used for sharing resources like folders or printers, but they can also be used as email distribution lists to make it easier to communicate quickly with a larger group of students. In Google, it can be more meaningful to break this down to individual grades instead of just grade bands or buildings. It is very common to have email rules that only allow 2nd-grade students to email other 2nd-grade students and staff, or something similar. It is also very common to have a paid application that is specific to all incoming freshmen or all seniors.

OU's

Leveraging Google Functions with OU's 

There are some functions in Google that can be associated with an OU, but others can only be associated with a group. It can be very helpful to have both, but it is very important that this happens automatically and is not manually maintained by someone. First, I suggest that you take advantage of an option in your Google admin console to add a suffix to all groups that are created by users. Groups carrying this suffix will not be removed when GADS synchronizes from Active Directory. You can find this under Apps > G Suite > Settings for Groups for Business > Advanced settings. You need to decide whether you want your groups to be external distribution lists or for internal use only.

Syncing AD Groups with Google image 1

Then, you can control who can create groups and how they are named when they are created. Here is an example of this setting.

Syncing AD Groups with Google Image 2

Make sure that you Apply this new setting. Then, we need to adjust the settings in Google Apps Directory Sync. To configure this, you need to run config-manager.exe and open your existing xml file that you use to sync users. Under the General settings tab, if you check the groups checkbox, this will expose the group configuration settings.

Syncing AD Groups with Google Image 3

Define LDAP Search Rule

Then, under the Groups tab, you must define an LDAP search rule by clicking on the “Add Search Rule” button.

Syncing AD Groups with Google image 4

The LDAP query that we use can be configured to filter groups so that not everything that exists in Active Directory automatically syncs to Google. Because all Google resources must have an email address, anything that doesn’t have the mail attribute populated will not be synced. It still may be helpful to filter on a particular prefix or suffix for your groups. You can also filter for groups that use a particular domain name in the mail attribute.

The following are some possibilities and variations that you might choose to use:

A simple filter for any group whose email address has a domain portion equal to @school.org:
(&(objectClass=group)(mail=*@school.org))

A simple filter for any group that has either of two domains in its email address:
(&(objectClass=group)(|(mail=*@school.org)(mail=*@student.school.org)))

Adding an additional requirement that the group have a prefix of “grp-”:
(&(objectClass=group)(mail=grp-*@school.org))

Adding an additional requirement that the group have a suffix of “-grp”:
(&(objectClass=group)(mail=*-grp@school.org))

Once the remainder of the screen is completed, the result looks like this:

Syncing AD Groups with Google Image 5 Search Rule Filter


At this point we should save our settings, but it is important that we save this with a different file name while we are working on a new configuration. Once we have completed everything and are sure that we are getting the desired results, we can save this back into our production file name.

Testing the new configuration with GADS

Now we are ready to test our new configuration and see what GADS (or GCDS, Google Cloud Directory Sync) would do to our groups in Google if we ran it.

It is EXTREMELY important that we always preview changes before actually running a new configuration. Under the Sync tab, check the “Clear Cache” box and then click the “Simulate Sync” button. This will run a preview and show you everything that GADS would do if it ran now.

Syncing AD Groups with Google GADS image 6

The results dialog analyzes the number of local groups that match the LDAP search criteria and the number of Google groups that also apply. It lists the proposed changes and shows how many groups will be deleted, how many will be created and how many will be modified. Pay particular attention to the groups that will be DELETED. You will have to decide whether any of the groups that would be deleted are necessary. If they are, they need to exist in Active Directory in order to remain in Google. You may choose to rename groups so that they match properly. Continue to make adjustments on either end until the preview gives you exactly the results that you want.

Then, you can overwrite your production XML file so that this configuration is run through your normally scheduled process. This is typically a scheduled task that either runs sync-cmd.exe directly or runs a batch file that executes this command. You will need to make a minor adjustment to your command line and remove the -g switch that excluded groups before. Your resulting command line will be something like this:

"C:\Program Files\Google Apps Directory Sync\sync-cmd.exe" -o -a -c c:\gads\school.xml
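As an added example (not GCDS code and not from the original post), the following Python evaluates the LDAP group filters shown above against constructed AD entries and computes the create/delete/keep sets that the Simulate Sync dialog reports, so you can reason about which groups a filter change would DELETE before running the real preview. It assumes a user-created group suffix of "-usergrp" and that Google groups carrying it are left alone, as the Groups for Business setting described earlier intends.

```python
# Added illustration, not GCDS code: evaluate the article's LDAP group filters
# against constructed AD entries and preview create/delete/keep like Simulate Sync.
import fnmatch

def parse_filter(s):
    """Parse the subset GCDS rules use: (&...), (|...) and (attr=pattern)."""
    def node(i):
        if s[i + 1] in "&|":                      # composite: (&(a)(b)) or (|(a)(b))
            op, i, kids = s[i + 1], i + 2, []
            while s[i] == "(":
                child, i = node(i)
                kids.append(child)
            return (op, kids), i + 1              # consume the closing ')'
        j = s.index(")", i)                       # leaf: (attr=value), '*' is a wildcard
        attr, _, pat = s[i + 1:j].partition("=")
        return ("=", attr.lower(), pat.lower()), j + 1
    tree, end = node(0)
    if end != len(s): raise ValueError("malformed filter: " + s)
    return tree

def matches(tree, entry):
    """entry maps lowercase attribute names to value lists; a missing attribute
    never matches, which is why groups without 'mail' are left out."""
    if tree[0] == "&":
        return all(matches(t, entry) for t in tree[1])
    if tree[0] == "|":
        return any(matches(t, entry) for t in tree[1])
    return any(fnmatch.fnmatchcase(v.lower(), tree[2]) for v in entry.get(tree[1], []))

def simulate_sync(ad_groups, google_groups, ldap_filter, user_suffix):
    """Dry run: filtered AD groups are the desired state; Google groups whose local
    part ends in user_suffix (created in the admin console) are never deleted."""
    tree = parse_filter(ldap_filter)
    wanted = {e["mail"][0].lower() for e in ad_groups if matches(tree, e)}
    existing = {g.lower() for g in google_groups}
    protected = {g for g in existing if g.split("@")[0].endswith(user_suffix)}
    return wanted - existing, existing - wanted - protected, wanted & existing

AD_GROUPS = [  # constructed sample directory entries, not real data
    {"objectclass": ["group"], "mail": ["grp-grade02@school.org"]},
    {"objectclass": ["group"], "mail": ["grp-grade03@school.org"]},
    {"objectclass": ["group"], "mail": ["grp-seniors@student.school.org"]},
    {"objectclass": ["group"], "mail": ["staff@school.org"]},
    {"objectclass": ["group"]},                                  # no mail attribute
    {"objectclass": ["user"], "mail": ["grp-bob@school.org"]},   # a user, not a group
]
GOOGLE_GROUPS = ["grp-grade02@school.org", "grp-old@school.org", "pta-usergrp@school.org"]

if __name__ == "__main__":
    create, delete, keep = simulate_sync(AD_GROUPS, GOOGLE_GROUPS,
                                         "(&(objectClass=group)(mail=grp-*@school.org))", "-usergrp")
    print("create:", sorted(create), "\nDELETE:", sorted(delete), "\nkeep:", sorted(keep))
```

Swap in the two-domain or suffix filters from the list above to see how the DELETE set changes before you touch the production XML.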

For more, check out our blog post about Google OU Structure and Automation.


"I use Keith Larson's Student Provisioning Services (SPS). It saves me a ton of time and I don't have to enter a single account in AD or Google Admin. Clever syncs with Sycamore, then SPS picks up in Clever to add the accounts in AD and then GADS to create them in Google." 

Private School IT Coordinator

"We added this service to our existing automated AD student account creation from service this year. Makes sense to try and get as much data in the 'source', imo. Keith and company got it going very quickly, and it was very reasonably priced."

Shawn Bristow

Jeff Breckner Systems Administrator