Mark Minasi's Reader Forum

Password Sync from AD to Google Apps

bgetreu
Seasoned But Casual Onlooker

USA
36 Posts

Posted - 05/15/2012 : 10:13:37 AM
I consult for a school district with a single AD domain. The domain is a mixture of 2003 and 2008 DCs and the FFL is 2003. All faculty and students in grades 3-12 have Google Apps accounts (e-mail for HS students). We are able to add students to AD from our Student Information System and to take those AD changes to create accounts in Google. However, after the accounts are created, we cannot sync password changes between AD and Google. We have looked at two different tools - one requires adding an attribute to the User Class to store the password. I have looked into the procedure for adding an attribute and, frankly, it scares me quite a bit. I am particularly concerned about creating an X.500 OID. Microsoft has a script to help calculate what the OID should be, but I can't seem to find out what to do with that information once I get it.

Any insight into the perils of adding attributes to AD would be greatly appreciated.
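An added example for the OID question in the post above (code written for this page, not Microsoft's script and not part of either sync tool): it generates an OID the way Microsoft's OID-generation script does, under the Microsoft-registered arc 1.2.840.113556.1.8000.2554, and shows where the value ends up, namely the attributeID of a new attributeSchema object. The attribute name exampleSchoolSyncState is a placeholder; the run ends with -WhatIf, so it prints the object that would be created without changing the schema.

```powershell
# Added example, not from the thread: generate a schema OID in the scheme Microsoft's
# OID-generation script uses, then show where that OID is consumed.
# Needs the RSAT ActiveDirectory module; creating the object for real needs Schema Admins.
Import-Module ActiveDirectory

function New-SchemaOid {
    # Microsoft's script derives a private OID under its registered arc,
    # 1.2.840.113556.1.8000.2554, by splitting a fresh GUID into seven decimal parts
    # (4+4+4+4+4+6+6 hex digits), so each run yields a unique OID that cannot collide
    # with one issued to anyone else.
    $prefix = '1.2.840.113556.1.8000.2554'
    $hex    = [Guid]::NewGuid().ToString('N')     # 32 hex digits, no dashes
    $slices = @(@(0,4), @(4,4), @(8,4), @(12,4), @(16,4), @(20,6), @(26,6))
    $parts  = foreach ($s in $slices) { [Convert]::ToUInt64($hex.Substring($s[0], $s[1]), 16) }
    return "$prefix.$($parts -join '.')"
}

function Get-NewAttributeDefinition {
    # Builds the parameter set for New-ADObject: a single-valued Unicode-string attribute.
    # $LdapDisplayName is a placeholder; use a name prefixed for your organisation.
    param([string]$LdapDisplayName = 'exampleSchoolSyncState')

    $rootDse = Get-ADRootDSE
    @{
        Name            = $LdapDisplayName
        Type            = 'attributeSchema'
        Path            = $rootDse.schemaNamingContext
        Server          = (Get-ADForest).SchemaMaster   # schema writes go to the schema master
        OtherAttributes = @{
            attributeID      = New-SchemaOid              # this is where the generated OID goes
            lDAPDisplayName  = $LdapDisplayName
            adminDisplayName = $LdapDisplayName
            attributeSyntax  = '2.5.5.12'                 # String(Unicode)
            oMSyntax         = 64
            isSingleValued   = $true
            # searchFlags 128 = confidential: readable only by principals granted CONTROL_ACCESS
            # on the attribute (administrators by default), not by every authenticated user
            # the way an ordinary attribute is.
            searchFlags      = 128
            # Keep it out of the partial attribute set so the value never replicates to
            # global catalogs outside the domain.
            isMemberOfPartialAttributeSet = $false
        }
    }
}

# Dry run: -WhatIf prints the object that would be created without touching the schema.
$def = Get-NewAttributeDefinition
New-ADObject @def -WhatIf

# Remaining steps once the attribute exists (left commented out; a schema attribute cannot be
# deleted afterwards, only marked defunct):
#   Set-ADObject -Identity "CN=User,$($def.Path)" -Server $def.Server -Add @{ mayContain = $def.Name }
#   $rd = [ADSI]"LDAP://$($def.Server)/RootDSE"; $rd.Put('schemaUpdateNow', 1); $rd.SetInfo()
```

The two settings worth keeping if an attribute like this is ever created are the confidential bit and staying out of the global catalog: without them the attribute's value is readable by any domain user and copied to every GC in the forest. Test the whole sequence in a lab forest first, since the attribute itself is permanent.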

NMDANGE
Honorable But Hopeless Addict

USA
2054 Posts

Posted - 05/15/2012 : 1:27:11 PM
You don't sync your passwords to Google Apps. You use SAML, Shibboleth, ADFS or some other form of single sign on or federation to allow Google to pass authentication requests to AD.

I would very very much recommend against doing this.

If you do need to "sync" passwords, MS Forefront Identity Manager allows you to do this. It installs an agent on every domain controller which will pass changes to the FIM server. It isn't exactly the easiest system to implement though, if that's all you want it for. It does a lot more.

Michael D'Angelo
(former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)
(MS)NMDANGE
PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org

aval
Honorable But Hopeless Addict

USA
3273 Posts

Posted - 05/15/2012 : 6:42:26 PM
quote:
    We have looked at two different tools - one requires adding an attribute to the User Class to store the password. I have looked into the procedure for adding an attribute and, frankly, it scares me quite a bit. I am particularly concerned about creating an x500 OID. Microsoft has a script to help calculate what the OID should be, but I can't seem to find out what to do with that information once I get it.

I share your concern about modifying the schema and would avoid it if possible - although adding a single attribute is probably less invasive than what some apps would do.

Given the significant increase in data stored on school servers (I also work in the academic field), I am interested in students using Google Apps for all or some of their projects.

But it looks like you'd either have to let the students create their own Google account (over which the school would have no control) or create an account for each student, which could represent hundreds or thousands for some school districts and then, apparently, have to manage two sets of passwords.

But it looks like you've made more progress than I have.

Would you mind if I asked some questions - off line perhaps?

NMDANGE
Honorable But Hopeless Addict

USA
2054 Posts

Posted - 05/16/2012 : 10:25:42 AM
FYI I work for a university and we've implemented Google Apps for Education, using the Google Sync tool to create accounts, and custom SAML code for single sign on. (I did not write it, though) A starting point is here: https://developers.google.com/google-apps/sso/saml_reference_implementation

We are going to be switching to Office 365 for Education in the near future though.

Michael D'Angelo
(former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)
(MS)NMDANGE
PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org

bgetreu
Seasoned But Casual Onlooker

USA
36 Posts

Posted - 05/17/2012 : 08:40:14 AM
I have requested permission to look at an SSO tool from a third party. If you have any suggestions about software vendors who provide these types of tools, please advise.

NMDANGE
Honorable But Hopeless Addict

USA
2054 Posts

Posted - 05/17/2012 : 09:41:32 AM
Shibboleth is probably what you'd want to use with Google Apps for SSO. It's open source: http://shibboleth.net/

ADFS may also work:
http://ryanfinger.wordpress.com/2010/08/10/adfs-2-0-and-google-apps-saml-integration-achieve-sso/

ADFS is built into Windows, so it's also free, more or less.

Michael D'Angelo
(former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)
(MS)NMDANGE
PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org
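An added example for the SAML single sign-on Michael described in his earlier reply and the ADFS option he gives here (code written for this page, not from the thread, Google's reference implementation, or the linked article): it registers Google Apps as a SAML relying party on AD FS 2.0 and issues the e-mail-format NameID Google's service provider expects. Everything organisation-specific is an assumed placeholder: the Google Apps domain school.example, the AD FS host adfs.school.example, the AD group GoogleApps-Users, the 'google.com' entity identifiers, and the rule that each user's Google address equals the AD mail attribute.

```powershell
# Added example, not from the thread or the linked article: register Google Apps as a SAML 2.0
# relying party on AD FS 2.0 and issue the e-mail-format NameID Google's SP expects.
# Placeholders: Google Apps domain school.example; the user's Google address equals the AD
# 'mail' attribute; only members of the AD group GoogleApps-Users may sign in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets
Import-Module ActiveDirectory

$googleDomain = 'school.example'

# Where AD FS posts the signed assertion after the user has authenticated against AD.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "https://www.google.com/a/$googleDomain/acs" -Index 0

# Issuance transform rules (AD FS claim rule language): look the user's mail address up in AD,
# then re-issue it as the NameID with the emailAddress format Google matches accounts on.
$transformRules = @'
@RuleName = "AD mail attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "mail as e-mail-format NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit only members of the placeholder group. With no matching
# permit rule AD FS issues no token, so disabling a user in AD or dropping them from the group
# ends new Google sign-ins, and no password is ever copied out of AD.
$groupSid = (Get-ADGroup 'GoogleApps-Users').SID.Value
$authzRules = @"
@RuleName = "Permit GoogleApps-Users members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Entity IDs Google's SP presented as audience at the time (assumption; check Google's SAML
# metadata for the domain before relying on them).
$identifiers = @('google.com', "google.com/a/$googleDomain")

Add-ADFSRelyingPartyTrust -Name 'Google Apps' `
    -Identifier $identifiers `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust exists and both rule sets are attached.
Get-ADFSRelyingPartyTrust -Name 'Google Apps' |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

The Google side is configured in the Apps admin console under single sign-on: the sign-in page URL points at the AD FS passive endpoint (https://adfs.school.example/adfs/ls/ with the placeholder host) and the AD FS token-signing certificate is uploaded so Google can verify the assertion signature. The authorization rule is the piece to keep even if the rest changes: it makes AD group membership, not a separate Google password, the thing that decides who can sign in.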

aval
Honorable But Hopeless Addict

USA
3273 Posts

Posted - 05/17/2012 : 7:38:17 PM
Michael,

Could you share your reasons for moving to Office 365 for Education?

That would be my preference (personally) given my familiarity with Exchange.

But isn't Google Apps free (beyond regular email, which is also the case for Office 365 for EDU)?

I may be asked to make a decision on doing various things in the cloud (in a relatively distant future).

So I'm trying to gauge the pros and cons of the various solutions.

chamezzzz
Honorable But Hopeless Addict

United Kingdom
2297 Posts

Posted - 05/18/2012 : 04:03:29 AM
My opinion (Apols Michael)
Google Apps is awful for day-to-day email if you have been used to Outlook. (There is an Outlook client, Google Apps Sync; it is awful.)
Google want you to use Chrome for your day-to-day email usage.
Which is OK at first, but the novelty soon wears off and it is all a bit emperor's new clothes.
Examples include appalling spell check and a complete inability to attach previous emails to a new email, which just slows the user down. These are all very nice features of Outlook that just work.
So Outlook is the better experience. There is also the hassle of not being able to easily integrate with Active Directory and having to maintain two sets of users and passwords.
These are the bulk of the issues as to why I would choose Office 365 over Google Apps.
Michael might add more reasons, hope this helps.

James

Edited by - chamezzzz on 05/18/2012 04:04:14 AM

aval
Honorable But Hopeless Addict

USA
3273 Posts

Posted - 05/19/2012 : 3:30:49 PM
Sure. Thanks for the input!

NMDANGE
Honorable But Hopeless Addict

USA
2054 Posts

Posted - 05/22/2012 : 09:41:56 AM
We have a single domain name which is shared between our on-premise Exchange server and Google Apps, and it has caused a lot of issues. I imagine if the students had a separate domain name, things would work better, but that simply is not an option for us.

We've had many many problems with students getting their mobile devices working, whereas Exchange Autodiscover works perfectly. We have Postini, and we were "sold" on the promise that we could save money by not paying for Postini filtering for the students. But since we still have Exchange, all mail flows through Exchange first and then to Google, and this results in very poor spam detection. BTW Postini is NOT free for higher education, whereas Microsoft includes FOPE for free. Also, some students want to do things like share their calendar with staff and faculty, and vice versa. Exchange on-premise can be easily federated with Exchange Online so that things like calendar sharing between the systems are seamless. We can also seamlessly move mailboxes between the two systems in both directions. Many students already have personal Gmail accounts and don't really want another one; they just forward all their mail to their personal account. At least Exchange is something unique we can offer that they can't get on their own.

Office 365 for Education is free for students and staff until you get into certain advanced features (Exchange UM, Office desktop software licenses, SharePoint ECAL features, Lync Voice CAL.) Basically you get the equivalent of Plan E2 for free, and only E3/E4 features require payment. I don't really see any of the features in E3/E4 as having an equivalent in Google Apps anyway.
http://www.microsoft.com/en-us/office365/all-plans.aspx#fbid=4T7jIi81HQL

Michael D'Angelo
(former)MVP-MIIS, Pace University Senior Systems Administrator (Windows)
(MS)NMDANGE
PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org

bgetreu
Seasoned But Casual Onlooker

USA
36 Posts

Posted - 05/22/2012 : 11:29:05 AM
If Office 365 for Education had been available a couple of years ago, we might have looked at it. We moved to Google Apps for Education to eliminate our anemic in-house POP3 mail system. We provide accounts to all staff and to students in grades 3-12, although only high schoolers have e-mail. We have spent the last two years transitioning folks from using "home" folders for personal data and file shares on internal servers for collaboration to using Google Apps. Based on the info from Michael, we are currently in talks with an SSO vendor to solve the problem with password sync between Active Directory and Google.

bgetreu
Seasoned But Casual Onlooker

USA
36 Posts

Posted - 06/05/2012 : 1:15:04 PM
Google has just released a new tool for password sync from Active Directory. It does not require changing any attributes and, so far, is working well for us. It, unfortunately, does not handle one AD domain to multiple Google mail domains, so we requested an enhancement.
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi