Tuesday, 23 June 2009

Not So Good GAD - Musings on Directory Synchronisation

The Google Apps Directory Synchronisation (GADS) tool will synchronise accounts between your current directory system (e.g. Microsoft Active Directory) and your Google Apps premier or education system.

I took a look at the Google Apps Directory Synchronisation (GADS) tool on Sunday and had reservations:

1 - It doesn't sync passwords – you have to install and operate a Single Sign On Server to do this - more complexity and things to go wrong

2 - It will delete accounts on Google Apps that are not on AD if the parameters are not properly set up – scary

I wonder what happens when someone gets married and we change the AD account name – what happens to the Google account?

Sorting all this out will take time and add complexity – the stuff that normal IT people kinda like but not me.

You will guess that I prefer as simple a solution as possible - quicker to get running, easier to fix and maintain and quicker to change and adapt.

If you think about what we do with accounts – it’s pretty straightforward - we create, disable or delete them - that's all.

All the rest of the time is spent in manipulating account resource permissions and memberships.

In Google Apps it is the users who manage access and permissions – there isn’t even a central management facility to do this – apart from creating groups and managing group membership.

This is what I am proposing:

Continue to use the raw Google Apps management tools to create and disable accounts either manually or with the bulk upload tool.

Script a CSV file of account changes from our management system (Centime) to upload to Google, in the same way we do for AD anyway.

Look at the Google Apps Provisioning API for a direct programmatic interface for this.
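
One way to script the change file proposed above so that it can only create or disable accounts and never delete them (an added example, not code from this post or from Google). The CSV column names, the sample usernames and the 25% disable limit are assumptions, not Google's bulk upload format.

```python
import csv
import io

# Constructed sample data (assumption): the management system's account list
# and the usernames that currently exist in Google Apps.
DIRECTORY = {
    "asmith": {"first": "Ann", "last": "Smith", "active": True},
    "bjones": {"first": "Bob", "last": "Jones", "active": True},
    "cwhite": {"first": "Cy", "last": "White", "active": False},
}
GOOGLE_ACCOUNTS = {"asmith", "cwhite", "dgreen", "admin"}
PROTECTED = {"admin"}  # accounts meant to exist only in Google Apps


def plan_changes(directory, google_accounts, protected=frozenset(),
                 max_disable_ratio=0.25):
    """Return (changes, orphans); the plan never contains a delete."""
    changes = []
    for user, rec in sorted(directory.items()):
        if rec["active"] and user not in google_accounts:
            changes.append(("create", user, rec["first"], rec["last"]))
        elif not rec["active"] and user in google_accounts:
            changes.append(("disable", user, rec["first"], rec["last"]))
    # Google accounts the directory does not know (for example after a
    # rename) are only reported for manual review, never removed.
    orphans = sorted(set(google_accounts) - set(directory) - set(protected))
    # Refuse to emit a file that would disable an unusually large share of
    # accounts, the usual sign of a truncated or misfiltered export.
    disables = sum(1 for change in changes if change[0] == "disable")
    if google_accounts and disables / len(google_accounts) > max_disable_ratio:
        raise ValueError(f"refusing to disable {disables} of "
                         f"{len(google_accounts)} accounts")
    return changes, orphans


def to_csv(changes):
    """Serialise the plan; the column names are hypothetical."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["action", "username", "first name", "last name"])
    writer.writerows(changes)
    return buf.getvalue()


if __name__ == "__main__":
    plan, review = plan_changes(DIRECTORY, GOOGLE_ACCOUNTS, PROTECTED)
    print(to_csv(plan), end="")
    print("review manually:", review)
```
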


Microsoft AD is everything to everyone at the moment – it provides systems for access to corporate data as well as communications, information sharing and personal productivity. However, it doesn’t provide the tools for agile collaboration.

Google Apps provides an agile and productive environment for personal productivity and collaboration. By locating the personal productivity in a corporate Google Apps we can leverage this for collaboration and sharing too. Although this is possible with a fully mashed-up system built from people’s own resources, for the time being it is easier with a corporate-located environment, just because it is easier to locate people at the moment if they are in the same environment.

I envisage that AD will become more tightly focused on corporate core functions (e.g. data) while a set of “off-core” systems such as Google Apps develop for personal productivity and collaboration. There is some logic to this – the recent discussions on data protection would certainly suggest that core data be carefully protected, and focusing our AD onto this makes sense while allowing more flexibility in a separate collaboration space.


Staff have two separate accounts – the concern is that they will forget their username and/or password for Google Apps – this will reduce effectiveness and increase the support needed. However, so far there have been no problems like this, although we have only been piloting with the more keen early adopters.
