
Google Apps Email Permissions – Only allow some users to Email a Group

September 17th, 2012

Suppose you have certain groups in Google Apps and Active Directory that you want to protect, so that the majority of users cannot email them.

For example, we have groups such as All Students, Everyone in School, All Staff, etc. We wanted it set up so that only members of the “All Staff” group could email All Students, and only members of the group “Can Send Global Emails” could email groups like “All Staff”, “Everyone in School”, etc.

Google Groups has a setting that allows only the owners of a group to send email to it. Active Directory, however, offers only the managedBy attribute by default, and while you can set that to a group, GADS (Google Apps Directory Sync) won’t sync the members of that group up to Google Apps as the group’s owners; it syncs only the email address of the group itself.

So to work around this, I’ve written ManagedBy2Owners.

It takes the managedBy attribute in AD and, if it’s a group, expands it into the nonSecurityMember attribute as a list of all the users in that group. You then use GADS to sync the nonSecurityMember field into Apps as the group owner.

Optionally, ManagedBy2Owners can use GAM (Google Apps Manager) to set the posting permission on each group that has a managedBy value to “Owner Only”.

The workflow is as follows:

  • For each group you want to protect, set the Managed By attribute to the user or group who should be allowed to email that group.
  • Run ManagedBy2Owners. If there is a large number of groups, disable updating permissions for the first run.
  • Set GADS to use the nonSecurityMember attribute as the Owner Reference Attribute in the Group Search Rule dialogue.
  • Sync GADS.
  • If you opted not to let ManagedBy2Owners change your group permissions, change them manually in the Google Apps Control Panel. If you disabled updating permissions for the first run but intend to allow it, run ManagedBy2Owners again now with permission changes enabled.
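To make the expansion step concrete, here is an added PowerShell sketch of the same idea; it is not the ManagedBy2Owners or MIS2AD code. It assumes the ActiveDirectory module, a GAM binary on the PATH, and the GAM group setting name `who_can_post_message` (all assumptions), and it deliberately mirrors the script’s documented behaviour of replacing the field on every group, clearing it where managedBy is blank, so run it with -WhatIf first.

```powershell
# Added example, not the project's code. Assumes the ActiveDirectory module
# and (optionally) GAM on the PATH; the GAM setting name is an assumption.
Import-Module ActiveDirectory

# Resolve a managedBy DN to the list of user DNs that should own the group.
# A group is flattened recursively so nested membership is honoured; a user
# (or contact) is returned as-is.
function Expand-ManagedBy {
    param([Parameter(Mandatory)][string]$ManagedByDN)
    $obj = Get-ADObject -Identity $ManagedByDN -Properties objectClass
    if ($obj.objectClass -eq 'group') {
        # Note: ADWS limits very large recursive expansions (default 5000 results).
        return Get-ADGroupMember -Identity $ManagedByDN -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.distinguishedName }
    }
    return ,$ManagedByDN
}

# Write the expanded owners into nonSecurityMember on every group under
# $SearchBase. As in the original script, the attribute is replaced wholesale
# and cleared when managedBy is empty; -WhatIf shows the changes without applying.
function Sync-ManagedByToOwners {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Groups,DC=school,DC=local' (placeholder)
        [switch]$UpdatePermissions,                   # also lock posting to owners via GAM
        [switch]$WhatIf
    )
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy, nonSecurityMember, mail
    foreach ($g in $groups) {
        $owners = @()
        if ($g.managedBy) { $owners = @(Expand-ManagedBy -ManagedByDN $g.managedBy) }

        if ($owners.Count -gt 0) {
            Set-ADGroup -Identity $g -Replace @{ nonSecurityMember = $owners } -WhatIf:$WhatIf
        } else {
            # Matches the documented behaviour: blank managedBy wipes the field.
            Set-ADGroup -Identity $g -Clear nonSecurityMember -WhatIf:$WhatIf
        }

        # Only restrict posting on groups that actually have owners defined and a
        # mail address that exists in Google Apps; everything else is left alone.
        if ($UpdatePermissions -and $owners.Count -gt 0 -and $g.mail -and -not $WhatIf) {
            # Assumed GAM syntax: group posting setting restricted to owners.
            & gam update group $g.mail who_can_post_message all_owners_can_post
        }
    }
}

# Dry run first; drop -WhatIf once the proposed changes look right.
Sync-ManagedByToOwners -SearchBase 'OU=Groups,DC=example,DC=local' -WhatIf
```

Run the dry run, then the real sync, then let GADS pick up nonSecurityMember as the Owner Reference Attribute before enabling -UpdatePermissions, so no group is locked to owners before those owners exist in Google Apps.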

ManagedBy2Owners is part of MIS2AD but can be used standalone if you wish.

The latest version will always be available here:
https://code.launchpad.net/mis2ad

It requires the same setup as MIS2AD to run (see this post), plus GAM set up and configured if you want to change permissions automatically.

CAUTION

The script uses the nonSecurityMember attribute in AD to store your group owners. Note that Microsoft Exchange uses this field to store non-user distribution list members, so be aware that if you’re still using Exchange on your domain this script is probably not for you. IT WILL WIPE THAT FIELD CLEAN ON ALL GROUP OBJECTS IN YOUR DOMAIN, AND POPULATE IT USING THE MANAGEDBY VALUE, EVEN IF MANAGEDBY IS BLANK. It is your responsibility to understand this and understand the implications before you run the software. I offer you no warranty or promise of support.