September 17th, 2012

So you have certain groups in Google Apps and Active Directory that you want to protect from the majority of users being able to email those groups.

For example, we have groups such as All Students, Everyone in School, All Staff etc. We wanted it set up so that only members of the “All Staff” group could email All Students, and only members of the group “Can Send Global Emails” could email groups like “All Staff”, “Everyone in School” etc.

Google Groups has a setting that lets only owners of a group send email to the group. Active Directory, by default, offers only the managedBy attribute for this, and while you can set that to a group, GADS (Google Apps Directory Sync) won’t sync the members of that group up to Google Apps as the group’s owners, only the email address of the group itself.

So to work around this, I’ve written ManagedBy2Owners.

It takes the managedBy attribute in AD and, if it’s a group, expands it into the nonSecurityGroupMember attribute as a list of all the users of that group. You then use GADS to sync the nonSecurityGroupMember field into Apps as the group owner.

Optionally, ManagedBy2Owners can use GAM (Google Apps Manager) to set the permissions on each group that has a managedBy value to “Owner Only”.

The workflow is as follows:

  • For each group you want to protect, set the Managed By attribute to the user or group who should be able to email that group.
  • Run ManagedBy2Owners. If there’s a large number of groups, disable updating permissions for the first run.
  • Set GADS to use the nonSecurityGroupMember attribute as the Owner Reference Attribute in the Group Search Rule dialogue.
  • Sync GADS.
  • If you opted not to let ManagedBy2Owners change your group permissions, manually change your group permissions in the Google Apps Control Panel. If you disabled updating permissions but intend to allow it after the initial run, run ManagedBy2Owners again now with permission changes enabled.
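The expansion step above, as an added PowerShell example that is not the ManagedBy2Owners code: it resolves each group’s managedBy value, flattens it to user DNs when it is a group, and writes those DNs to the AD attribute nonSecurityMember (the LDAP display name of the field the post refers to). It assumes the ActiveDirectory module and rights to modify group objects, and unlike ManagedBy2Owners it only touches groups that have managedBy set.

```powershell
# Added example, not the ManagedBy2Owners code itself: expand each group's
# managedBy value into the nonSecurityMember attribute so GADS can sync it
# as the Google group's owners. Assumes the ActiveDirectory module and rights
# to modify group objects. Unlike ManagedBy2Owners, it only touches groups
# that have managedBy set. Run with -WhatIf first to preview the changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: scan the whole domain; narrow this to an OU if you prefer
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory

function Resolve-ManagedByOwners {
    # Returns the owner DNs: the managedBy user itself, or every user reached
    # by recursively expanding managedBy when it points at a group.
    param([Parameter(Mandatory)][string]$ManagedByDn)
    $obj = Get-ADObject -Identity $ManagedByDn -Properties objectClass
    switch ($obj.ObjectClass) {
        'group' {
            # -Recursive flattens nested groups and returns only leaf principals
            Get-ADGroupMember -Identity $ManagedByDn -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty DistinguishedName -Unique
        }
        'user'  { $obj.DistinguishedName }
        default { Write-Warning "managedBy $ManagedByDn is a $($obj.ObjectClass); skipping" }
    }
}

$groups = Get-ADGroup -Filter 'managedBy -like "*"' -SearchBase $SearchBase `
    -Properties managedBy, nonSecurityMember

foreach ($g in $groups) {
    $owners   = @(Resolve-ManagedByOwners -ManagedByDn $g.managedBy | Sort-Object)
    $existing = @($g.nonSecurityMember | ForEach-Object { [string]$_ } | Sort-Object)
    # Skip groups that are already correct so repeated runs are idempotent
    if (($owners -join ';') -eq ($existing -join ';')) { continue }

    $action = "replace nonSecurityMember with $($owners.Count) owner(s)"
    if ($PSCmdlet.ShouldProcess($g.DistinguishedName, $action)) {
        if ($owners.Count -gt 0) {
            Set-ADGroup -Identity $g -Replace @{ nonSecurityMember = $owners }
        } else {
            Set-ADGroup -Identity $g -Clear nonSecurityMember
        }
    }
}
```

Get-ADGroupMember returns at most 5000 members by default (the AD Web Services MaxGroupOrMemberEntries limit), so very large owning groups need that limit raised or the member attribute read directly.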

ManagedBy2Owners is part of MIS2AD but can be used standalone if you wish.

The latest version will always be available here:

It requires the same setup as MIS2AD to run (see this post), and GAM set up and configured if you want to change permissions automatically.


The script uses the nonSecurityMember attribute in AD to store your group owners. Note that Microsoft Exchange uses this field to store non-user distribution list members, so be aware that if you’re still using Exchange on your domain this script is probably not for you. IT WILL WIPE THAT FIELD CLEAN ON ALL GROUP OBJECTS IN YOUR DOMAIN, AND POPULATE IT USING THE MANAGEDBY VALUE, EVEN IF MANAGEDBY IS BLANK. It is your responsibility to understand this and understand the implications before you run the software. I offer you no warranty or promise of support.

  1. Dan Baker says:

    I just posted this on the Google Apps Support forum:!msg/apps/ZnYVWyR9Z2I/hLMyteIBbAMJ

    By default it appears that GADS ignores the owner field (managedBy) if the owner is a group. So you can only specify a single user as an owner.

    An easy work-around is to use another field in the group (I use “description” as there are not many other options when it comes to groups). You can then place the literal email address for the group you want to make owner, then map the “Owner Literal” to this field. I then map the “info” AD attribute to the description field in GADS.

    Now you can sync a group as the owner for your Google Groups.


  2. Alex says:

    That lets you sync a group as the owner but it doesn’t let you lock the group down so only people in that owning group can email – unless they also set themselves up to be able to send email as the owning group.


  3. Dan Baker says:

    You set group permissions from the dashboard. You can say that ONLY manager/owners can post messages. This setting is not modified by the sync. Only group membership/owner is modified by sync…

