Tuesday, June 29, 2010

Google Apps Directory Sync: Tips for Microsoft Active Directory

The Google Apps Directory Sync tool really should be installed at any mid to large corporation using a Microsoft Windows Server (or any LDAP compatible directory server).  It eliminates the need to add, change, or delete users in two different places.

LDAP Directory Sync is definitely complex with a steep learning curve.  You need a good understanding of how to create LDAP queries as there are only limited examples in the provided documentation.  However, once it's configured there should be little reason to change it.

It's our experience that in most installations you'll need one configuration file for synchronizing Users, Profiles, and Contacts and another configuration file for Groups.

If you're migrating in batches from an email server such as Exchange Server to Google Apps it's best to synchronize only users that are a member of a Security Group such as "Google Apps Users".  That way the user is created in Google Apps only after they've been made a member of the security group.

Here's a sample LDAP user query: 
(memberOf=CN=Google Apps Users,OU=Security Groups,DC=domainname,DC=local)

Replace OU=Security Groups,... with the appropriate location in your Active directory tree of the security group.

And note that Google Postini has the same ability to synchronize to Microsoft Active Directory or your LDAP directory server.

Or give us a call at Interlockit.com.  We're happy to configure it for you.