GAPS syncing passwords when AD subdomain/email present?

GAPS syncing passwords when AD subdomain/email present? twilliams 8/2/12 11:57 AM
I have an Apps for Edu account set up like the following:

domain.org -> staff/faculty
 
They all log in to their accounts through google.com/a/domain.org

Directory sync is working fine. The problem is that staff/faculty have a different email domain in AD. us...@students.DOMAIN.org vs user@DOMAIN.org

Here is what the log looks like:

2012-08-02T13:01:31.738-05:00 1300 E:Network password_sync_service!WinHttp::ExecuteHttpRequestIStreamResponse @ 776 (Munt...@students.DOMAIN.org)> Request:
2012-08-02T13:01:31.738-05:00 1300 E:Network password_sync_service!WinHttp::ExecuteHttpRequestIStreamResponse @ 782 (Munt...@students.DOMAIN.org)> Response:
<HTML>
<HEAD>
<TITLE>You are not authorized to perform operations on the domain students.DOMAIN.org</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>You are not authorized to perform operations on the domain students.DOMAIN.org</H1>
<H2>Error 403</H2>
</BODY>
</HTML>

2012-08-02T13:01:31.738-05:00 1300 A:PasswordSync password_sync_service!PasswordSyncTask::RetriveUser @ 206 (Munt...@students.DOMAIN.org)> retrieved user......
2012-08-02T13:01:31.738-05:00 1300 E:PasswordSync password_sync_service!PasswordSyncTask::RetriveUser @ 244 (Munt...@students.DOMAIN.org)> Unknown Error : <HTML>
<HEAD>
<TITLE>You are not authorized to perform operations on the domain students.DOMAIN.org</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>You are not authorized to perform operations on the domain students.DOMAIN.org</H1>
<H2>Error 403</H2>
</BODY>
</HTML>

2012-08-02T13:01:33.191-05:00 1300 E:Network password_sync_service!WinHttp::ExecuteHttpRequestIStreamResponse @ 768 (Munt...@students.DOMAIN.org)> HttpRequest output.
HTTP/1.1 403 You are not authorized to perform operations on the domain students.DOMAIN.org
Cache-Control: private, max-age=0
Date: Thu, 02 Aug 2012 18:01:40 GMT
Content-Length: 178
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Expires: Thu, 02 Aug 2012 18:01:40 GMT
Server: GSE
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

We don't have "students.DOMAIN.org" set up as a Google Apps domain. Is there anything I can do? I can't change the email addresses of all the students in AD; I would love to be able to just parse out the "students" from the address in the password sync tool.
Re: GAPS syncing passwords when AD subdomain/email present? twilliams 8/2/12 1:21 PM
OK, I've got an idea to try, but so far I'm not having any luck getting the scripting working. I'm thinking of scripting a solution that will modify any users with an "@students.DOMAIN.org" to "@domain.org", but placing it in the "office" attribute in AD so that I don't make a huge mess out of our Exchange locally.
Re: GAPS syncing passwords when AD subdomain/email present? AtulSachan-Power Poster 8/2/12 3:23 PM
GAPS supports only the e-mail attribute which has the Google Apps email address.
Re: GAPS syncing passwords when AD subdomain/email present? twilliams 8/3/12 5:44 AM
So, I'm... not able to use this then.
Re: GAPS syncing passwords when AD subdomain/email present? jlee 8/7/12 4:50 AM
Hi twilliams,

No, your workaround of using the AD "office" attribute should be fine. Just specify "office" for the "Mail attribute" when configuring GAPS (see step 13 in this help article). As long as the value of the AD user's office attribute matches their Google Apps email address exactly, the password reset should work properly.

Jay
Re: GAPS syncing passwords when AD subdomain/email present? twilliams 8/8/12 10:29 AM
Great. 

I managed to get this working by using a PowerShell script to modify the email for a given user in a CSV file and then place that information into the office field in AD. After I do that, when a user changes their password, everything is syncing based on that field just fine.

Thanks Jay!
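
The workaround described in this thread, sketched as an added example; it is not twilliams' script or Google's code. It assumes the RSAT ActiveDirectory module and a hypothetical users.csv with a SamAccountName column, and it refuses to map an account onto a Google Apps address that another AD account already holds, since that account's password changes would then be pushed to someone else's mailbox.

```powershell
# Added example, not twilliams' script. Assumes the RSAT ActiveDirectory module and a
# users.csv (hypothetical name) with a SamAccountName column.
Import-Module ActiveDirectory

$AdSuffix     = '@students.DOMAIN.org'  # mail suffix stored in AD (from the thread)
$GoogleSuffix = '@domain.org'           # Google Apps domain (from the thread)
$Apply        = $false                  # $false = dry run (Set-ADUser -WhatIf)

# Index every address in the Google domain already held by an AD account, keyed in
# lower case. Mapping a second account onto one of these would send that account's
# password changes to another person's Google account.
$taken = @{}
Get-ADUser -Filter * -Properties mail, physicalDeliveryOfficeName | ForEach-Object {
    foreach ($addr in @($_.mail, $_.physicalDeliveryOfficeName)) {
        if ($addr -and $addr.ToLower().EndsWith($GoogleSuffix.ToLower())) {
            $taken[$addr.ToLower()] = $_.SamAccountName
        }
    }
}

$report = foreach ($row in Import-Csv -Path .\users.csv) {
    $result = [pscustomobject]@{ User = $row.SamAccountName; Office = $null; Result = $null }
    try {
        $user = Get-ADUser -Identity $row.SamAccountName -Properties mail -ErrorAction Stop
    } catch {
        $result.Result = 'skipped: not found in AD'; $result; continue
    }
    $mail = [string]$user.mail
    if (-not $mail.ToLower().EndsWith($AdSuffix.ToLower())) {
        $result.Result = 'skipped: mail is not in the student subdomain'; $result; continue
    }
    # Swap only the domain part; the local part is kept as stored in AD.
    $target = $mail.Substring(0, $mail.Length - $AdSuffix.Length) + $GoogleSuffix
    $owner  = $taken[$target.ToLower()]
    if ($owner -and $owner -ne $user.SamAccountName) {
        $result.Result = "conflict: $target already belongs to $owner"; $result; continue
    }
    $taken[$target.ToLower()] = $user.SamAccountName
    # -Office writes the LDAP attribute physicalDeliveryOfficeName.
    Set-ADUser -Identity $user -Office $target -WhatIf:(-not $Apply)
    $result.Office = $target
    $result.Result = if ($Apply) { 'updated' } else { 'dry run' }
    $result
}
$report | Format-Table -AutoSize
```

Review the dry-run table, resolve any rows marked as conflicts, then set `$Apply = $true` and run it again.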