This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

Admin for single domain

GuruGabe1
New Contributor II

‎08-21-2023 03:13 PM

We have added a domain to our Google domain for virtual school, but we need to add a user account to manage that domain only. I have tried adding a new role, but from everything I can see, I can't limit the user to a single domain or even an OU.

We partnered with a company against my protest, and they wanted a Workspace domain within ours. They have the domain part, but we have the Workspace for some reason. They want an admin account to control their OUs, staff, students, and Chromebooks. Why they didn't do this themselves is beyond me. I do not want to give them any access to our domain.

Superintendents always get what they want, right?

Topics:
0 Kudos
Reply
5 REPLIES 5

Kim_Nilsson
Admin Moderator

‎08-21-2023 03:16 PM

This is not possible.

You can't separate certain admin rights to certain OUs. There are quite a few that are global, and will let the person do changes in the entire Workspace account.

--
https://wheretofind.me/@NoSubstitute
Reply

Kim_Nilsson
Admin Moderator

‎08-21-2023 03:18 PM - edited ‎08-21-2023 03:18 PM

What you can do is give them all admin rights that can be limited to OUs, and the rest they will have to apply for, and you perform the actual changes.

--
https://wheretofind.me/@NoSubstitute
Reply

SteveHarmon
Contributor
In response to Kim_Nilsson

‎08-21-2023 03:21 PM

Yep, we do this with our teachers, as we want them to be able to reset student passwords (one particular OU for their school site), but not affect anything else.

@GuruGabe1  I'm not sure if there is a website that shows what Admin Privileges are able to separated out by OU or if you would need to play with them to figure it out. I'd probably start with asking what the Virtual School actually needs access to, what they want to be able to do. Then go down the road of determining if you can give it to them without compromising your domain.

0 Kudos
Reply

Kim_Nilsson
Admin Moderator

‎08-21-2023 03:23 PM

You can also set up a scheduled GAMADV-XTD3, reading from a Google Sheet, where they can insert commands they wish to perform, but the actual gam command will always prefix the action with a reference to their OU or their group email syntax, so they can never inject a command that will affect the root or anything outside their OU/group structure.

Tricky, yes, but doable.

--
https://wheretofind.me/@NoSubstitute
Reply

SteveHarmon
Contributor
In response to Kim_Nilsson

‎08-21-2023 04:09 PM

Ooooh, I like that! Have to store that away in the back of my brain. I probably won't have a problem like GuruGabe1 was facing, but there are other ideas that had been seeded! I can feel them tickling inside my head.

0 Kudos
Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines