The Google for Education Community Platform

mcbride · ‎06-03-2024

Hello. For many years our process has been to create new staff accounts in AD, sync them via GADS/GCDS to Google and then have the staff sign in for their first time on a Windows network PC on-premise, where they would be prompted to change their password on first login, and that password would be synced to Google via GAPS. This process works well without issue.

However, leadership now wants new staff to get access to their email and other Google resources once they are hired but before they will be onsite (as early as a month before they will first visit onsite). As is now, I don't think GADS/GCDS sets the new Google account to prompt for password change on first login, since we are handling that with the AD account. So, if new staff login remotely for the first time they will not be prompted to change their default password. If I change that setting, I would still want to keep that setting enabled on the AD account as well because not all staff will sign in remotely the first time, and I want them to be prompted when signing in on the domain the first time so the passwords are synced with GAPS. In this situation, they would be prompted when signing in remotely via Google the first time and then they would be prompted again when signing in to AD on-premise the first time. This doesn't seem ideal but it's the best situation I can come up with since we want to offer what they are requesting and since we want to keep passwords synced via GAPS.

I'm looking for feedback from anyone who is in a similar situation (I feel this must be a fairly common situation). Any other suggestions? Any better way to handle a similar process?

James_Seymour · ‎06-03-2024

We have a very similar setup and over the years have migrated to this process for new staff;-

Accounts are set up in AD & Synced to Google.
We assign a password that is secure and, due to complexity, they will want to change as soon as possible. We do have a web portal (to the AD) that allows users to change their password online. However, we found this caused issues when they arrived in school, they had forgotten their changed password which complicated then logging onto the Windows PCs. By issuing a password, we have a record of this and can get them to change easily. All new staff do this in a dedicated IT session when they arrive.
After sending them their emails and passwords, we get them to read some IT related info and confirm that they have read this using a Google Form. We then know that they have access to our Google Workspace.
As above, one of the first meetings they have in the school is where we issue devices and get them to change their passwords.

Kim_Nilsson · ‎06-04-2024

Just taking a step back to state the obvious.

Nobody should have access to any accounts before their first day of work.

First day of employment is first day with access. Never before, nor after.

Now, if your leadership hires and starts paying salary for staff to work earlier than the first day they spend at location, ie let them work remotely for some time before first visit, then that's fine.

Then a solution like the one presented by @James_Seymour can be used, an online portal for password management of the AD password. There are plenty to choose from, some free, others not, some easy to use and simple to set up, and some not. 🙂

Alternatively

Some organisations can also just ignore that the AD and Google passwords are temporarily different, if they allow Google passwords to be changed in My Account (most who sync passwords from AD actually allow it!).

Then the user will/can just fix it when they come to location for the first time. Either with the help from IT or by using the same password portal as last time. Some even offer third-party user authentication, like e-id, so they don't even have to remember their old initial password.

This, of course, depends on whether their AD account is used as credentials to log into day-to-day systems, which they need to access before first visit. Then they need to keep using their AD account.

--
https://wheretofind.me/@NoSubstitute

mcbride · ‎06-04-2024

The first thing I did was have our legal counsel confirm. The proposed change is to provide them their credentials once they contract has been ratified, instead of on their first day of work as it previously was. In the summer this can be 1-2 months earlier than previously before.

The biggest questions I have stem around the setting in GADS to force password change for new accounts. I currently have that disabled because we have the setting enabled in AD and our process was for staff to sign into AD first and we didn't want the passwords between AD and Google getting out of sync, which causes confusing because of all of our SSO applications.

I want to know more about these web-based AD password change options for the end user, can someone please recommend some that are highly recommended and have support to get setup? This may be our best option. Otherwise, I was considering putting all new staff in a separate OU in both AD and Google, setting that OU in Google to force a password change, so they can sign in remotely and get forced to change. Then the week before school starts moving their AD accounts to the correct school OUs, running a GADS sync to move them to Google, etc. Not the cleanest, but could work.

James_Seymour · ‎06-04-2024

We are using Microsoft's RDWeb service (part of the remote desktop), which I am sure is free and relatively easy to set up. We were forced during Covid when physical access to school computers was impossible 😀

The Google for Education Community Platform

New Staff Accounts and Password Syncs and Prompts to Change - Seeking Feedback