License: http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Purpose: Restricts Staff/Student access to Google accounts when the AD account is expired, by randomizing the account's Google password using GAM.
Requirements:
- You must be using Google Password Sync ( https://support.google.com/a/answer/2611859?hl=en )
- GAM ( https://github.com/jay0lee/GAM ) must be installed and working
- The user account executing the script must have access to read the AD attributes: Enabled, Mail, PasswordNeverExpires, PasswordExpired, ExtensionAttribute2
- The user account executing the script must have access to write the AD attribute: ExtensionAttribute2
- The user account executing the script must be able to read/write to the log file mentioned in the instructions below
Basic instructions:
- Install GAM and ensure that it is working ("gam info domain" should give basic information regarding your domain).
- Download Mangle_GooglePW_ForADExpired.ps1
- Edit the configuration section of Mangle_GooglePW_ForADExpired.ps1
- Execute on your desired schedule
Side Effect:
- When an affected user attempts to log in to Google with their now expired password (after the script runs), they will receive an error telling them that their "password changed x hours ago". That is the time at which the script randomized their Google password.
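
Added example (not the contents of Mangle_GooglePW_ForADExpired.ps1, and not code from the project): a sketch of the flow described above, reading the listed AD attributes, setting a random Google password through GAM, and recording the action. Assumptions: the GAM path, log path and marker value are placeholders; ExtensionAttribute2 is assumed to hold a "already randomized" marker; only enabled accounts with a Mail value are processed.

```powershell
Import-Module ActiveDirectory

$GamPath = 'C:\GAM\gam.exe'             # assumed install path
$LogFile = 'C:\Logs\mangle_google.log'  # assumed log path
$Marker  = 'GooglePWMangled'            # assumed marker value

function New-RandomPassword {
    param([int]$Bytes = 32)
    # Use the OS CSPRNG rather than Get-Random: the value must be unguessable.
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($buf)   # 44 characters for 32 bytes
}

$props = 'Enabled','Mail','PasswordNeverExpires','PasswordExpired','extensionAttribute2'

# PasswordExpired is computed by the cmdlet, so it is tested client-side.
$expired = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object {
        $_.PasswordExpired -and -not $_.PasswordNeverExpires -and
        $_.Mail -and $_.extensionAttribute2 -ne $Marker
    }

foreach ($user in $expired) {
    $pw = New-RandomPassword
    # GAM receives the password as a command-line argument; run this on a host
    # where other users cannot list processes. Output is discarded so the
    # password never reaches the console or the log.
    & $GamPath update user $user.Mail password $pw *> $null
    if ($LASTEXITCODE -eq 0) {
        Set-ADUser -Identity $user -Replace @{ extensionAttribute2 = $Marker }
        $result = 'randomized'
    } else {
        $result = "gam failed ($LASTEXITCODE)"
    }
    '{0:o} {1} {2}' -f (Get-Date), $user.Mail, $result | Add-Content -Path $LogFile
}

# Clear the marker once the user has a fresh AD password, so that a later
# expiry is handled again.
Get-ADUser -Filter "extensionAttribute2 -eq '$Marker'" -Properties PasswordExpired |
    Where-Object { -not $_.PasswordExpired } |
    ForEach-Object { Set-ADUser -Identity $_ -Clear extensionAttribute2 }
```

The log records only the timestamp, mail address and outcome, which is enough to explain the "password changed x hours ago" message to an affected user.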