Sunday, July 31, 2016

An issue with Google Apps Directory Sync and how to fix it

As you know, Google Apps Directory Sync is a great tool to synchronize your MS Active Directory accounts with your Google Apps (for Business or Education). It can help you map your user account structure into Google including the users, groups, OUs... You simply set up the proper search rules for users and groups of your AD architecture. The tool works great except for one thing:

When you add a new user to a group in AD, the tool adds that user to the counterpart of that group in Google. But when you move that user out of the group in AD, the Google account is not removed from the Google group. All Google does is stop allowing the user to post to that group.

After looking for the solution for a while, I came up with one hack that works:

1. Search for all users in AD groups which you want to sync to Google:

http://www.dangtrinh.com/2016/07/get-all-ms-active-directory-group.html

2. Search for all users in Google groups:

http://www.dangtrinh.com/2016/07/get-google-group-members-using-gam-and.html

3. Compare the two lists and delete Google group members that do not appear in AD's counterpart.

Here is a working script:



Usage:

$ python google_groups_ad_sync.py [dry_run]

You can set up a scheduled task that runs this script after GADS.
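The comparison in step 3, as an added example that is not the script from the original post: it diffs the two membership lists case-insensitively and refuses to act when the AD side is empty or when more than half of a group would be removed, since a failed LDAP query would otherwise empty the Google group. The `example.com` addresses, the dictionary layout keyed by Google group address, the `max_ratio` threshold and the function names are assumptions; the command uses GAM's `update group ... remove user ...` form.

```python
import subprocess

# Constructed sample data; in practice these come from steps 1 and 2.
AD_GROUPS = {
    "staff@example.com": ["Alice@example.com", "bob@example.com"],
    "it@example.com": ["carol@example.com"],
}
GOOGLE_GROUPS = {
    "staff@example.com": ["alice@example.com", "bob@example.com", "dave@example.com"],
    "it@example.com": ["carol@example.com"],
}

def normalize(addresses):
    """Lower-case and trim so the comparison ignores case and whitespace."""
    return {a.strip().lower() for a in addresses if a and a.strip()}

def stale_members(ad_members, google_members, max_ratio=0.5):
    """Return Google members absent from AD, refusing suspicious mass removals."""
    ad, google = normalize(ad_members), normalize(google_members)
    stale = google - ad
    if google and not ad:
        raise ValueError("AD list is empty; a failed LDAP query would empty the group")
    if google and len(stale) / len(google) > max_ratio:
        raise ValueError("%d of %d members flagged; review by hand" % (len(stale), len(google)))
    return sorted(stale)

def sync(ad_groups, google_groups, dry_run=True):
    """Build (and unless dry_run, execute) one GAM removal per stale member."""
    commands = []
    for group, members in sorted(google_groups.items()):
        if group not in ad_groups:
            continue  # group is not managed from AD; leave it alone
        for email in stale_members(ad_groups[group], members):
            cmd = ["gam", "update", "group", group, "remove", "user", email]
            commands.append(cmd)
            if not dry_run:
                subprocess.run(cmd, check=True)  # argv list, no shell involved
    return commands

if __name__ == "__main__":
    for cmd in sync(AD_GROUPS, GOOGLE_GROUPS, dry_run=True):
        print(" ".join(cmd))
```

Run it with `dry_run=True` first and review the printed removals before letting it call GAM.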