Monday, November 19, 2012

The problem with Windows 8

If you were in any doubt that the desktop computing model was dead, Windows 8 proves the point. The new Metro interface is designed to work with touch screen mobile devices (more so than the desktop) and the option of being able to login with your Microsoft account and run cloud apps is there too.

Great! We're in the future! Only we're not really. This is still Microsoft desperately trying to keep us buying the bloated windows operating system, designed for running executable files that we've come to love and loathe since 1995. In practice, Metro is little more than a new start menu that runs on top of Windows 7 with a bunch of full screen 'apps' that make it feel more usable on a mobile.

On the one hand Microsoft have recognised an important change. We use mobile devices. On the other hand they have failed to notice that maintaining a bloated operating system like this on mobiles as well as desktops holds very little appeal for the average end user, let alone a system administrator.

Windows requires lots of maintenance and updates, namely because of it's extensive legacy. On installing Windows 8 I had to wait an hour for a number of important updates to apply, only weeks after its release. Not something I'm desperately keen to see happen on my mobile phone or tablet device.

It really doesn't need to be like this. Android and iOS have shown that you can operate in a much leaner way. Moreover, devices that run on these systems recognise that control is with the end user rather than the IT department.

This is why I think Windows 8 will ultimately fail. Buying a bloated operating system that only needs to access web services seems like a wasteful expense. Maintaining it across hundreds of devices is an even greater one that companies don't want or need to take on any more.

So what future for Windows? I think we'll see a free, low maintenance, lightweight fork that ditches the legacy bloat designed for running .exe files. It will be engineered for web apps and will guide you towards their web subscription services. Windows as we know it is a dying operating system and anybody with eyes in their head can see that, even Microsoft.

Tuesday, September 18, 2012

Moving from Outlook to Gmail

Without a doubt the biggest hurdle for businesses to overcome when they 'Go Google' is the transition from a desktop based email client like MS Outlook to Gmail. Here's some tips for helping users make the adjustment.

1. Explain as clearly as possible why the change is happening.

It's not enough to say 'Gmail is better' because that will always be a matter of judgement and individual preference. Be more specific and explain that Gmail will be implemented to help manage desktop and server costs, improve up-time, provide more storage and allow better support for mobile workers. By understanding these points and the bigger picture (ideally communicated from the 'business' not just the IT department) users will be much more tolerant of the impact on them personally.

For users who want to continue with Outlook it's also important to explain the risks and costs associated with the desktop approach. This isn't about choosing an email client to suit individual preference, it's about choosing an email system that works for the entire organization.

2. Hammer the point home. Searching IS more efficient than sorting.

It's not efficient to find emails by sorting, but because users have been doing this for the past 15 years on Outlook it's likely to be second nature and therefore efficient to them. This needs to be challenged. Separating emails into folders takes up time that can be easily avoided using search methods. Demonstrate the use of advanced search (drop down options), labels and conversation view to help users fine tune their search results and quickly identify the email they are looking for.

3. Encourage users to keep the conversation view switched on.

Conversation view provides better search results, keeps inbox clutter down and saves switching between inbox and sent-items when reviewing emails, but one of the first mistakes many Outlook users make is to switch conversation view off because they aren't used to it. That's not a good way to benefit from the transition to the new system or to save time.

4. Understand the value of labels. 

Searching is easier with colour coded labels and labels help provide a sense of order, but there's no reason why this has to be done manually. Much better to use automatic filters and avoid the effort of categorizing emails altogether.

5. Show users where the 'All mail' folder is. 

This re-emphasizes the fact that Gmail is a search based system. All emails are in one place for searching. The labels are not 'folders' designed to separate emails for sorting. They are labels / tags designed only to help with search. This distinction cannot be overstated. Once understood the transition to Gmail is much easier.

6. Migrate existing messages to the All Mail folder

Whilst it's possible to migrate Exchange email folders to Gmail labels, I'd suggest putting them into 'All Mail' archive instead. This will emphasize the 'search' over 'sort' approach, encourage the user to build up their own filters / labels thereby avoiding confusion with the Outlook model.

7. Circulate the 'Life after Outlook' PDF provided by Google. 

This is the single best document for helping users make the transition and benefit from the power of Gmail.

Wednesday, July 25, 2012

Is Windows 8 launch the time to move desktops to open source?

How long is it since you read a ‘Year of the Linux Desktop’ article? Having been a regular feature since around the year 2000 they seem to have tailed off. The promise of a free and stable alternative to Windows was often cited but never really seemed to take off. So what happened? Is open source on the desktop doomed to be a non-starter, or was it just an idea ahead of its time? The launch of Windows 8 is an ideal opportunity to revisit those questions and consider if that time has finally come.

The reasons why operating system choice is becoming more relevant are most apparent for mobile workers. The emergence of cloud computing, smartphones and tablets have ensured that applications are being written for the web with users starting to see beyond the world of Windows and the traditional desktop PC. That many of these devices are running on a Linux system is in itself an interesting shift.

The browser and access to ‘apps’ is what really matters now, which is why the so-called browser wars are more important to Google and Microsoft than they ever were. Google have taken the distinction between operating system and browser furthest with their release of Chromium OS and Chromebooks. They may be based on a Linux kernel, but as far as the user is concerned the browser is the system. Apps are installed to the browser, printing is controlled from the browser and files are accessed from the browser. Even offline applications are accessed by the browser thanks to HTML5.

Windows 8 is Microsoft’s acknowledgement of these changes, designed as it is to work on non desktop devices and connect to cloud services. This is probably exactly what Microsoft need to do given the circumstances, but their move to a post PC world is also an acknowledgment that they can’t dominate the operating system market in the same way they once did.

This trend has already started. Netbooks are being sold with Android installed, Chromebooks are being heavily pushed by Google and the similarities between iOS and MacOS are clear to see. These are all systems with Unix type distributions at their core. We may not be quite ready to celebrate the year of the Linux desktop, but it’s probably safe to say that we’re already there in terms of its use everywhere else.

Using Linux based systems on a device is one thing, but can it really substitute a managed desktop operating system like Windows? What about authentication, file storage, centralised updates and security? Moreover, what about the legacy windows applications most notably MS Office that we’ve come to know and love?

MacOS has been a great example of how these issues can be overcome. With the right backing it has been shown to be perfectly possible to provide a Unix type desktop system that works for users and can be successfully integrated into the enterprise.

Enterprise requirements like print queues, file storage and centralised management are all areas that Unix type systems shines anyway, but the move to web based provision of these services is making the question even less relevant. For some, having desktops that behave more like devices means much less effort on all these fronts.

For the core office productivity applications, Microsoft and Google are already locked in battle to provide them from the cloud to enable remote working. Microsoft are offering richer functionality for users of Windows and Office, but nobody denies that these applications will become increasingly cloud based.

There has always been a strong cost benefit for Open Source, but the need to run applications on the platform for which they were mostly developed, usually Windows, always won the day. Now that applications are developed for the web rather than Windows the argument for continuing to pay for a Windows license is not so strong. It may be called ‘Android’ or ‘Chromium’ rather than Linux but the key difference will be the cost compared to Windows 8. Governments are keen to keep costs down too and are also looking at open source as a quick win.

In a recent BCS discussion on LinkedIn members were asked their thoughts on using Ubuntu instead of Windows. Ubuntu and Red Hat are often touted as the most feasible enterprise alternative to Windows because of their large backers, but Ubuntu is where much of the attention is now focused. They provide a very easy to deploy system and offer commercial support, cloud storage and centralised deployment options.

It was clear that a number of members have used Ubuntu and variants for their personal and family computers but there was less evidence of its use (other than for servers) in the work environment. A growing relevance to government was cited but at this stage there isn’t too much evidence of it actually happening.

For many the idea of alternatives to Windows on the desktop remains as far away as it ever was. For all the rapid adoption of consumer devices and cloud services, the applications used in most companies remain firmly tied to Windows. MS Office remains a favourite with users and has no Linux edition. Even for the users who are moving to Office 365 Microsoft have cleverly engineered a dependence on windows based software for full functionality. Accounting software, HR packages and custom databases are also genuine reasons why a move to Linux would not make sense.

One thing is certain. If 2013 is the year, it won’t be for the reasons we thought back in 2000. It won’t be because Linux has suddenly become more ‘ready’. It won’t be because Windows has got any worse. It won’t necessarily be about money and it won’t be about security. It will be for the simple reason that the operating system is becoming increasingly irrelevant and unnoticed by users who are spending increasing amounts of their time on platform agnostic web apps.

[A version of this article has been published on the BCS website]

Monday, July 9, 2012

How to make 'going Google' easier.

Over the past 12 months I've been working with a number of companies who have 'gone Google' and implemented Google Apps for their business email, calendar and document collaboration. So, what lessons have I learned so far?

Lesson 1: Don't run a pilot study!

Pilot studies are very much suited to products in active development as they allow your users to influence the next release and have it customised to suit. With all the will in the world this is not going to happen with Google Apps, any more than it would happen with Exchange or MS Office (rarely piloted products).

Like any standard software product, the judgement of its suitability is unlikely to come from a pilot study which will just inform you about what users prefer (and most people prefer to stick with what they know). A better approach is to conduct a full change impact analysis and consider the needs of the business over individual preferences.

Lesson 2: Change the way you work.  

The whole point of Google Apps is that you can work on email, calendar and docs from any location on any device. This is often a bigger challenge for the IT department and senior management than it is  end-users! If you don't like the idea of your users being able to easily collaborate and use their own devices, then stick with Microsoft!

Lesson 3: You can do this in less than 4 weeks. 

Once you've decided to use Google Apps, you can bring about the implementation (including the migration of calendar, contacts and recent emails from Exchange) in less than four weeks.  Agree a realistic amount of emails to migrate. One month is usually enough if users can still access the pst archives from Outlook when required (you can always migrate archives after go-live). Remember to plan for shared / public calendars and start your communication plan as early as possible.

Lesson 4: You can continue to use Outlook (if you must). 

A significant number of users will have an Outlook dependency, for example if their CRM product is MS Office integrated. This is easily worked around using Google Apps Sync for Microsoft Outlook. It's still important to train your users how to use gmail though, particularly if they would like to work on other devices from other locations.

Lesson 5: Stop panicking, and just do it. 

If you've planned the migration and kept users informed, the transition will be much less of a nightmare than you ever thought it would be. If you are brave and decide to move the whole company over on the same day, you will probably make life easier for yourself. Users will adapt much quicker than you think and it's always better if you don't have to make your legacy and new system co-exist.  Finally, and of course I would say this, but if you can afford to get a specialist with experience, it will always help!

Ray Allen is a Google Apps Certified Deployment Specialist at Third Way IT.

Tuesday, July 3, 2012

Moving to Ubuntu from Windows 7

I've decided it's time for me to use an alternative to Windows 7 on my main computer. As my dependency on running client side software diminishes (now working mostly from the browser) so too does my need to run Windows as an operating system and its ever increasing startup time.

My motivation isn't just for the sake of reducing startup times. My day job involves helping businesses move away from Microsoft (replacing Exchange, Sharepoint and MS Office with Google Apps), so the obvious next step is to look at a more cost-effective and simple to manage desktop operating system.

Chromebooks are a neat idea, but in practice I don't think I'm ready to replace my main computer with a browser-only device like this. What I'm looking for is a good compromise between a zero-maintenance device like a Chromebook and a high maintenance installation of Windows 7 (a third way if you like).

I've decided to go with Ubuntu which I know to be stable and open source, but flexible enough to run the popular client applications if I need to (Skype, Firefox, LibreOffice and the like). It also has a new user interface called Unity which I'm keen to find out about. 

Installation was straightforward. I remember installing Linux in the early days and it was no fun at all. You had to understand disk partitions and boot managers, but this is now all handled for you, and you can still boot into Windows if you need to. There is even a windows installer option available if you want to install it from within Windows rather than using a boot disk. You can't get easier than that.

Once installed my immediate impression was how similar it was to a MacOS interface. The app launcher is very similar to the mac 'dock', the only difference being it is on the left of the screen rather than the bottom. This makes perfect sense given most screen dimensions, particularly netbooks. You can easily configure this to hide using the settings icon. 

If like me you start looking for the 'menu' so you can add more apps, the trick is to right click the Ubuntu 'Dash' icon at the top of the launcher. This provides you with search and find options for applications, files, pictures and videos. I've now got Chrome, Firefox, LibreOffice, Skype, GIMP and gThumb viewer which covers all my needs. It connected to my USB printer without issue.

The boot up time for me is now 33 seconds, about half what it was taking my relatively clean installation of Windows 7 (Lenovo Ideapad S205). In my experience with Linux this remains consistent, unlike Windows which seems to get progressively slower with each update.

My only disappointment was Skype. I had trouble configuring this on Windows with my internal mic, and it looks like I've got the same problem on Ubuntu. Otherwise, everything appears to work out of the box.

The real insight for me is how straightforward this would be to manage in an enterprise environment. The control panel is limited to what a user would like to do and everything else requires administrative rights. Upgrades are simple, and being open source there will be no cost associated with doing so. Combining open source systems and cloud products is definitely a good approach for companies looking to reduce costs but keep up to date. 

Ubuntu with LibreOffice

Friday, June 15, 2012

Why I gave up on sharepoint

My experience of sharepoint started three years ago when I was a systems development manager. It was clear that people in the company needed to collaborate online. We had an FTP site, public facing website and an intranet but none of these allowed users to easily collaborate in the way they required.

The need for a platform to address this requirement was confirmed when I discovered that members of the production team had set up a free Google site to share files with their suppliers. This was a concern because without the involvement of IT how could we ensure good practice was being followed? It was time to look at a managed alternative.

We were a Microsoft house, running Exchange, IIS and Office. The introduction of sharepoint seemed like a no-brainer and I set about persuading whoever I could that this was the case. Winning that argument was simple, as everybody understood there was a need to collaborate. Implementation was where the challenges started.

The first challenge was funding the implementation of sharepoint. I was told we'd need to invest in terabytes of onsite storage, increase the number of server hosts and purchase licenses. As a 5,000 seat organization the license cost alone was a shock to me, but in a culture where it was believed that "you get what you pay for", the funding challenge was easily overcome.

The second challenge was security. We were told the risk of allowing external collaboration was too high, as sharepoint could provide backdoor access to our network. It was agreed to limit the introduction to internal users on the corporate network only, which was a disappointment given the initial requirement was to help us collaborate externally. 

The third challenge was sharepoint itself and the sheer complexity involved in building a basic shared site. Even as an IT manager with experience of windows access control, the use of active directory access control and inheritance proved to be a nightmare. Were end users really going to understand this?  It was decided that with enough investment (more money of course) this could be addressed with user training and putting processes in place. A sharepoint administrator would have to be hired, and 'power users' appointed to make it work.

The biggest challenge was management. The idea of end-users being able to control data and access was proving too great. 'Data Governance' would have to be thought through, 'Information Architecture' papers would have to be written and limitations on use would have to be imposed. These all resulted in even more restrictions on the ability of users to share data.

In the meantime, the production department were continuing to use Google Sites (and probably still do) despite the official rollout of sharepoint in the business.

My conclusion was that sharepoint was not the web based collaborative platform I'd hoped it would be. Not only was it difficult and costly to implement, it was a nightmare to use. Sharepoint and senior management are a good mix, because it is all about top down control.The problem with that is you frustrate your users who then decide to find their own ways of collaborating.

The experience was good for me on a personal level. The use of Google Sites by the production department got me to take the use of cloud based alternatives more seriously. So much so, that I now provide integration services for companies looking to use Google Apps rather than Microsoft for their core systems. 

Friday, June 1, 2012

Google Apps Password Sync (GAPS) for Active Directory

Up until now it has not been possible to easily sync encrypted Active Directory (Windows) passwords to Google Apps. With the release of Google Apps Password Sync (GAPS) this is no longer an issue. I think this will be a game changer for enterprises considering the adoption of Google Apps because it effectively allows them to ensure users only have one password to manage. In the past this has been dealt with using SSO, but that meant Google Apps users were restricted to only using web services.

The Third Way IT 4-week migration package currently includes the provisioning and management of user accounts using Active Directory, but until now managing passwords on Google Apps has been separate exercise. Certainly transition from Exchange to Google Apps will be that much easier.

Tuesday, May 29, 2012

Google Apps receives ISO 27001 certification

In the early days of the cloud, security concerns were often at the top of business minds as they considered moving to Google Apps. More recently, though, security has become a major reason businesses are moving to the cloud....

Official Google Enterprise Blog: Google Apps receives ISO 27001 certification: Posted by Eran Feigenbaum, Director of Security, Google Enterprise In the early days of the cloud, security concerns were often at the ...

Wednesday, May 23, 2012

Quick access to contact details on Gmail

When searching for an email address, the results will now show you contact details in addition to that person's profile photo and the emails sent from and to them. From here, you can start a chat, call their phone and more.

Google Apps update alerts: New Gmail features: Quick access to contact detail...: The following new features are now available to Google Apps domains: - Quick access to contact details: When searching for an email addres...

Monday, May 21, 2012

A new way of working?

Published in the Oxford Times (16th May 2012)

Bring your own device

How do you feel about using your own computer or tablet at work? For many this is becoming the reality as the trend for ‘bring your own device’ or BYOD starts to take off.

The benefits and risks of BYOD have been the subject of heated debate amongst the technology community for some time now. Some technology experts resist the idea on the grounds that it is too difficult to manage and secure such a wide range of devices in a business setting. Others see it as an opportunity to boost productivity and cut costs.

A classic early example of the BYOD phenomenon was the iPhone. Just as the technology departments had invested significant sums in providing staff with an email-enabled Blackberry, along came users with their iPhones asking why they couldn’t use these instead.

The response by some at the time was to say they didn’t support iPhone. That becomes a difficult position to take against the type of enthusiasm found amongst Mac users. It certainly doesn’t make sense for business users to find themselves having to carry two smartphones.

Now we have the iPad, Android phones and a whole host of other ‘devices’ that users feel their workplace would benefit from. The consumerization of technology has no doubt been a challenge for technology support staff, but it’s certainly here to stay, even if it isn’t favoured by advocates of a more traditional corporate approach.

Instead of pushing back, now many are now starting to embrace the idea. Certainly asking users to buy, support and maintain their own hardware has the potential to offload some of the work carried out by technical support. The nagging concern is that the diversity risks making life just too complicated.

Fortunately, at the same time as the demand for BYOD has increased, so has the popularity of ‘cloud computing’, a slightly abstract term given to the use of web based applications provided by vast data centres maintained by the likes of Google and Microsoft.

This is a game changer, because it promises to make makes BYOD a viable solution. By providing applications through secure web pages, device maintenance becomes much simplified. All that is required is an internet connection and a browser. The device itself becomes almost unimportant.

A good example of this is the implementation of Google Apps at Oxford Brookes University. Staff and students are now provided with a web based email, calendar and document system powered by Google as opposed to locally maintained servers and disks. By providing these services as web applications the university has also removed the need to configure email software on student or staff computers.

So, here we have three trends which promise to revolutionize the way we work. The first is the popularity of consumer devices. They get thinner and faster, but are in many ways becoming more standard because their job is to serve web applications. That’s driving the second trend which is for business and other organizations to make their applications available over the web. Which in turn will drive the third trend of users being able to work from any location on any device.

The transition from work based technology presents its own challenges. One is how to migrate vast amounts of legacy data to web applications. Another is connecting these devices to corporate technology like the printers and photocopiers, although these too are becoming web enabled.

Perhaps the biggest challenge is to make the applications, the data and the devices more secure. The obvious danger of making web applications available to any device from any location you are also increasing the potential ease with which hackers can target them.

Some technologists are against the consumerization of technology for different reasons entirely. If the likes of Google and Microsoft are providing corporate email and document services to consumer devices, where does the control belong? Who owns the data? How secure and private is that data? What else can it be used for?

The take up of cloud based services by all sectors from charity and education to industry and finance suggest there has been some reassurance on these questions. One way these concerns have been addressed has been for the cloud providers to give finely tuned administrative responsibility to the business. That means the business can still retain control of the data, if not the hardware on which it runs.

Cloud and BYOD advocates even argue that this approach is more secure. By keeping data in the cloud rather than on a device, a stolen laptop or disposed desktop computer no longer carries the same risk of exposing data it once did. This is particularly true as remote wipe technology (where phones can be wiped once reported as stolen) is adopted as standard.

The debate will no doubt continue, but one question remains. If you can bring your own device to work, what will you choose?

Ray Allen is the founder of Third Way IT, an Oxford based provider of Google Apps for Business.

Tuesday, May 15, 2012

Introduction to Google Apps Directory Sync (GADS) by example - a beginners guide


This article is intended to help first time users of Google Apps Directory Sync which allows for the automatic provisioning of user accounts to Google Apps from your directory service. A more detailed explanation of the software is available online in the administration guide but this should be enough to perform a basic sync of users and groups from Microsoft's Active Directory on Windows Server 2000, 2003 or 2008.

This article is published by Gappsconnect, a Google for Work Partner  based in the UK. Please contact us if you have any questions or would like to discuss the use of a specialist to undertake this work on your behalf.


1. Active Directory structure. The job of synchronising user accounts is made much easier if the users and groups that you are planning to sync belong to a common organizational unit (OU). If you have your users spread across multple OUs, consider creating a a parent OU called 'Google users'. It is not possible to sync user accounts unless they are in an OU.

LDAP refresher (skip this part if you know it already)
Before starting, remind yourself about directory services (called Active Directory or AD on windows) and the use of LDAP (Lightweight Directory Access Protocol). GADS uses LDAP queries to extract the required information from your directory. A good understanding of terms and acronyms will help!
DC: Domain Component. This describes your domain. For example, the domain would be described in directory services as dc=example,dc=com
OU: Organization Unit. Organizes your directory into a tree structure (nested folders). Typically, you will have separate OUs for users, computers, etc, but also have OUs to help distinguish types of users. You might for example have a separate OU for power users. These will vary site-to-site depending on the preferences of the domain administrator. This is an excellent way to organize the user accounts that you want to replicate to Google Apps. If they are in a distinct OU, the job of syncing becomes much easier.
CN: Container Name. Think of this as a built in OU. Active directory has a CN called users for system user accounts for example. These are usually not replicated to Google Apps. 
DN: Distinguished Name. The path of tree containing the objects that you are interested in. (Example ou=visitors,ou=2012,dc=example,dc=com is the DN to use if you are only interested in objects held in the OU called visitors which in part of the OU called 2012). 
object class: Object classes describe the objects stored in directory services. The most commonly used objects in active directory (and relevant to GADS) are users and groups.
Attributes. Each object will have any number of attributes. For example a user will typically have sn for surname and givenName for their given name. 
A typical LDAP query:
This query would find all users who are in the OU called 2011 at Several good articles are available if you type 'LDAP query language' into your search engine and these may come in handy as you build your GADS config file, although variations on the given example above should suffice for a straightforward sync.

2. Active Directory user account. Create a separate, empty, top level OU in your directory called 'Google sync' and add a standard user account to it called ldap_user. This will be used to look up your directory during the sync. Set it to have a non-expiring password so that you can run scheduled syncs. The account does not require admin privilege as it is only performing directory look ups.

3. Google Apps admin account. Create an account in your Google Apps domain called ldap_sync and give it admin rights so that it can create and delete accounts in the domain.

4. Provisioning API. Switch on the provisioning API in your Google Apps domain control panel. This is found in 'domain settings > user settings'

Configuring Google Apps Directory Sync

5. Install GADS. Download the program and install it to a directory that you have write access to (not program files).

6. Open the Configuration Manager. This is a GUI that helps you build the XML configuration file that will be used to carry out the synchronization. Each menu item has multiple tabs that you should review before saving. The first menu item, General Settings, is where you declare what you plan to synchronize. I recommend you only start with the first three options.

7. Configure Google Apps connection. Use the ldap_sync account created in step 3 to connect. Use OAuth token for secure authentication in preference to the username and password.

Tick 'replace domain names' if the domain name of your AD is different to your Google Apps domain.

Use second tab if you have a proxy server. You can use the third tab to protect any Google Apps users from deletion when the sync takes place (if they are not present in AD).

8. Configure LDAP connection. Use the account created in step 2 to connect to your AD. This step will only work if you have a Base DN that includes an organizational unit; If you have created a parent OU this should be your Base DN.

9a. Configure Organizational Units (mapping). Use the distinguished name (DN) of the parent OU container that you have created for your users and groups and map it to the Organizational Unit name that you would like to use in Google Apps (it will create this for you).

All child organizational units will be synchronized.

9b. Configure Organizational Unit (search rule). The rule for finding all organizational units within the base DN is 'objectclass=organizationalunit'

10a. Configure user accounts (attributes). You need to map user attributes in AD with those required to create accounts in Google Apps.

Because some users may not have an email address defined, the 'userPrincipalName' attribute is useful for defining the mail address in Google Apps. The domain name will be substituted in Google Apps if you ticked the box in step 7.

If you plan to use AD to manage your user accounts, you will want accounts that are deleted from AD, deleted from the Google Apps domain too.

10b. Configure user accounts (additional attributes). You will need to know the given name and surname attributes to create Google Apps accounts. These are usually givenName and sn. Note that it is not normally possible to sync AD passwords using GADS, but a separate product called Google Apps Password Sync is available now to do this.

10c. Configure user accounts (search rule for active accounts). The first rule will find all active (non-suspended) user accounts. This can be achieved with the search rule:


10d. Configure user accounts (search rule for suspended accounts). The second rule will find all suspended user accounts and can be used to ensure Google Apps accounts are suspended if marked as such in Active Directory. The rule syntax is:


Make sure you tick the 'Suspend these users' box!

10e. Review search rules. You should have two rules, one for active accounts, one for suspended accounts.

11. Define group search rules. The search rule to find defined groups in your AD is:

objectclass=group. You will also need to declare the member reference attribute (normally member), group email address attribute (normally mail), display name (normally name), description (normally description) and the owner (normally managedBy)

12. Finally. Define your notifications, sync limits and logging preferences.

Congratulations. You have configured Google Apps Directory Sync and you should be able to perform a test sync to ensure the appropriate changes will be made. Once this has been done you will want to consider synchronizing other information and performing scheduled synchronization. This is documented in the administration guide.

Ray Allen. All rights reserved. Please use comments to let me know how you find this guide, or contact me at GAPPSCONNECT with any questions.

Friday, May 4, 2012

Are you a workplace hack?

In an interesting article on the BBC website, author Josh Klein argues that we should embrace the concept of workplace hacking. Workplace hacking involves finding ways round restrictive systems in the workplace. His first example involves the use of Google Docs.
Find one hated piece of software you're "required" to use and Google a workaround; use Google Docs instead of Excel, Drop Box instead of Sharepoint, or whatever it is you're saddled with. Try it for a week or two. See how much more efficient you are.
Many will recoil in horror at the idea of employees using these systems that are not in the control of the organization, but whether it's liked or not, the truth is this is happening everywhere. It's like BYOD (bring your own device). You can argue that it's dangerous and should not be permitted, but it happens.

IT departments need to embrace the technology users find most effective. If they want to retain control, find out more about why they prefer Google Docs to Sharepoint (after all, who wouldn't). Integrate the systems your users like into your organization. You may even find you same some money.

The enlightened organizations I'm working with who have started to incorporate Google Apps have been pleasantly surprised at the administrative control the can retain. These tools are not just for consumers, but increasingly used by business to both reduce costs and increase productivity.

Thursday, April 26, 2012

Using Google Drive instead of file servers

Google have just announced the release of Google Drive, which allows for easy synchronization of local hard drive data with Google docs. This is very significant for me because it deals with a requirement that I often get asked about, namely having an easy cloud store for data on your hard drive.

It has always been possible to manually upload folders and files to Google docs, but Google Drive does this automatically in the background, meaning you never have to think about it. This also makes sharing the data if you want to very easy. Clearly, this is a major challenge to Dropbox which has been the dominant provider of these types of services.

The first 5GB per user is free which for Google Apps domain administrators represents extremely cheap online storage. This is ample, particularly if users are creating, storing and sharing documents as Google Docs (which are not subject to any quota).

For a number of years Google have challenged the idea that businesses require email servers, with business email being the core element of Google Apps for Business. With the addition of Google Drive, there is now an alternative for onsite file servers too.

If you'd like to discuss the use of Google Drive in a business environment or any other Google Apps, please contact me on 0843 289 0462 or visit to learn more.

Tuesday, April 10, 2012

What is Google Vault?

Google have just announced the release of Google Vault, their new 'e-discovery' product. The two obvious questions are 'What does it do?' and 'What is it competing with'?

The answer to the first question is that Google Vault allows domain administrators to retain and search all incoming and outgoing emails from a Google Apps for Business domain. This is often required by businesses that decide to retain this information for legal purposes (in the event of a legal dispute this information can be requested).

Up until now, this job has been served by the use of  'Google Message Discovery' by Postini, but the benefit of Vault is that it is part of the Google Apps domain rather than a separate product. That's going to make it much easier to configure and use, always a good thing. 

At this stage, Vault will only be available to Google Apps for Business customers, and not users of the education edition for which GMD will remain the recommended product.

The cost of Google Vault is expected to be equivalent to that of Google Apps itself (£3.30 / user / month) and as a Google Apps Authorized Reseller, I'm looking forward to this being part of the product offering.  If you'd like to discuss the use of Google Vault with your Apps domain, please feel free to get get in touch.

Thursday, March 29, 2012

Thursday, March 22, 2012

Tech staff not required by SMEs

IT staff are are an unnecessary cost for most small and medium sized businesses argues Ray Allen, founder of Third Way IT, an Oxford based company helping organizations make more use of web based applications.

"Now that business email, calendars, intranet and document management are being offered as web applications by the likes of Google, the need to run expensive and complicated server hardware is diminishing. Moreover, by accessing these services through a web browser, the need to run managed desktop computers is diminishing too."

Ray Allen is a strong advocate of BYOD, or 'bring your own device' which requires staff to use an allowance to buy their own IT equipment. "Not only does this keep maintenance costs down for the business, it also means that staff are more productive, working with the technology that fits their needs."

So what will this mean for IT staff? Ray Allen argues that they will need to specialize. "There will still be a requirement from business for developing websites, building bespoke applications, automating tasks and managing data, but the days of having a techie whose job it was to tell you to turn your computer off and back on again are numbered."

Ray Allen is the founder of Third Way IT, a UK based startup working with SMEs to lower their IT costs . You can contact Ray Allen on 0843 289 0462

Monday, March 12, 2012

Google Apps additional services - enable or disable?

Companies that use 'Google Apps for Business' are providing their staff with managed access to Google products for business use. That includes the six core apps (contacts, gmail, calendar, docs, sites and talk) but it can also include 62 additional services such as youtube and blogger.

The domain control panel allows the site administrator to force users to logout of the business account before using these services. This makes a lot of sense for companies who would rather their staff were not uploading youtube videos or blogs in the company name and is why I always recommend a 'default-deny' policy for additional apps.

If you do want your staff to use youtube, maps, blogger etc. in a professional capacity, you can always switch them on as required. Google do make it clear what account you are logged into when you access these services, so it should be clear to users in what name they are using these services , but thinking about the policy up front is always advisable.

Tuesday, February 14, 2012

Can you run a business without servers?

I've been asking "Can you run a business without servers?" on a few LinkedIn groups and so far the response is largely doubtful with the most common response being "What if the internet goes down and you depend on cloud services instead of local servers?"

This is interesting because in my view having a poor internet connection provides an even stronger incentive to stop using servers. For example, if your local internet connection fails and you are running a local mail server, communication stops (except internally, if you are lucky). Compare this to when mail is managed by a cloud provider; you can pick up where you left off using a 3G phone, home connection or wifi cafe. Services do not depend on your flaky ISP being available and you are much less vulnerable to disruption.

That's mail servers, but what about print, login, and storage servers? I think we'll see authentication move from the operating system to the browser, particularly as our technology becomes more 'device' driven. That removes the need for login servers. Google's cloud print service is another example of a service providing what used to be managed by servers, and there's plenty of shared storage solutions available too.

So what will run on the work network of the future? My guess it will be just a bunch of devices. Network switches, firewalls, printers and various devices such as tablets with little more to them than a web browser. Where does that leave the IT department? Hopefully doing what they should always have been doing. Integrating services, supporting users, automating process and connecting the business with customers through online services. Oh, and swapping out those devices from time to time. What they won't be doing (and what they really should never have spent so much time doing) is spending their time patching and fixing server hardware.

Tuesday, February 7, 2012

Google Apps Directory Sync - a beginners guide

A more up to date version of this article is now available, this copy here for reference only.

As a Google Apps provider, I've been working a lot with Google Apps Directory Sync (GADS) of late. The tool is intended to help institutions provision their accounts in Google Apps by automatically syncing data from the local directory servers (normally AD, but it can be other LDAP compliant directories too).

It's a tool that comes with a fair whack of documentation, and does require a good understanding of LDAP to make most of it, but once configured it leaves you with a highly automated process for maintaining your Google Apps domain accounts. More detailed information if required is found at:

For less complex sites I've put together this quick guide. It assumes you are using Active Directory on a Windows based server and are happy to make changes to your directory. For more complex sites or if you'd prefer not to make these changes, GAPPSCONNECT can set this up on your behalf (remotely or onsite). Call 0843 289 0462 (UK local rates) or fill in our contact form if this is an option you'd like to discuss.
LDAP basics

Before starting, remind yourself about directory services (called Active Directory or AD on windows) and the use of LDAP (Lightweight Directory Access Protocol). GADS uses LDAP queries to extract the required information from your directory. A good understanding of terms and acronyms will help!

DC: Domain Component. This describes your domain. For example, the domain would be described in directory services as dc=example,dc=com

OU: Organization Unit. Organizes your directory into a tree structure (nested folders). Typically, you will have separate OUs for users, computers, etc, but also have OUs to help distinguish types of users. You might for example have a separate OU for power users. These will vary site-to-site depending on the preferences of the domain administrator. This is an excellent way to organize the user accounts that you want to replicate to Google Apps. If they are in a distinct OU, the job of syncing becomes much easier.

CN: Container Name. Think of this as a built in OU. Active directory has a CN called users for system user accounts for example. These are usually not replicated to Google Apps.

DN: Distinguished Name. The path of tree containing the objects that you are interested in. (Example ou=visitors,ou=2012,dc=example,dc=com is the DN to use if you are only interested in objects held in the OU called visitors which in part of the OU called 2012).

object class: Object classes describe the objects stored in directory services. The most commonly used objects in active directory (and relevant to GADS) are users and groups.

Attributes. Each object will have any number of attributes. For example a user will typically have sn for surname and givenName for their given name.

A typical LDAP query:


This query would find all users who are in the OU called 2011 at Several good articles are available if you type 'LDAP query language' into your search engine and these may come in handy as you build your GADS config file, although variations on the given example above should suffice for a straightforward sync.

A more up to date version of this article is now available, this copy here for reference only.

Active Directory server preparation.

1. Create a basic user account on your directory service. Create an account with the username 'gads' (description Google Apps Directory Service). This can have the lowest privilege but must be able to read your directory tree (which most normal accounts will). The password should be complex but set to never expire. A good place for this account is in the users CN.

2. Prepare your directory service. Organize the objects that you want to replicate. A good approach is to create a new OU called 'google accounts' and place the existing OUs that hold the relevant user accounts, groups etc under this tree. Try to avoid a structure that is too deep if you can. This guide assumes you have created a new OU called 'google accounts' which contains the users that you want created on your Apps domain.

Google Apps Directory Sync (GADS) service.

3. Host computer. Find a host computer to execute the sync on a routine basis with. Google advise that you use a separate machine from the domain controller. The operating system can be any recent version of windows or linux, but the hardware should be reliable enough to be left on at all times.

4. Required software. Install Softerra LDAP browser (free) to test connectivity to your directory service and browse the folder structure (this will come in handy during configuration). You can use this to identify object classes and attribute names. The process of syncing involves writing log files to the installation directory. so be sure to install the GADS software to a folder that your account has write access to! If you install it to 'program files' then you will need to run the program as an administrator which you may not want to do.

GADS configuration.

GADS allows you to build up a sync config file using a graphical interface. You will need to define the general settings (where your AD is for example) and explicitly state which parts of the directory you want to replicate to Google Apps.

5. General Settings. If you have an OU called 'google accounts' you can choose to sync LDAP org units and have all subunits sync too. This saves you having to change settings at a later date and will allow you to create or remove OUs within google accounts and have them replicated to Google. Start off by only syncing users and groups. Once you've got that working, you can choose the other options.

6. Google Apps. Use this screen to tell GADS about your Google Apps domain. This screen should be self-explanatory, but refer to the learn more link if not.

7. LDAP. Connect to your directory server using the gads account created in step 1. Set the base DN to the lowest level of unit that you plan to sync from. Be careful not just to specify the top level domain because the sync will try to replicate system accounts and will have permission issues connecting. If you have followed the suggestion and created an OU called 'Google Accounts', then the configuration will be as follows:

GADS - LDAP connection screen

8. Org units. This is where you define the org units that you want to replicate. Note: you are defining just the unit names (not the objects within them) that you are replicating. Use a separate entry for each OU that you want to replicate. If you have a 'google accounts' OU you can choose to replicate the base DN (indicated in step 7) and not worry about an over-ride or multiple lines. You will need to define a mapping too, also shown below.

GADS - LDAP org search rules

GADS - LDAP org unit mappings

9 Users. The mail address attribute in AD is normally 'mail'. The aliases are normally defined by 'proxyAddress'. givenName and sn are also used. Be sure to tick the 'do not suspend or delete admin accounts'. This is very important to avoid you deleting your domain admin account on Google Apps when they do not exist on AD!

GADS - user attributes

9a. Add two search rules. One to match all users and have them replicate, the other to suspend those who are suspended. Make sure they are in the order shown. The filter for suspended accounts in AD is:


10. Groups. The groups search rules requires you to map to group attributes and filter for the objectClass 'groups'

11. Simulate. At this stage you should be able to define notifications, sync limits, and log file parameters in preparation for a simulated sync. If successful, move on to syncing contacts and calendar resources by following the same approach.

A more up to date version of this article is now available, this copy here for reference only.

Monday, February 6, 2012

Google Apps privacy at work

I remember when I first started as a sysadmin (1997) my new boss told me to send emails on the assumption that copies would be sent to my boss and mother.  He was the man who ran the mail servers so I paid attention.  

I was reminded of this because of the recent Google privacy policy update. Interestingly, most of the attention has focused on what it means for the consumer products, but what I find the most relevant in the privacy statement is an explicit reference early on to Google Apps accounts (e.g. business gmail) and the role of the domain administrator (aka your IT department). Here's what they say:

"If you are using Google services in conjunction with your Google Apps Account, Google provides such services in conjunction with or on behalf of your domain administrator. Your administrator will have access to your account information including your email. Consult your domain administrator’s privacy policy for more information."

This is an important distinction for Google to make and one that I don't think enough people pay attention to. If Google are providing your company with enterprise services (corporate email, document storage and the like) they are also giving your company full control of the data too. This makes perfect sense because domain administrators have always had this and would never give it up, wherever their server is based.

That's why Google saying 'This stuff matters' is so true. It really does, but maybe not for the reasons you first thought. Meantime, I'll continue to write my emails on the assumption my boss and my mother will be reading them, privacy statement or not.

Ray Allen is managing director of Third Way IT, a cloud services provider.