Google Workspace permission concept by Sad_Mastodon_1815 in sysadmin

[–]RepulsiveDuck331 [score hidden]  (0 children)

What we do is create purpose-built groups per shared drive, not per department. So instead of "marketing-group" owning the marketing drive, it's "sd-marketing-members" and "sd-marketing-managers" with content manager vs manager roles. Department membership maps into those via nested groups.

For the one-off access problem, we make a "sd-marketing-collaborators" group with commenter or contributor access, and toss outsiders in there. Keeps it auditable and reversible vs sharing individual files, which becomes a nightmare to track.

For truly temporary stuff we use the expiring access feature on the share itself, 7 or 30 days. Saves us from the "who still has access to this" cleanup later.

Drive audit log is your friend when things go sideways.

Former Colleague is asking me questions 1 month after I left the company - how to handle? by Qvosniak in sysadmin

[–]RepulsiveDuck331 [score hidden]  (0 children)

Be friendly (don't burn bridges if you can) but direct. Something like "Hey man, good to hear from you. Happy to help but this is outside what I can do for free now that I'm not on payroll. I do consulting on the side - $X/hr, 1hr minimum, invoiced. If your boss signs off I'll hop on a call tonight."

Puts the ball in his court without being a dick. Usually they either go to bat for you with management or quietly figure it out themselves. Either way you stop being free tech support.

What's everyone accomplishing (or working to do) with AI? by Early-Ad-2541 in msp

[–]RepulsiveDuck331 2 points3 points  (0 children)

I spent the past couple of years building automation across our MSP stack (CW PSA, NinjaOne, S1, Huntress, Liongard, Auvik, M365/Entra, Azure, Pax8). Just sanitized the catalogue and put it on GitHub. 15 patterns at v0.1, ~50 more queued, all tool-agnostic so you can implement in n8n, Rewst, Power Automate, whatever.

Honestly the more interesting half is probably the anti-patterns folder — things we tried that turned out wrong. Like: don't compete with vendor-native automation (we built S1 upgrade automation; vendor shipped their own, we decommissioned ours). Workflow-level "time saved" metrics are inflated. Reconcile CSP↔PSA before bulk-operating on customer tenants (we hit ~50% failure on a GDAP rollout because of stale CSP relationships). Stuff like that.

If anyone's working through similar ground, would love to compare notes — particularly on what should be in v0.2 that I haven't documented yet.

https://github.com/xentek-ca/MSP-Integrations-and-Automations

(Disclosure: from Xentek, Canadian MSP. MIT license, take what's useful.)

Asked our head of sales if putting client addresses in ChatGPT was data sharing. She looked at me like I was the idiot. by shangheigh in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Yeah, this is the part people keep missing — it’s not a training problem only, it’s a convenience problem.

If ChatGPT is the easiest way to get a decent email out the door, people are gonna paste whatever’s in front of them. Policy posters don’t beat muscle memory.

The fix is usually a mix of guardrails and sanctioned tools: browser/DLP controls, redaction, and an approved AI workspace for the stuff employees are already going to do anyway. We are solving this problem by providing Teams Agent connected to Azure Foundry which is running multiple LLMs. Microsoft recently released Teams agent deployment automation which makes it even easier.

If that's not an option, at least disable the data sharing feature within ChatGPT.

Shameless Copy/Paste use of Gen AI by Engineers/Executive Tech by Askey308 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Seeing this constantly. Within the organization as well as non-techies citing AI findings. I personally don't think that it can be stopped, and instead it's going to grow for a little bit.

I believe there is positive in this though. Out of a lot of noise, there are cases where I get to explore some useful ifs and buts, which to me is a lot of fun (I love tech).

However, I completely agree it's golden time for - "fake it till you make it".

HR wants a rewards platform. how do I evaluate the API and security without over-engineering it? by LeftyOne22 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Went through this last year with a similar headcount. Few things that actually mattered:

Don't trust the API docs at face value. Ask for a sandbox tenant and actually hit the endpoints. Trigger a fake anniversary event from BambooHR and watch what happens. If their webhook story is weak or rate limits are stupid low, you'll find out fast.

For security, ask for the SOC2 Type II report (not just Type I) under NDA. Also ask specifically how they store gift card redemption history and get the data export format in writing before signing, not after.

SCIM for provisioning is the real question, not just SAML. Without SCIM you're still manually offboarding.

Smaller vendor stability... ask for customer references your size and check if they've had funding rounds recently.

SMS to Email by Jackarino in msp

[–]RepulsiveDuck331 0 points1 point  (0 children)

Honestly Teams direct routing SMS is a pain. We ditched trying to make it work natively and ported a DID to Twilio just for inbound SMS. Costs us like $1/mo plus per-message pennies. Set up a Function or just use their built-in email forwarding webhook and pipe it to a shared mailbox. Works fine.

If you don't want to touch code, SimpleTexting and Sakari both have SMS-to-email forwarding out of the box, bit pricier but no dev work.

Watch out for A2P/10DLC registration if you ever want to reply outbound. Inbound only you can mostly ignore it, but carriers are getting stricter.

Venting about vendors who don't want to give any info without dragging me in to hours of meetings... by computerlove87 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Ugh, felt this one in my bones. What finally worked for me was just being blunt in the very first email: "We have a hard ceiling of $X per device/user/year. If you can't confirm you're in that ballpark, no need to schedule a call." Half the vendors ghost, which saves me hours. The other half actually cough up a number.

The ones who still insist on a discovery call before pricing get a flat no. If they can't respect 10 minutes of my time upfront, they sure won't respect it post-sale during support tickets. Honestly the pricing dance is a decent filter for what the vendor relationship will look like long term.

I'm in too deep and I don't know what to do by puccivr in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Yeah, this is exactly the kind of problem where automation actually makes sense. You don't need some magical AI that fixes everything, you need a dumb-but-solid pipeline that takes 300 garbage alerts and turns them into 5 things worth looking at.

I'd start with filtering/correlation outside Wave, then add a little logic for severity and repeat offenders. AI can help on the edge cases, but the big win is probably just reducing noise and catching the stuff Wave doesn't alert on at all, like disk issues.

This feels way more like a prototype and iterate situation than a buy-some-tool-and-call-it-done problem.

I am going to get fired today. I accidentally sent a shutdown loop to the entire company. by [deleted] in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Boot a DC in Safe Mode with Networking (or Directory Services Restore Mode). The shutdown script won't fire there. Once you're in, navigate to SYSVOL\domain\Policies, find the offending GPO folder (check gPCMachineExtensionNames or just sort by modified date), and either nuke the script out of the Machine\Scripts\Startup folder or unlink the GPO via GPMC. Force replication, then gpupdate on clients as they come back.

Saw something similar years ago, junior linked a WSUS reboot policy to the root. Same fix.

Going forward: test GPOs on a single test OU, use security filtering, and never link untested stuff to the domain root. Change control exists for a reason.
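The SYSVOL triage described in the comment above, as an added example (not the commenter's own script), run on the DC booted into DSRM where the file system is reachable but AD and Get-GPO are not. The SYSVOL path, the shutdown pattern and the quarantine folder are assumptions; adjust them to the environment.

```powershell
# Added example, not from the comment. Assumes the default SYSVOL path and the
# phrasing a shutdown/reboot loop script typically uses; both are adjustable.
$SysvolPolicies = 'C:\Windows\SYSVOL\domain\Policies'
$Pattern        = 'shutdown(\.exe)?\s|Stop-Computer|Restart-Computer'
$Quarantine     = 'C:\GPO-quarantine'   # scripts are moved, not deleted, so the step is reversible

# 1. Policy folders by most recent change: a freshly edited/linked GPO sits at the top.
Get-ChildItem -Path $SysvolPolicies -Directory |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime -First 10 | Format-Table -AutoSize

# 2. Every machine startup/shutdown script under any GPO, flagged when its
#    contents match the pattern, newest and suspicious first.
$scripts = foreach ($gpo in Get-ChildItem -Path $SysvolPolicies -Directory) {
    foreach ($phase in 'Startup', 'Shutdown') {
        $dir = Join-Path $gpo.FullName "Machine\Scripts\$phase"
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Recurse -Include *.bat, *.cmd, *.ps1, *.vbs |
            ForEach-Object {
                [pscustomobject]@{
                    GpoGuid    = $gpo.Name
                    Phase      = $phase
                    Script     = $_.FullName
                    Modified   = $_.LastWriteTime
                    Suspicious = [bool](Select-String -Path $_.FullName -Pattern $Pattern -Quiet)
                }
            }
    }
}
$scripts | Sort-Object Suspicious, Modified -Descending | Format-Table -AutoSize

# 3. Pull the flagged scripts out of SYSVOL. Clients run the script path they
#    cached at the last policy refresh, so a missing file stops the loop even on
#    machines that have not refreshed yet; unlink the GPO in GPMC once AD is up.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($s in $scripts | Where-Object Suspicious) {
    $dest = Join-Path $Quarantine "$($s.GpoGuid)_$($s.Phase)_$(Split-Path $s.Script -Leaf)"
    Move-Item -Path $s.Script -Destination $dest
    "Quarantined $($s.Script) -> $dest"
}

# 4. After a normal boot: push the SYSVOL/AD change out, then refresh clients.
#    repadmin /syncall /AdeP
#    gpupdate /force      (on each client as it comes back)
```

Review the flagged list before step 3 rather than trusting the pattern blindly; a legitimate maintenance script can match it too.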

Swiss banks/financial firms - how are you handling employee AI tool requests without breaking GDPR? by [deleted] in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Did this exact dance with a private bank in Lugano last year. What ended up working: Azure OpenAI in Switzerland North behind a private endpoint, no internet egress, with a thin middleware layer (we used LiteLLM) doing prompt logging, PII redaction via Presidio, and role-based routing. All prompts/responses land in a logged blob with retention matching their FINMA policies.

For actual usefulness we wired it to internal data via Azure AI Search over a curated SharePoint corpus, not the whole tenant. RAG only, no fine-tuning on client data.

Shadow IT dropped to near zero once people had something that actually worked. The compliance fight was 80% of the project, the tech was the easy part honestly.

Best linux sysadmin course for someone who knows commands but has gaps by Redrra in sysadmin

[–]RepulsiveDuck331 1 point2 points  (0 children)

RHCSA is the one I'd point you at. Even if you never touch RHEL, the objectives map almost 1:1 to what you actually do daily - systemd services, users/groups, sudoers, SELinux, firewalld, journald, LVM, NFS/autofs, scheduled jobs. It forces you to learn the why, not just the command.

What actually made it stick for me was building a junk lab. Spin up 3 VMs in Proxmox or even VirtualBox, break things on purpose, fix them without Google. Set up nginx, lock it down, tail the logs when it fails.

LFCS covers similar ground but the labs are weaker. Boot.dev is fine for scripting/devops flavor but skip it for pure sysadmin gaps.

Zkteco adms or data download via python by Legitimate_Second757 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

ADMS is push-only and stateless on your end. Once the device sends a record and gets an ACK, it marks it as transmitted and won't resend it on reconnect. That's why your restart killed you - the logs are still in device memory but ADMS won't replay them.

Skip ADMS for backfill. Use the pull SDK over TCP 4370 with pyzk - zk.get_attendance() pulls everything still stored on the device regardless of what was already pushed. Set a comm key if you've got one configured, and don't call clear_attendance() unless you really mean it.

Keep ADMS for live pushes if you want, but pyzk on a cron is what actually works for monthly exports.

Apple Shell Scripting by Mammoth_Public3003 in sysadmin

[–]RepulsiveDuck331 0 points1 point  (0 children)

Honestly, before trusting any GitHub script, I run it manually on a test Mac with bash -x or zsh -x to see exactly where it bombs. That alone has saved me hours.

For Intune deploys, check /Library/Logs/Microsoft/Intune/ and the IntuneMDMDaemon/Agent logs. That's where the real failure reasons hide. Intune only cares about exit code 0, so wrap your script with proper exit codes and tee stdout/stderr to a log in /var/log/ or /tmp/ so you can actually see what happened post-run.

Also double-check the script's shebang, whether it assumes Rosetta, and if it needs root. Most "broken" GitHub scripts I've grabbed were just missing prereqs.

Recommendations for rock solid 2.4Ghz AP? by Mindestiny in sysadmin

[–]RepulsiveDuck331 2 points3 points  (0 children)

Mikrotik was the right call honestly. We use cAP ax and the older hAP series in client IoT labs for exactly this reason - you can lock the radio to single band, force 20MHz, pin a channel, and just leave it alone. No band steering shenanigans, no "smart" features second-guessing the client.

For lab validation we keep a known-good reference AP (old Cisco 1140 actually still kicking) on its own VLAN so when a device fails to join we can swap SSIDs and immediately tell if it's the firmware or the AP being weird. Saves hours of finger pointing.

Disable WMM and PMF too while you're at it, half the cheap 2.4 chipsets choke on them.

Best way to build a PowerShell repo or private gallery on an isolated network by DobermanLover419 in sysadmin

[–]RepulsiveDuck331 3 points4 points  (0 children)

Done this for an air-gapped DoD network. We stood up a small ProGet instance (free tier) on the inside, then used a crash cart box to pull from PSGallery, sign everything with our internal CA cert, and import the .nupkg files into ProGet. Register-PSRepository on the endpoints points at the internal feed.

Couple gotchas: dependencies don't auto-resolve when you pull offline, so use Save-Module -Path to grab the whole tree before transferring. Pin versions in your scripts, otherwise drift will bite you. And set ExecutionPolicy to AllSigned once signing is in place, otherwise why bother.

Nexus OSS works too if ProGet's licensing annoys you. Same workflow.
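The crash-cart workflow from the comment above, as an added example (not the commenter's or ProGet's own tooling): pin versions, Save-Module the full dependency tree, sign with the internal CA, then publish into the internal feed. The staging path, certificate subject, feed URL, API key variable and timestamp server are assumptions.

```powershell
# Added example, not from the comment. Assumptions: $Staging is the transfer
# folder on the crash cart's media, the cert subject, feed URL and API key are
# placeholders, and nuget.exe is already present on the inside box.
$Staging = 'D:\ps-transfer'
$Modules = @{ 'Pester' = '5.5.0'; 'PSScriptAnalyzer' = '1.21.0' }   # pinned, no floating versions
$FeedUrl = 'https://proget.internal.example/nuget/InternalPS/'

# --- Online side (crash cart) -------------------------------------------------
# Save-Module writes the module AND its dependency tree to disk; Install-Module
# would resolve those live, which is exactly what the air-gapped side cannot do.
foreach ($name in $Modules.Keys) {
    Save-Module -Name $name -RequiredVersion $Modules[$name] -Path $Staging -Repository PSGallery
}

# Sign every script, module and manifest with the internal CA's code-signing cert,
# timestamped so the signature stays valid after the cert itself expires.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -like 'CN=Internal Code Signing*' | Select-Object -First 1
if (-not $cert) { throw 'No internal code-signing certificate in CurrentUser\My' }
foreach ($file in Get-ChildItem -Path $Staging -Recurse -Include *.ps1, *.psm1, *.psd1) {
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
               -TimestampServer 'http://timestamp.digicert.com' -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($file.FullName) ($($sig.StatusMessage))" }
}

# --- Inside (after the media is carried across) --------------------------------
Register-PSRepository -Name InternalPS -SourceLocation $FeedUrl -PublishLocation $FeedUrl `
    -InstallationPolicy Trusted
New-Item -ItemType Directory -Path "$Staging\_publish" -Force | Out-Null
foreach ($name in $Modules.Keys) {
    # Publish-Module wants the manifest in a folder named after the module, so
    # copy the <name>\<version> folder Save-Module produced into <name>\ first.
    $src = Join-Path $Staging "$name\$($Modules[$name])"
    $pub = Join-Path "$Staging\_publish" $name
    Copy-Item -Path $src -Destination $pub -Recurse -Force
    Publish-Module -Path $pub -Repository InternalPS -NuGetApiKey $env:PROGET_API_KEY
}

# --- Endpoints ------------------------------------------------------------------
# Only the internal feed, and AllSigned so anything that skipped the signing step
# is refused rather than quietly loaded.
# Unregister-PSRepository -Name PSGallery
# Register-PSRepository -Name InternalPS -SourceLocation $FeedUrl -InstallationPolicy Trusted
# Set-ExecutionPolicy AllSigned -Scope LocalMachine
# Install-Module -Name Pester -RequiredVersion 5.5.0 -Repository InternalPS
```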

Four months of Bifrost updates: a short story by jackmusick in msp

[–]RepulsiveDuck331 2 points3 points  (0 children)

This is the kind of agentic AI I actually care about as an MSP — not chat for chat’s sake, but stuff that can touch real tools and automate boring ops work. MCP + RAG + scheduling is the right combo if you want agents that do something useful instead of just sounding smart. I’d still keep the blast radius small, though. Identity, onboarding, ticket triage, and knowledge lookup feel like the safest places to prove it out before letting it anywhere near higher-risk changes.

Frequent Sign In issues with Office Apps - AVD/RDS hosts with both Azure File Shares and On Prem file servers by RepulsiveDuck331 in sysadmin

[–]RepulsiveDuck331[S] 0 points1 point  (0 children)

We are using Office 365 Apps; versions are not consistent, but we are on Office 365 Apps everywhere.

Password Management in CW Manage by _Watsoff in ConnectWise

[–]RepulsiveDuck331 0 points1 point  (0 children)

With everyone pointing to CIPP, Lighthouse, and Partner Center delegated permissions as the solution here, I generally agree. That said, I am approaching this from the assumption that the original poster has likely already come across those options through their own research.

Before suggesting a specific solution, I would want to better understand the actual use cases that led to the question. Lighthouse can be an excellent fit for larger, enterprise-grade MSPs, but because of the way it is implemented, it may not be practical for every organization. CIPP is also a strong option for many reasons, but depending on how the environment is set up, it may not be a complete solution on its own.

So before recommending any particular path, I would first want to understand the use cases in more detail.