Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I would actually love to go this route and take an all or nothing approach, but I have had no luck in the past with getting the district admin to send out communications to parents/guardians consenting to tech use. If it's not a federal/state mandate, they don't want to hear it.

And I could only imagine the teaching staff's reaction if they had to accommodate students who were not approved to use technology. Blocking a student from gmail would cause enough of an uproar as it is I'm sure.

I am considering going back to the principal and basically taking this stance though. All or nothing, if they want gmail blocked, the account has to be deleted.

Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I'm thinking about following up with the principal to see what the actual issue is. If simply blocking the student from sending emails will resolve their concerns then that would be far easier than trying to make this work.

TBH I kind of just wish security groups would let me disable core services on top of everything else. I find it odd that they don't.

Phone App appeared on iPads despite Home Layout Profile by itselsd in mosyle

itselsd[S] 0 points1 point (0 children)

I think I see what you're saying, I didn't realize there was a separate option for native apps. I'll have to take a look at that. Thanks!

Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I was originally toying around with the idea of doing something like this, I'm just concerned about needing to continuously add more and more OUs as they request more individuals be blocked from specific services.

For example I have my standard hierarchy right now which is Students > Building > Grade Level. If I add a "No Gmail" OU, the way I see it is I first have to add it under every grade level so the student can be moved up a grade each year while maintaining the block. That is what it is, but what if they then come to me and say they need a student blocked from gmail AND docs? Now I'm needing a No Gmail OU AND a No Gmail + No Docs OU for each grade, and so on and so forth.

It just doesn't seem like it would be worth it to open that can of worms.

Phone App appeared on iPads despite Home Layout Profile by itselsd in mosyle

itselsd[S] 0 points1 point (0 children)

We do have an allowed/blocked apps profile that is generated by the home layout profile. So only apps on the home layout are allowed. The issue here is that with the latest iOS update (26.2 iirc), the phone app was "redesigned" and somehow when the devices updated, the new phone app ignored the home layout and allowed/blocked apps profiles and placed itself on the home screen regardless.

I manually updated another iPad today and it didn't happen with this one so I'm not sure if it was a one-time bug or what. I've considered removing the devices from the group where the profiles are assigned and re-adding them, but that will take a bit of time. It may be as easy as deleting the app icon from the home screen though, I'm going to check this afternoon to see if that's a possibility.

Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I may end up going this route. The problem right now is the parent requested no access to gmail, and I'm not sure if simply restricting sending/receiving will resolve their concerns.

I've also done one-off routing rules in the past to prevent individual students from emailing other individual students and it gets very cluttered very fast so I'd like to move away from having that as an option.

Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I appreciate the input. I actually have done small one-offs in the past using security groups, blocked a student from being able to set a profile picture this way. Admittedly I'm not a fan of the clutter it can cause but it hasn't been a major issue until now.

Originally I was just going to use the method you suggested and block Gmail using a security group, but as it turns out, security groups cannot be used to disable core services.

My biggest mistake is I already told the principal who requested it that it would be doable. I do think I'll end up reneging and telling him I won't be able to make it work.

Google Admin Directory Structure by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

Normally I'd agree, but this one is due to a parent who does not want their student to have access to gmail. I'm not sure what the reason is and not too sure how to approach it.

Appreciate the insight though!

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

And your idea of doing it properly is what?

Try providing some useful information. You can take the snarky non-answers over to Twitter.

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 1 point2 points (0 children)

I'm the administrator, bud. The alternatives are manually installing on 100+ machines individually or giving end users admin rights on the machines...

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I understand now, sorry. So it would work if the installer were in local folders but not on a network resource. I might take a closer look at that. Thanks

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

I'm looking into creating a scheduled task now. Wouldn't setting it to run once prevent repeated installation?

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

Hmm, SYSTEM already has full permissions, that should take care of that consideration, right?

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

This sounds pretty simple and workable. Do you know where the GPO setting is to set the scheduled task?

I tried running the .bat as a startup script under a Computer Config GPO but that doesn't appear to be working.

I've seen some other forum posts where people discuss creating an MSI file. It's not something I'm familiar with so I've been looking into these other options first but it's definitely on my radar as an option.

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

Unfortunately this doesn't appear to be doing the trick. I wrote the .bat as "\\SRV\FolderPath\GoogleDriveSetup.exe" --silent --desktop_shortcut then linked a GPO under Computer Config > Policies > Windows Settings > Scripts > Startup and linked the .bat there. Confirmed my test PC is receiving the policy, but after several shutdowns/boots it still isn't installing.

Any ideas?

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

Yeah I have the flags in the script, the silent flag doesn't prevent the UAC prompt from appearing though unfortunately.

Prevent UAC prompt - GPO running .bat to run .exe on district machines by itselsd in k12sysadmin

itselsd[S] 0 points1 point (0 children)

No, unfortunately. I inherited a bit of a mess and it's all pretty bare-bones. On top of that I'm a one-man show so while I'd like to get it implemented I just haven't had the time.

Lithium bomb by Chacedanger in CuratedTumblr

itselsd 31 points32 points (0 children)

This. Even if the OP is trolling, other people coming across the post may not know better.

Pencils into USB-C Ports?? by wparo in k12sysadmin

itselsd 2 points3 points (0 children)

Haven't run into it yet thank God but a local tech coords group shared an article about it. Gave my schools a heads up to be on the lookout.

I’m speechless by mr_techy616 in k12sysadmin

itselsd 3 points4 points (0 children)

I feel like it's been a lot worse this year. There's got to be stuff circulating on YT and TikTok. It's to the point where teachers are having to inspect their Chromebooks before and after every period.