
Restricting the use of consumer accounts on domain-joined PCs

If you have domain joined PCs that can be managed via group policy and you use G Suite, then you might want to restrict the use of consumer accounts on your machines. If a user can use a private account, they can do a range of things that can potentially bypass content filtering and other policies you have set in the management console in G Suite.

The best way to prevent this is at the network level - see the Google help page here. This means that all devices on your network will be prevented from using consumer accounts. Many firewalls and content filter providers (e.g. Securly) have this as a setting now. However, if you are not able to use this approach, or want to set it on specific users only, then the latest Group Policy Templates have policies to enable it.

There are two policies for this: one blocks sign-in to Chrome from non-domain accounts, and the other blocks non-domain logins to things like Gmail.

Restrict who can sign into Chrome:


Restrict who can sign into G Suite tools such as Gmail. Just be aware that this does not stop users from authenticating with some services using a private account - but it does effectively block the use of G Suite tools with private accounts.


You can see the documentation for these settings (and all the other ones) here. To get the latest policy settings, you need to periodically download and update the template files on your domain controller. So if you don't have one or both of these settings, download and apply the latest ADMX files.
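To confirm that both settings have actually reached a PC, the following PowerShell audit reads the applied Chrome policies from the registry. It is an added example, not part of the original post. It assumes the policies are `RestrictSigninToPattern` and `AllowedDomainsForApps` (the post does not name them), that they are applied at machine level, and that `example.com` stands in for your domain; the function name is hypothetical.

```powershell
# Added example: audit the two Chrome policies on a domain-joined PC.
# Assumptions: machine-level GPO registry path, the policy value names
# RestrictSigninToPattern / AllowedDomainsForApps, and example.com as the domain.
function Test-ChromeAccountPolicy {
    param(
        [Parameter(Mandatory)] [string] $ManagedDomain,
        [string] $KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return "No Chrome policy key at $KeyPath (GPO not applied?)" }
    $findings = @()

    # Policy 1: which accounts may sign in to the Chrome browser itself.
    $pattern = $props.RestrictSigninToPattern
    if ([string]::IsNullOrWhiteSpace($pattern)) {
        $findings += 'RestrictSigninToPattern is not set'
    } else {
        try {
            # Anchor the pattern so the whole address must match (approximation
            # of Chrome's matching, evaluated here with the .NET regex engine).
            $rx = [regex]::new("^(?:$pattern)$", 'IgnoreCase')
            if (-not $rx.IsMatch("user@$ManagedDomain")) {
                $findings += "Sign-in pattern rejects $ManagedDomain accounts: $pattern"
            }
            if ($rx.IsMatch('user@gmail.com')) {
                $findings += "Sign-in pattern still admits consumer accounts: $pattern"
            }
        } catch {
            $findings += "Sign-in pattern is not a valid regex: $pattern"
        }
    }

    # Policy 2: which domains may use G Suite tools such as Gmail.
    $allowed = $props.AllowedDomainsForApps
    if ([string]::IsNullOrWhiteSpace($allowed)) {
        $findings += 'AllowedDomainsForApps is not set'
    } else {
        $domains = @($allowed -split ',' | ForEach-Object { $_.Trim().ToLower() })
        if ($domains -notcontains $ManagedDomain.ToLower()) {
            $findings += "AllowedDomainsForApps omits $ManagedDomain"
        }
        $extra = @($domains | Where-Object { $_ -and $_ -ne $ManagedDomain.ToLower() })
        if ($extra.Count) { $findings += "Review extra allowed domains: $($extra -join ', ')" }
    }
    $findings
}

$report = @(Test-ChromeAccountPolicy -ManagedDomain 'example.com')
if ($report.Count) { $report | ForEach-Object { "FINDING: $_" } } else { 'Both policies are set as expected' }
```

If the policies are applied per user rather than per machine, pass `-KeyPath 'HKCU:\SOFTWARE\Policies\Google\Chrome'` and run it in that user's session.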


