
Google Login and Single Sign-on to Google Services in Chrome in an AD environment

I've previously posted about the ability to manage Windows PCs in the Google Admin Console. However, what if you still manage your PCs via local Active Directory but use Google Workspace for most things? Well, you can have your cake and eat it - you just need to use Google Credential Provider for Windows (GCPW) and do a few configurations.

Step 1 - update your users on the Google Admin Console

You need to add a custom attribute to all of your users (at least those who use PCs) in the Google Admin console to link them with their local AD account. Create the custom attribute in the Admin console and populate it with each user's AD Windows account details:


The custom attribute you need is Enhanced_desktop_security and the field is AD_accounts. Detailed instructions can be found here.

You can auto-populate this field using GADS (Google Apps Directory Sync) if you use it to auto-provision your Google accounts from AD. Alternatively, you can populate the field in bulk with a Google Sheets script or add the values manually.

Step 2 - Deploy the GCPW and required registry settings

Download the MSI installer from here and deploy it via Group Policy or SCCM as normal.

Deploy the following registry settings via Group Policy:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\GCPW]
"domains_allowed_to_login"="yourgoogledomainname"
"enable_dm_enrollment"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\DriveFS]
"ForceBrowserAuth"=dword:00000001
"AutoStartOnLogin"=dword:00000001

The first key specifies the domain allowed to log in. If you put in just one domain, it is auto-populated on the login screen; you can, however, specify multiple domains.

The second key prevents GCPW from trying to enrol the machine in the Google Admin console - we are managing machines here with local Group Policy. See my other blog posts on cloud-managing a machine.

The other two are for the Google Drive app. These are optional, but they auto-start the Google Drive app and prompt for authentication in the browser. As GCPW provides single sign-on, the Drive app is signed in automatically.
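As an added example (not from the original post), here is a PowerShell script that audits the Step 2 registry values on a PC and, with -Fix, writes any that are missing or wrong, which is handy as an SCCM compliance check after the GPO has applied. The domain name is the post's placeholder, and the comma-separated format for multiple domains is an assumption.

```powershell
# Added example (not from the original post): audit, and optionally enforce, the GCPW and
# DriveFS registry values from Step 2 on the local machine. Writing to HKLM needs an
# elevated session. Comma-separated multiple domains is an assumption; adjust for your tenant.
param(
    [string[]]$AllowedDomains = @('yourgoogledomainname'),  # placeholder from the post
    [switch]$Fix                                            # rewrite values that have drifted
)

# The four values the post deploys via Group Policy, with their expected types.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Google\GCPW';    Name = 'domains_allowed_to_login'; Value = ($AllowedDomains -join ','); Type = 'String' },
    @{ Path = 'HKLM:\SOFTWARE\Google\GCPW';    Name = 'enable_dm_enrollment';     Value = 0; Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Google\DriveFS'; Name = 'ForceBrowserAuth';         Value = 1; Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Google\DriveFS'; Name = 'AutoStartOnLogin';         Value = 1; Type = 'DWord' }
)

$drift = 0
foreach ($e in $expected) {
    # Read the current value; $null if the key or value does not exist yet.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $actual)                  { $state = 'MISSING' }
    elseif ("$actual" -ne "$($e.Value)")    { $state = "WRONG (is '$actual')" }
    else                                    { $state = 'OK' }
    "{0,-55} {1,-30} {2}" -f "$($e.Path)\$($e.Name)", "expected '$($e.Value)'", $state

    if ($state -ne 'OK') {
        $drift++
        if ($Fix) {
            # Create the key if needed, then (re)write the value with the correct type.
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType $e.Type -Force | Out-Null
            "  -> set"
        }
    }
}

# Non-zero exit lets SCCM or a scheduled task flag machines where the GPO has not applied.
if ($drift -gt 0) { exit 1 }
```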

Step 3 - Testing

If you are using local Chrome policies - you need to test how they interact with GCPW for all policies you have.

The end result

People sign into Chromebooks and PCs with the same account.

Using GCPW updates the local AD password to match the Google one - so if you have apps that authenticate via a connection to AD, these work automatically with the Google credentials.

Chrome has the user automatically signed in after login - so you have single sign-on to all of your Google services.

Comments

  1. 2-step verification does work - but not yet with USB keys - so if they have a key - they need another method - Auth app or Google prompt. I'm hoping support will come soon.

  2. Clarify discrepancy: The picture shows the custom field required as "AD_accounts". The wording in the paragraph has it as "AD_account". ...which is correct?

  3. Hi, we have this deployed and it works great. The only issue we have is that users can bypass 2-Step Verification by clicking other user --> sign in options --> Local or domain account password --> and then use their AD username and Google password. This will only get them onto the computer and not logged into Google, but if the previous session they were logged into Google they still are.

    This is a concern because if someone gets the password of a user, they can access their computer (and then often their email account) with just the password and no 2-Step Verification needed.

    I was wondering if there was a way to disable the other sign-on option so they are forced to use GCPW.

    1. That's all true - to a point. We set a basic AD password - that gets updated on the first user login. After that (assuming you are not wiping profiles) what you say is the case, and useful if someone has to log in offline on a device.

      You can mitigate this if it's a concern to you by reducing the time between re-authentication on Google and by preventing people trusting devices if you want.

      You can also enable/disable the various sign-in options via a reg key or GPOs.
