In November 2018, Google publicly released the ability to have an LDAP server authenticate users on Windows machines using their Google Workspace credentials. Our team published an article on how to set this up, and we noticed a lot of interest in the topic. It was an exciting advancement, but it left some administrators wanting more: the solution was strictly about access and did not let them manage user or device policies on those Windows devices. Google has been working to address the features missing from the original solution, and has delivered a new option that goes beyond Secure LDAP: the new Windows 10 management features within the Admin console.
The first enhancement is that this is far easier to set up and deploy than Secure LDAP. To let users sign in to Windows machines with Google authentication, all that needs to be done is to install the Google Credential Provider for Windows (GCPW) application on the machine. GCPW is configured through registry keys, which can be used to limit which Google accounts are allowed to sign in to the device; these registry keys can also be set via Group Policy. Once the application is installed and the device rebooted, and provided admins have populated the appropriate custom attributes within Google, a user who signs in with their Google Workspace account will have their local Windows profile associated with it.
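As an added example (not from the original post, and not Google's own tooling), the PowerShell below audits and sets that sign-in allow-list on a device; it assumes the documented key path HKLM\SOFTWARE\Google\GCPW and value name domains_allowed_to_login, and the domain names in the usage line are constructed.

```powershell
# Added example: audit the GCPW sign-in allow-list on a Windows device.
# Assumes the documented key HKLM:\SOFTWARE\Google\GCPW and the REG_SZ value
# domains_allowed_to_login (comma-separated list of Workspace domains).
$GcpwKey = 'HKLM:\SOFTWARE\Google\GCPW'

function Get-GcpwAllowedDomains {
    # Returns the domains GCPW accepts at the sign-in screen, or an empty array
    # when the value is absent (in which case no domain restriction is applied).
    $item = Get-ItemProperty -Path $GcpwKey -Name 'domains_allowed_to_login' -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.domains_allowed_to_login -split ',' |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ })
}

function Test-GcpwAllowedDomains {
    param([Parameter(Mandatory)][string[]] $ExpectedDomains)
    # Compares the device's allow-list with the domains the school actually owns
    # and reports anything that would let an outside Google account sign in.
    $actual   = Get-GcpwAllowedDomains
    $expected = @($ExpectedDomains | ForEach-Object { $_.Trim().ToLower() })
    if ($actual.Count -eq 0) {
        return [pscustomobject]@{ Compliant = $false
                                  Reason    = 'No allow-list set: sign-in is not restricted by domain'
                                  Extra     = @() }
    }
    $extra = @($actual | Where-Object { $_ -notin $expected })
    return [pscustomobject]@{
        Compliant = ($extra.Count -eq 0)
        Reason    = if ($extra.Count -eq 0) { 'Allow-list matches expected domains' }
                    else { 'Unexpected domains present in allow-list' }
        Extra     = $extra
    }
}

function Set-GcpwAllowedDomains {
    param([Parameter(Mandatory)][string[]] $Domains)
    # Writes the allow-list (requires an elevated session); reboot afterwards,
    # as the post above notes, so GCPW picks up the new configuration.
    New-Item -Path $GcpwKey -Force | Out-Null
    Set-ItemProperty -Path $GcpwKey -Name 'domains_allowed_to_login' `
        -Value ($Domains -join ',') -Type String
}

# Usage: audit against constructed sample domains for the school's Workspace tenant.
Test-GcpwAllowedDomains -ExpectedDomains 'school.example', 'students.school.example' | Format-List
```

The same check can be run fleet-wide through a Group Policy startup script or a remote session, which is how a missing or over-broad allow-list is usually found.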
A big advantage for Google Workspace for Education Plus domains is configurable Mobile Device Management (MDM) policies. A listing of MDM-compatible policies can be found on Google's support page, as can the custom settings, which offer a handy auto-complete option that lets you search for any supported custom setting you want to configure. For users in Education Plus domains, signing in via GCPW causes the device to appear in Mobile Device settings as a "Company Owned Device," regardless of whether it is domain-joined.
Linking Google users via a custom attribute, which can be done with Google Cloud Directory Sync (GCDS), ensures that Group Policies for domain-joined devices follow users when they sign in with their Google Workspace email address. Configuring Group Policies, uploading custom ADMX files for additional applications, and pushing applications out to Windows profiles are a few of the items not presently available through Windows management in the Admin console.
Group Policies in Active Directory have been around since 2008, and there are a lot of them. With the improvements in Windows 10 policy control through the Google Workspace Admin console for Education Plus customers, we are getting closer to a single cloud-based console for managing both Chrome and Windows machines.
There is still room to grow and improve, but with the direction Google has taken in the latest iteration of Windows management, the dream of a one-stop platform is nearly within reach. You can connect with us to talk in more detail about your school's environment and how best to manage your Windows devices.
Stephen Gale
Technical Support Analyst
About the Author:
Stephen lives in Utah and enjoys the puzzle of investigating users' problems and finding potential solutions. A recovering/reformed gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related. Prior to joining Amplified IT, Stephen served as a network admin at a therapeutic boarding school and as an IT director, where he implemented Google Workspace for Education. Stephen has studied computer science and security at Weber State University and Western Governors University. A self-anointed honor: Stephen likes Chromebooks more than almost anyone else in the world.