Creating standard email distribution groups in GSuite

First let's be clear what we mean by Groups.

This post describes GSuite Organisational Groups. They are part of the company/school as a whole and are listed in the global directory alongside users, and like users, they always have an email address identifier.

Organisational Groups should not be confused with Contract Groups which are managed through the Contacts icon. These are simple email expansion sets which are private to the user and are not shared through the company/school directory.

Creating a standard distribution Group.

The standard’ mail distribution group commonly used in most schools as provided by Microsoft Active Directory has a number of features.
  • Membership of the group is controlled as a admin function. Only groups admins can add or remove users.
  • Mail sent to the group is distributed to all members of the group.
  • The ability to mail to the group is not limited to being a member of the group.
  • Mail into the group should not be visible to all senders but only to members of the group.
  • Membership of the group is hidden to everyone except other members of the group.
  • Group address email appears in the email directory listing and can be hidden or exposed to public access as required.

To recreate these features you need to follow the steps below.

Step 1: Turn off Google Groups for Business to all users except console admin accounts. This will restrict the management of organisational groups to only admin and those users granted Group Management console rights.

Step 2: As an admin user create a group in admin panel using the Restricted template which applies the following rights.

Only managers can invite new members. Only members can post messages, view the members list, and read the archives. Messages to the group do not appear in search results.

The Restricted template is closest to the base requirement and reduces the amount of customisation required. Only group members can see the members list and access the post listings. The only issue is the fact that only group members can post therefore this right needs to be be expanded.

Step 3:The dialog to update this setting can be found by selecting the group and then clicking in Access Settings bar.

As a consequence of Google Groups for Business being active for the admin account the extended permissions dialog is available and you can select Basic Permission from the left hand menu and Post.

The only option other than All members of the group is All Organization members and Public. Set as required.

This creates a group that has the properties listed above but can be customized further.

Management of the Group,

As the default group owner, with Google Groups for Business enabled  the admin account has access to all the properties of the group.

Alternatively a separate user account can be granted Group Management rights using the Admin Role facility in the console (left).

As a group admin the user can update any group with rights that include adding and removing users and can even delete the group and create new groups. However they will be barred from the advanced settings provided by Google Groups for Business as this feature is inactive for this account.

All administrators for the organisation are group Owners by default although they are not listed on the Group membership and do participate in the mail flow.

Restricting Posting permissions.

Unfortunately there is no direct equivalent of the Microsoft group permissions feature that allows you to control posting access to a group.

By default the ability to post to a group is limited to the options listed below.
  • Owners of the group
  • Manager of the group
  • All members of the group
  • All organisation members 
  • Public
Therefore for most general distribution groups the option selected will be All organisations members unless it is a closed interest group such as a project team.

However you may have a situation whereby a single Year Group must be able to email the teaching team or have a All Teachers distribution group that you do not wish student to access.

In this case you have to allow All organisations members but then prevent certain accounts from mailing the group using email routing rules.

This is fairly easy to set up and requires admin access to the GMail icon in the Apps section of the console.

Click on the Settings section and then highlight the point in the OU (left) that you wish the policy to apply to. For instance for all students it would be the root of the student OU tree,

Move to the Routing section of the settings page, and configure the routing option (below).

The setting will need to be similar to those shown below.

This routing rule will prevent all students from mailing the AllStaff distribution group. Other accounts outside of the Students OU would be unaffected.

You  only need to identify internal sending if your group is not public and then capture all emails with the recipient address that you need to block.

The action can be as required but would normally be a rejection with an explanation

No comments:

Post a Comment