This lovely note greeted me when I logged into my school district's Google Apps domain last night (click it for a full-sized image if you left your reading glasses at home):
I was lucky enough to get a preview of the feature many of us have been requesting for some time now: user groups and associated application control from within a single domain. Premier Edition customers should see this feature now (or very shortly), while Education Edition customers should see it in a week. Standard and Team Edition customers? Sorry, you're out of luck, although the size of most organizations using the latter two editions generally makes this level of user policy irrelevant.
Many organizations have actually created multiple domains to offer differentiated functionality to groups of users, causing manageability issues and interfering with many of the collaborative benefits of Google Apps. A hospital, for example, might create doctors.bighospital.org that allows access to all services for doctors and their support staff, while research.bighospital.org gets all services except Sites to prevent researchers and their support staff from too easily publishing sensitive materials. With the new tools, all users can have an @bighospital.org Google Apps account, but the research group can have appropriate restrictions placed on it.
Of course I wasted no time in firing up the user control features for one of the Educational domains I administer. They worked as advertised, including a hierarchical nesting of groups and their inherited privileges. In my case, I was able to shut down Chat for all students, shut down Email for elementary students, and prevent students at the elementary and middle school levels from emailing outside the domain. In one fell swoop I addressed every parent and teacher concern with greater adoption of Google Apps. The core Apps services are easily turned on and off from the administrator dashboard:
According to Google Apps Product Manager, Adam Dawes,
The ability to toggle services on or off for groups of users can also help customers transition to Google Apps from on-premise environments. For example, a business can enable just the collaboration tools like Google Docs and Google sites for users who haven’t yet moved off old on-premise messaging solutions.
Although it's taken Google a while to roll this feature out, they've made it remarkably elegant. Setup of groups and their inheritance routes is handled through a simple web interface within the dashboard and existing users can be moved en masse into the new groups:
I had a chance to speak both with Mr. Dawes and Matt Glotzbach, Google Enterprise Director of Product Management, about the long-awaited release and the competitive disadvantage it handily addressed with Microsoft's cloud and on-premise hybrid services. Mr. Glotzbach noted,
“We didn't do this based on a specific competitive front; instead it was based on feedback from customers.”
Well, OK...sure. And the fact that you can pull these groups directly from an Active Directory (or any LDAP server for that matter) server and synchronize then regularly and automatically with Google's Directory Sync tool isn't a shot at Microsoft either. Whatever. I don't care. This is a feature to write home about. As Mr. Glotzbach explained, Google has done a great job of listening to consumers and users in terms of the UI and feature sets for Apps. However, "administrators are users too," and this addresses a gaping whole in the management capabilities of Apps that has become increasingly obvious as the online suite evolved further and further beyond its Gmail roots.
Is your organization deciding between Google Apps and a Microsoft solution for collaboration and groupware? That decision just got a lot harder today as one of Microsoft's key differentiators just went away. Then again, if you were leaning towards Google, that decision just might have gotten a whole lot easier.