s

G Suite Settings

To create user accounts in G Suite, ADManager Plus must be able to access G Suite and have the necessary privileges to create accounts. For this purpose, you must configure the G Suite settings in ADManager Plus by providing the credentials of a G Suite account with the necessary administrative privileges.

To configure G Suite settings in ADManager Plus,

  • Click the Admin tab.
  • Under Custom Settings, select the G Suite link.
  • Click the Add G Suite Account link located at the top right corner of the page.
  • Enter the User Name (of the G Suite administrative account) and the Service Account Email; select the relevant P12 Key File. Click here for the steps to create a service account email and the P12 file, and also to grant domain-wide authority to the new service account.
  • Select the domains to whose users G Suite accounts should be provisioned.
  • Save the settings.

Steps to create a Service Account Email and P12 file

  • Go to: https://console.developers.google.com
  • Logon using your G Suite Administrator account credentials.
  • Create a new project named ADManager Plus.
  • Now, in the right pane, click 'Enable and manage APIs'.
  • In the right pane, under 'G Suite APIs', click 'Admin SDK', and then 'Enable API'.
  • In the left pane, click 'Credentials'.
  • In the right pane, click 'Add credentials' and then select 'Service account key'.
  • From the 'Service account' drop down menu, select 'New service account'.
  • Enter name as 'ADManager Plus' and choose 'Key type' as P12 and then click 'Create'.
  • Save the P12 file and then click 'close'.
  • You will now be able to see the new service account that you created. Click 'Manage Service accounts'.
  • The Service Account Email is the one that is mentioned in the Email address column.
  • Click the three vertical dots that appear at the end of service account, and then select 'edit'. Select 'Enable G Suite Domain-wide Delegation', and then click 'Configure consent screen'. (If you have already configured a consent screen, click 'Create').
  • If you selected 'Configure consent screen' as explained in the previous step:

    a) In the OAuth Consent Screen, enter 'Product name shown to users' as 'ADManager Plus' and then click 'Save'

    b) Click Save again, if 'Edit service account' information appears.

  • Click 'View Client ID' under 'Options' in the created service account. 
  • Note the Client ID mentioned.
  • Now grant 'domain-wide authority' to this Service Account, using the following steps.

Granting domain-wide authority to the new Service Account

  • Go to the Admin console of your G Suite domain.
  • From the list of controls displayed, select Security.
    (If Security in not listed, select More controls from the gray bar which is located at the bottom of the page, and select Security.)
  • Select Advanced settings from the list of options.
    (Click Show More if Advanced settings is not visible)
  • Select Manage API client access in the Authentication section.
  • Enter the Client ID of the service account in the Client name field.
  • In the One or More API Scopes field enter: https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.orgunit
  • Click Authorize.
  • (For more information on granting domain wide authority, please refer this document from Google.