Google Workspace Administration at Scale

Technical administration of a 3,000-user directory across 5 distributed campuses.

3,000+ Active Users
400+ Active Staff
5 Distributed Campuses

Overview

Administration of Google Workspace directories across distributed multi-campus networks. This work involves GAM command-line automation, Organizational Unit (OU) structures, 2-Step Verification (2SV) rollouts, Shared Drive permission hierarchies, and OAuth application audits.

Operational Work & Projects (Representative)

  • OU restructuring & cleanup: Audited all 5 campus directories, consolidated legacy Organizational Units (OUs), and deactivated orphaned user accounts (Performed).
  • 2-Step Verification (2SV) rollout: Drafted and enforced mandatory 2SV for all staff members, established backup code procedures, and shortened session duration parameters (Performed).
  • Shared Drive security audits: Restructured multi-departmental Shared Drive permissions, blocked external domain sharing, and enforced viewer/commenter limits on core directories (Performed).
  • OAuth application audit: Revoked unverified third-party API tokens, analyzed application permission scopes, and configured Admin Console API controls (Performed).
  • Offboarding process audit: Analyzed deprovisioning latency and recommended API integration between the HR database and Google Workspace (Recommended).
  • GAM script automation: Scripted Google Apps Manager (GAM) CLI commands to automate bulk user creation, audit user access states, and modify directory permissions via CSV inputs (Performed).

Identity & Access Management

  • User lifecycle: Auditing departure lag, deactivating credentials on termination dates, rotating access keys, and executing Drive document ownership transfers (Performed).
  • Role-Based Access Control: Partitioning students and staff into isolated root OUs to govern separate email limits, service access, and marketplace permissions (Performed).
  • 2-Step Verification: Enforcing 2SV, blocking local recovery options for administrative accounts, and configuring session persistence timeouts (Performed).

Security & Governance

  • Google Vault: Configuring retention rules, executing search queries, and exporting audit logs to support internal security reviews (Performed).
  • API controls: Whitelisting authorized third-party OAuth apps and blocking access scopes for unverified integrations (Performed).
  • Sharing controls: Restricting Drive external link creation and blocking external access to sensitive administrative OUs (Performed).

Automation & Scale

  • Bulk OU migrations: Moving user accounts across OUs via GAM script parsing of CSV data sheets (Performed).
  • Drive access queries: Running GAM commands to output Shared Drive ACL states and strip unauthorized external shares (Performed).
  • Directory audits: Generating CSV audits of user 2SV status, last login timestamps, and authorized third-party API tokens (Performed).
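
A sketch of the directory audit described above, as an added example rather than one of the scripts this page refers to. It assumes a user export CSV whose columns are named after the Directory API user fields (primaryEmail, orgUnitPath, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime); the `/Staff` root OU name, the 90-day threshold, and all sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STAFF_ROOT = "/Staff"             # assumed name of the staff root OU
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold

SAMPLE_CSV = """primaryEmail,orgUnitPath,suspended,isEnrolledIn2Sv,isEnforcedIn2Sv,lastLoginTime
a.teacher@example.edu,/Staff/Campus1,False,True,True,2024-05-28T08:15:00.000Z
b.clerk@example.edu,/Staff/Campus2,False,False,False,2024-05-30T10:00:00.000Z
c.former@example.edu,/Staff/Campus3,False,True,True,2023-11-02T09:30:00.000Z
d.new@example.edu,/Staff/Campus4,False,False,True,1970-01-01T00:00:00.000Z
e.gone@example.edu,/Staff/Campus5,True,False,False,2022-01-10T12:00:00.000Z
s.student@example.edu,/Students/Campus1,False,False,False,2024-05-31T07:45:00.000Z
staffroom.kiosk@example.edu,/StaffKiosks,False,False,False,2024-05-31T07:45:00.000Z
"""  # constructed sample export, not real directory data

def in_ou(path, root):
    """True if path is root or a descendant; plain startswith would match /StaffKiosks."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def parse_login(value):
    """Aware datetime, or None for never-logged-in (assumed shown as epoch or 'Never')."""
    if not value or value == "Never" or value.startswith("1970-01-01"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(csv_text, now):
    """Map primaryEmail -> list of findings for active (non-suspended) staff accounts."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["suspended"] == "True" or not in_ou(row["orgUnitPath"], STAFF_ROOT):
            continue
        issues = []
        if row["isEnrolledIn2Sv"] != "True":
            issues.append("2sv-not-enrolled")
        if row["isEnforcedIn2Sv"] != "True":
            issues.append("2sv-not-enforced")
        last = parse_login(row["lastLoginTime"])
        if last is None:
            issues.append("never-logged-in")
        elif now - last > STALE_AFTER:
            issues.append("stale-login")
        if issues:
            findings[row["primaryEmail"]] = issues
    return findings

if __name__ == "__main__":
    for email, issues in audit(SAMPLE_CSV, datetime(2024, 6, 1, tzinfo=timezone.utc)).items():
        print(email, ",".join(issues))
```

Accounts that are enforced but not enrolled, like the constructed `d.new` row, are worth a separate look because they typically sit inside a new-user enrollment grace period.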

Multi-Campus Standardization

  • Standard Operating Procedures (SOP): Authoring step-by-step procedures for password resets, Chromebook enrollment, and hardware decommissioning (Performed).
  • Operations documentation: Documenting all directory configurations, custom GAM CLI scripts, and root OU structures to maintain continuity (Performed).
  • Configuration alignment: Syncing sharing rules, marketplace apps, and device policies identically across all 5 campus locations (Performed).

Operational Design Considerations

  • Identity isolation: Separating staff and student accounts into strict root OUs to ensure email routing rules and Drive permissions never cross roles (Performed).
  • Delegated roles: Recommending custom, scoped administrator permissions (e.g., Helpdesk role) to minimize active Super Admin profiles (Recommended).
  • Device constraints: Restricting unmanaged hardware sync and enforcing session timeouts to prevent directory token persistence (Performed).