Sharing Options for Drive for child Org Unit do not work properly for Shared Drive

I have a critical issue with Sharing Options for App Drive and Docs

Steps

- I create a Parent OU (Organization Unit) under which are 2 child OUs, and I expect the following:

   + OU No.1: sharing options are ALLOWEDLIST DOMAIN & overridden from the Parent OU's sharing options -> all users in this OU are not allowed to share to a personal account (..gmail.com)

   + OU No.2: sharing options are OFF & overridden from the Parent OU's sharing options -> contains only one user X, and only this user is allowed to share to a personal account (..gmail.com)

But actually, after setting it up as above, it does not run as expected for a folder on a Shared Drive, while it does run for My Drive; I want the setting to run properly for the Shared Drive.

I raised many support cases and talked to many Google Drive experts, but a final expert said this Google feature is not supported and recommended that I suggest the idea here.

Please advise me.


@qadriver_sosc Have you seen the setting default actions on new Shared Drives at https://support.google.com/a/answer/7662202?hl=en&fl=1#zippy=%2Cset-the-default-access-for-all-new-s... -KAM


I saw it, but I want the setting "Sharing Options", not "Shared drive creation".


Hi there,
Your explanation took me a little while to understand... A little comma can make a difference! 🙂

OK, let's get to it!
If I understood correctly - I'm not sure if I did - this is what you are trying to achieve (correct me if I'm wrong): in one OU ("Child" OU1) you want to block external shares to non-whitelisted domains (which will also block sharing to @gmail.com addresses), and then, for another OU ("Child" OU2), which only contains 1 user, you want to allow external sharing to all domains (including Gmail.com).

If this is what you want you need to understand one major limitation: while sharing settings for "My Drive" are defined at OU level, shared drive permissions are defined ONLY by the sharing settings of the top-level OU (the domain-wide/account-wide settings).

With that said, your options are as follows:

Option 1: allow sharing only to whitelisted domains, at domain level.

If you do this then all shared drives (in all OUs) will be blocked from sharing to users in domains that have not been whitelisted, regardless of the sharing settings for specific OUs. On the other hand, sharing from "My Drive" will depend on the sharing settings defined for each OU, regardless of the domain-wide setting. Confusing!? A little...

So, this option is only useful if you want to limit sharing from all shared drives and give some additional permissions to some users (in some OUs), allowing them to share to all domains from "My Drive" (but not from a shared drive).

Option 2: allow sharing to all domains, at domain level, and then allow sharing only to whitelisted domains for some nested OUs ("Child" OU1, in your example), while allowing other OUs ("Child" OU2, in your example) to inherit the domain-wide setting, to let them share with anyone, including Gmail accounts.

If you do this then all shared drives will be allowed to share to all domains, regardless of the sharing settings for specific OUs. And again, sharing from "My Drive" will depend on the sharing settings defined for each OU, regardless of the domain-wide setting.

While this creates an apparent risk by allowing all users to share externally from shared drives, it is a better option because you can set limits on shared drive creation and you can also set sharing permissions for each shared drive, individually or at OU level.

So, in the end, you can do this:

 - Domain-wide settings (top-level OU): allow sharing to all domains

     - "Child" OU 1: allow sharing ONLY to specific domains (this will affect "My Drive" only) AND limit shared drive creation for users in this OU, AND/OR set shared drives to prevent (all) external users from accessing files in shared drives, AND/OR set shared drives to prevent sharing files with non-members and control the members yourself, adding the necessary members from the whitelisted domains. And, obviously, you can adjust the settings depending on your needs for that specific shared drive.
This will prevent users from sharing to Gmail accounts from their "My Drive" and also from the shared drives if you set the right permissions.

     - "Child" OU 2: unless you want some sharing nuances, there's no need for this OU because you can simply put the user X (as you wrote) in the top-level OU and all the other users inside "Child" OU1.


And that's it! I hope this helps!
I know that sharing permissions can be tricky to understand and sometimes require a lot of creativity to deliver the best outcome, so if you have any additional questions just let me know.

Regards,
Nuno

Just wanted to add that with the recent BETA features for shared drives you can now set sharing settings at OU level that will affect shared drives as well (not only "My Drive"), as long as you set the shared drives to be created (or move existing shared drives) in the desired OU.

It doesn't change much from what I wrote in my previous reply but it makes the process easier.
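The inheritance rule from the reply above (My Drive follows the nearest OU override; shared drives follow only the top-level OU, unless the OU-scoped shared drive feature from the follow-up is in use) can be modelled to check whether a given share would be permitted. This is an added illustration, not code from the thread or from Google; the setting labels "ALL", "ALLOWLIST" and "OFF", the OU names, the domain names and the permission records are constructed placeholders, and the permission records only mimic the shape of a Drive API permission resource (type, emailAddress, domain).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OU:
    name: str
    parent: Optional["OU"] = None
    # None = inherit from the parent OU; otherwise one of the simplified
    # labels "ALL", "ALLOWLIST", "OFF" (assumed names, not console wording)
    sharing: Optional[str] = None
    allowlist: set = field(default_factory=set)

def effective_setting(ou):
    """Walk up to the nearest OU that overrides the sharing setting."""
    node = ou
    while node.sharing is None and node.parent is not None:
        node = node.parent
    return node.sharing or "OFF", node.allowlist

def policy_for(item_ou, shared_drive, ou_scoped_shared_drives=False):
    """Shared-drive items take the top-level OU's setting; My Drive items
    take the owner's OU setting. The flag models the beta behaviour where
    shared drives placed in an OU follow that OU instead."""
    if shared_drive and not ou_scoped_shared_drives:
        top = item_ou
        while top.parent is not None:
            top = top.parent
        return effective_setting(top)
    return effective_setting(item_ou)

def share_allowed(permission, setting, allowlist, internal_domain):
    """Decide whether one permission entry is permitted under a setting."""
    if permission["type"] == "anyone":          # link sharing to anyone
        return setting == "ALL"
    domain = permission.get("domain") or permission["emailAddress"].split("@")[1]
    if domain == internal_domain:               # internal shares always fine
        return True
    return setting == "ALL" or (setting == "ALLOWLIST" and domain in allowlist)

# Constructed scenario matching "Option 2": top-level allows all domains,
# Child OU1 overrides to an allowlist, Child OU2 inherits from the top level.
TOP = OU("corp.example", sharing="ALL")
CHILD1 = OU("Child OU1", parent=TOP, sharing="ALLOWLIST", allowlist={"partner.example"})
CHILD2 = OU("Child OU2", parent=TOP)
GMAIL_USER = {"type": "user", "emailAddress": "someone@gmail.com"}   # constructed

def audit(ou, shared_drive, ou_scoped=False):
    """True if the constructed Gmail share would be allowed for this OU/drive."""
    return share_allowed(GMAIL_USER, *policy_for(ou, shared_drive, ou_scoped), "corp.example")
```

Running `audit(CHILD1, shared_drive=False)` blocks the Gmail share while `audit(CHILD1, shared_drive=True)` allows it, which is exactly the mismatch the original post describes; with `ou_scoped=True` the shared-drive case is blocked too.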
