Skip to main content

This is an extended guide to Box Group Management and RAD synchronization.

In the Rutgers Box tenant, groups are managed through RAD and then synchronized to Box. They are not managed in Box itself. This guide explains how delegated administrators can do this and provide a number of examples.

If you are looking for a brief overview of the process instead, please see Box group management.

What you will need

  • An -adm account in RAD
  • Ability to manage RAD groups in your OU
  • An -adm account in Box

RAD -box-sync groups

Not all groups in RAD are synced to Box. If you would like a RAD group synced to Box, you must indicate that by making it a member of a -box-sync group in your OU.

There are two valid locations for a -box-sync group: in your top-level OU or in a sub-OU one level down. You can have as many of the latter as you want, so long as they are in different sub-OUs.

Any group in your OU can be a member of your top-level -box-sync group, but the -box-sync groups in sub-OUs can only contain member groups in the same sub-OU. If you make a group which resides outside of the OU or sub-OU a member of one of your -box-sync groups in RAD, that group will not sync to Box.

NOTE: -box-sync groups are only used to mark groups for synchronization and are not themselves groups in Box. As such, they should not contain any users directly. If you add users to a -box-sync group in RAD, they will be ignored during synchronization.

Why Create More Sub-OUs?

This allows for large units to use delegated administration more effectively. By parsing groups into sub-OUs, units do not have to give one department’s delegated IT staff access to manage RAD groups in the entire unit.

What if I Don’t Want to Use Sub-OUs?

If you have a small unit or do not want to use -box-sync groups in sub-OUs for any other reason, you do not have to use them. Simply place all of your OU’s groups that you want synced to Box into your top-level OU’s box-sync group.

Group Flattening

Box does not support nested groups. When RAD groups which contain other groups as members are synchronized to Box, they must produce a flattened group in Box. Only the top-level group becomes a group in Box, but all of the members of all of its subgroups in the same OU/sub-OU are included (aside from -adm accounts, which are a special case addressed in the next section of the guide).

If you want a group to appear in Box, it must be individually a member of an appropriate -box-sync group. If it is only a subgroup of a -box-sync group member, it will not become a group in Box, although its members will be included in the parent group that is synced to Box.

Setting Box Group Admins

Any -adm accounts in a RAD group synced to Box are made into group admins in Box, provided that the admin has an -adm account in Box. Box group admins will have permissions to manage shares for the group and also to delete the group in Box (note that the group will be recreated after the next sync interval unless it is also moved or deleted in RAD).

Unlike regular users, -adm users in subgroups of a group that is synchronized to Box do not become members of the parent group in Box. That would have the unintended side effect of making a delegated administrator for a sub-OU into a Box group admin for an OU-wide group. -adm accounts must be placed directly into any groups synced to Box.

If your -adm account is not a member of a group you marked for synchronization to Box, the group can still be synced. However, you will be unable to see it. Groups in our tenant are only visible to their members and admins, so it may appear on your end as though the synchronization did not work.

Group Naming Conventions

  1. The top-level -box-sync groups must be named [ou]-box-sync. The -box-sync groups one level down must be named [ou]-[sub-ou]-box-sync or [ou] [sub-ou]-box-sync depending on your separator preference (space or hyphen).
  2. RAD groups that you want to be synced to Box should be named in one of the following ways:
    • [ou]-[freeform portion]
    • [ou] [freeform portion]
    • [ou]-[sub-ou]-[freeform portion]
    • [ou] [sub-ou] [freeform portion]
  3. There is no limit on how many sub-OUs a group name can contain. For example, the following is fine:
    • [ou]-[sub-ou1]-[sub-ou2]-[sub-ou3]-[freeform portion]
  4. Both spaces and hyphens are valid separators, but each individual group name must be internally consistent.
  5. Your top-level -box-sync group can contain a group named [ou]-[sub-ou]-[freeform portion] and a group named [ou] [sub-ou] [freeform portion] without any issues, but a group named [ou]-[sub-ou] [freeform portion] or [ou] [sub-ou]-[freeform portion] is not correctly formatted.
  6. If a group that is poorly formatted in this way is placed in your top-level -box-sync group, it will still sync, but if it is placed in a sub-OU’s -box-sync group it will not be recognized as part of that sub-OU and will not sync to Box.
    *This is a deliberate choice to avoid ambiguity, not a limitation of the sync script.

The “Additional information” section of this page contains answers and explanations that may be handy.

NOTE: -box-sync groups are a special exception to the internal consistency requirement; if you want to use spaces to separate your top-level OU and sub-OUs, you can do so while using the required hyphen to separate the sub-OU from “box-sync.” For example, “Pets Cats-box-sync” is as valid as “Pets-Cats-box-sync.”

Warnings & Notes

  • Synchronization is not instantaneous; it occurs every half hour.
  • Once a RAD group has been synchronized to Box, deleting the RAD group or removing it as a member of its -box-sync group will break synchronization. Do not move or delete a Box-synchronized group in RAD unless you no longer want to use the group in Box.

NOTE: The -box-sync groups are unrelated and should not be confused with the Box Sync client. Box is promoting Box Drive over Box Sync until they phase Box Sync out completely.

  • The group will be renamed in RAD to indicate an error in synchronization, so this broken state will be readily apparent to end users.
  • The group’s membership will be retained as it was after the last successful synchronization — it will no longer be editable in any way. Shares to the group will be unaffected.
  • In the case of a moved group, moving it back to its original location will resolve the issue automatically. However, there is no easy fix for a deleted group.
    • If you no longer wish to use a group in Box, you can move or delete it in RAD and then simply delete the group in Box.
  • You can add users to a RAD group marked for synchronization to Box even if they do not have a Box account.
    • Without a Box account they cannot be immediately added as a member of the group in Box; however, when they activate a Box account, they will automatically be added to all of the groups they were previously made a member of.
  • Currently, this addition will happen the next time the sync script runs, but instant addition of newly-activated Box users to their assigned groups is in the works.
  • Group names containing parentheses are not supported.

Examples

For the examples in this guide, we will use the hypothetical delegated administrator “netid1” who manages the “Pets” OU.

First, we will consider examples using the top-level -box-sync group for the OU.

Correct:

[OU] Pets

[GROUP] Pets-box-sync

[GROUP] Pets-Dogs-All Dogs

[USER] netid1-adm

[GROUP] Pets-Dogs-Golden Retrievers

[USER] netid1-adm

[USER] netid2

[USER] netid3

[GROUP] Pets-Dogs-Corgis

[USER] netid1-adm

[USER] netid4

[GROUP] Pets-Dogs-Corgis

[USER] netid1-adm

[USER] netid4

This will result in two groups being created in Box (Pets-Dogs-All Dogs and Pets-Dogs-Corgis). If a group is placed in a -box-sync group, members of its subgroups are synced as members of that parent group in Box, so Pets-Dogs-All Dogs would contain netid1-adm, netid2, netid3, and netid4.

Correct:

[OU] Pets

[GROUP] Pets-box-sync

[GROUP] Pets Cats Bengals

            [USER] netid1-adm

            [USER] netid5

            [OU] Dogs

[GROUP] Pets-Dogs-box-sync

[GROUP] Pets-Dogs-Golden Retrievers

[USER] netid1-adm

[USER] netid2

[USER] netid3

This will result in two groups being created in Box (Pets Cats Bengals and Pets-Dogs-Golden Retrievers).

NOTE: Groups in the “Pets-Dogs-box-sync” group must also be in the “Dogs” sub-OU of “Pets,” while groups in the “Pets-box-sync” group do not have that restriction and only need to be in the “Pets” OU. Also note that both spaces and hyphens are fine as separators so long as each individual name uses them consistently.

Incorrect:

[OU] Pets

[GROUP] Pets-box-sync

[USER] netid1-adm

[GROUP] Pets-Dogs-Golden Retrievers

            [USER] netid2

            [USER] netid3

[GROUP] Pets-Dogs-Corgis

            [USER] netid4

            [OU] Dogs

[GROUP] Pets-Dogs-box-sync

[USER] netid1-adm

[USER] netid2

[USER] netid3

Incorrect:

[OU] Pets

[OU] Dogs

[GROUP] Pets-Dogs-box-sync

[GROUP] Pets-Cats-Bengals

                                    [USER] netid1-adm

[USER] netid5

[GROUP] Pets-Dogs Siberian Huskies

                                    [USER] netid1-adm

[USER] netid6

[OU] Retrievers

[GROUP] Pets-Dogs-Retrievers-box-sync

[GROUP] Pets-Dogs-Retrievers-Golden Retrievers

[USER] netid1-adm

[USER] netid2

[USER] netid3

This Will Result in 0 Groups Being Created in Box!

A -box-sync group in a sub-OU can only contain groups in the same sub-OU. Therefore, “Pets-Cats-Bengals” cannot be included in “Pets-Dogs-box-sync,” because it is in the Cats sub-OU and not the Dogs sub-OU. “Pets-Cats-Bengals” should be placed either in a top-level “Pets-box-sync” group or else in a “Pets-Cats-box-sync” group in the Cats sub-OU.

Because “Pets-Dogs Siberian Huskies” does not use separators consistently, it is interpreted as being a group named “Dogs Siberian Huskies,” which resides directly in the Pets OU. Because it is not considered to be in the Dogs sub-OU and -box-sync groups in sub-OUs can only contain groups in the same sub-OU, it cannot be synced.

There is a maximum depth of one for -box-sync groups. “Pets-Dogs-Retrievers-box-sync” is simply never looked at, regardless of its correct formatting.

Additional Information

Enterprise Infrastructure’s guide to RAD

General Management of Box Groups

Please contact help@oit.rutgers.edu if you have any questions.

Rationale Behind Requirement for Internal Consistency of Separators

Consider a hypothetical group whose name contains a space or hyphen in the freeform portion of its name, like “TestBox Box-Users.” Because the first separator used is a space, the script will only consider spaces as separators in this group name, so the group name is parsed as “[TestBox] [Box-Users]” (a single OU and then a freeform portion). This is the intended behavior.

If there were no requirement for internal consistency and both spaces and hyphens were treated as separators in all cases, the name would be parsed as “[TestBox] [Box] [Users]” (an OU, a sub-OU, and a freeform portion). If this group were placed in TestBox’s top-level -box-sync group, it would sync to Box and at first glance appear to be working. However, this would lead to unpleasant surprises. If “TestBox Box-Users” contained “TestBox Admins,” the members of “TestBox Admins” would not be synced because the “TestBox Admins” group would not be in the mistakenly-identified “Box” sub-OU.