Google Apps Directory Sync (GADS) makes syncing your Active Directory users with Google Apps simple. But sometimes you need Google Apps accounts that are independent from AD.
By default GADS will automatically delete any Google Apps account it doesn’t find in your Active Directory, which makes it easy to delete or suspend users by accident.
In this article we show you how to:
- Set your base DN to narrow down which users are synced.
- Configure GADS’ user deletion and suspension settings so that accounts aren’t deleted by accident.
- Set up Google Apps accounts that don’t exist in your AD and tell GADS to ignore them.
Setting Your Google Apps Directory Sync Base DN
The base DN, found on the LDAP Configuration page, is the entry point from which GADS starts reading user account information in your Active Directory. By setting the base DN “lower” in your Active Directory structure you control how many users GADS syncs and reduce the risk of creating Google Apps users you never intended to.
The highest level of your directory structure will be:
By using the above as your base DN, GADS will pull over all of your users and groups unless you exclude specific information in other settings. Preferably you want to specify a “lower” organisational unit by using something like this:
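To make the effect of the base DN concrete, here is an added Python check (example code written for this article, not part of GADS) that decides whether an AD account sits under a given base DN the way an LDAP subtree search would. The domain example.com, the OU layout and the five sample DNs are constructed for the example; the one real detail it handles is an escaped comma inside a CN, which a naive split on “,” would break.

```python
import re

# Constructed sample AD users for the hypothetical domain example.com
# (these DNs are not from the article).
SAMPLE_USERS = {
    "alice@example.com": "CN=Alice Adams,OU=Teachers,OU=Staff,DC=example,DC=com",
    "bob@example.com": "CN=Bob Brown,OU=Office,OU=Staff,DC=example,DC=com",
    "carol@example.com": "CN=Smith\\, Carol,OU=Staff,DC=example,DC=com",  # escaped comma in the CN
    "dave@example.com": "CN=Dave Davis,OU=Leavers,DC=example,DC=com",  # moved out of Staff
    "svc-backup@example.com": "CN=svc-backup,CN=Users,DC=example,DC=com",  # default Users container
}

# Split a DN on commas that are not escaped with a backslash, so "CN=Smith\, Carol" stays one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Break a DN into (attribute, value) pairs, most specific first.

    Attribute types and AD values such as OU and DC names are compared
    case-insensitively, so both are lower-cased and surrounding whitespace is dropped.
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(user_dn, base_dn):
    """True if user_dn is at or below base_dn, i.e. base_dn is a trailing suffix of it."""
    user = parse_dn(user_dn)
    base = parse_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base


def scope_report(base_dn, users=SAMPLE_USERS):
    """Emails of the accounts GADS would read under base_dn, before any other filters."""
    return sorted(email for email, dn in users.items() if in_scope(dn, base_dn))


if __name__ == "__main__":
    for base in ("DC=example,DC=com", "OU=Staff,DC=example,DC=com"):
        print(base, "->", scope_report(base))
```

With the root of the domain as the base DN every account, including the service account in the default Users container, is in scope; with OU=Staff only the three Staff accounts are. Dave, who has been moved to OU=Leavers, drops out of scope, which is exactly the situation the deletion and suspension settings below have to cope with.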
Google Apps Users Deletion and Suspension Policy Settings
Once your base DN is set you can use the “Google Apps Users Deletion / Suspension Policy” settings to control how GADS deals with Google Apps accounts that don’t exist in Active Directory.
To adjust “Google Apps Users Deletion / Suspension Policy” settings do the following:
- Open GADS
- Click User Accounts > User Attributes
- Scroll to the bottom of the screen and you’ll find the “Google Apps Users Deletion / Suspension Policy” settings.
- Choose your preferred options and save the configuration file.
Delete only active Google Apps users not found in LDAP (suspended users are retained).
This option deletes any Google Apps user not found in your Active Directory, except suspended Google Apps accounts, which are retained. While this is good for security, it only takes a user being accidentally moved into the wrong AD Organisational Unit (one outside your base DN) for their account and data to be deleted.
Delete active and suspended Google Apps users not found in LDAP.
This deletes both active and suspended Google Apps accounts that are not present in your Active Directory. Again, this is good for security, but a single user accidentally moved into the wrong AD Organisational Unit is enough for their account and data to be deleted.
Suspend Google Apps users not found in LDAP, instead of deleting them.
This suspends rather than deletes Google Apps accounts not found in Active Directory. This is my preferred option as the account is made inaccessible but no data is put at risk.
Don’t suspend or delete Google Apps admins not found in LDAP.
This option is probably the most important. Selecting this check-box prevents GADS from suspending or deleting any Google Apps account that has administrator privileges, so admin accounts can’t be locked out or deleted by accident.
Creating Google Apps accounts that aren’t affected by GADS
Sometimes you may want to create a Google Apps account that doesn’t exist on your Active Directory domain. For example, we have a number of remote users who never need to log in to our school system but they do need Google Drive accounts.
To do this we can create exclusion rules which tell GADS to ignore specific Google Apps users or groups when synchronising users.
- Open GADS and navigate to Google Apps Configuration > Exclusion Rules.
- Click Add Exclusion Rule.
- There are a number of options available to specify which user or group we want GADS to ignore, but in this example we’re simply going to stop GADS from deleting or suspending users in a Google Apps Organisation I’ve called “Service Accounts”.
- Select Organization Complete Path.
- Select Exact Match for the Match Type.
- In the Exclusion Rule box enter the path to the Google Apps Organisation. Because my Organisation is at the top level of the Google Apps user structure I can simply enter the name of the organisation, in this case “Service Accounts”. If my organisation were deeper in the structure I would enter the full path instead, for example “Admins\Users\Service Accounts”.
GADS will now ignore any user within this Google Apps Organisation and will never delete or suspend them, even though they don’t exist in Active Directory.
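The following Python model is an added example (not code from the article or from GADS) that ties the deletion/suspension policy options above to the exclusion rule from this section: for each Google Apps account it decides whether GADS would keep, suspend or delete it. The exact rule semantics are assumptions (exact match compares the whole organisation path, a regular expression is searched within it), the backslash path separator is copied from the text above, and the domain example.com, the sample accounts and the LDAP result set are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GoogleUser:
    email: str
    org_path: str           # Google Apps organisation path, e.g. "Service Accounts"
    suspended: bool = False
    admin: bool = False


# The three mutually exclusive policy choices from the deletion/suspension settings.
DELETE_ACTIVE_ONLY = "delete_active_only"
DELETE_ACTIVE_AND_SUSPENDED = "delete_active_and_suspended"
SUSPEND_INSTEAD = "suspend_instead"


@dataclass(frozen=True)
class ExclusionRule:
    match_type: str   # "exact" or "regex" (other GADS match types are not modelled)
    pattern: str

    def matches(self, user):
        # Assumed semantics: exact compares the whole organisation path; regex is searched within it.
        if self.match_type == "exact":
            return user.org_path == self.pattern
        if self.match_type == "regex":
            return re.search(self.pattern, user.org_path) is not None
        raise ValueError(f"unknown match type {self.match_type!r}")


def reconcile(google_users, ldap_emails, policy, keep_admins, rules):
    """Decide what GADS would do with each Google Apps account: keep, suspend or delete."""
    actions = {}
    for u in google_users:
        if u.email in ldap_emails:
            actions[u.email] = "keep"            # found under the base DN: nothing to do
        elif any(r.matches(u) for r in rules):
            actions[u.email] = "keep"            # exclusion rule: GADS ignores the account
        elif keep_admins and u.admin:
            actions[u.email] = "keep"            # "Don't suspend or delete Google Apps admins"
        elif policy == SUSPEND_INSTEAD:
            actions[u.email] = "keep" if u.suspended else "suspend"
        elif policy == DELETE_ACTIVE_ONLY:
            actions[u.email] = "keep" if u.suspended else "delete"
        elif policy == DELETE_ACTIVE_AND_SUSPENDED:
            actions[u.email] = "delete"
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return actions


def deletions(actions):
    """Emails that would be deleted: the list to eyeball before running a real sync."""
    return sorted(e for e, a in actions.items() if a == "delete")


# Constructed sample data for the hypothetical domain example.com (not from the article).
GOOGLE_USERS = [
    GoogleUser("alice@example.com", "Staff"),
    GoogleUser("dave@example.com", "Staff"),                       # moved out of the base DN in AD
    GoogleUser("erin@example.com", "Staff", suspended=True),       # left, already suspended
    GoogleUser("frank@example.com", "Admins", admin=True),         # Google Apps admin with no AD account
    GoogleUser("svc-backup@example.com", "Service Accounts"),      # top-level Service Accounts org
    GoogleUser("svc-nested@example.com", "Admins\\Users\\Service Accounts"),  # nested org, backslash path
]
LDAP_EMAILS = {"alice@example.com"}   # the only account still found under the base DN

EXACT_RULE = ExclusionRule("exact", "Service Accounts")
# Regex that matches a Service Accounts org at the top level or nested anywhere below it.
NESTED_RULE = ExclusionRule("regex", r"(?:^|\\)Service Accounts$")


if __name__ == "__main__":
    for policy in (DELETE_ACTIVE_ONLY, DELETE_ACTIVE_AND_SUSPENDED, SUSPEND_INSTEAD):
        acts = reconcile(GOOGLE_USERS, LDAP_EMAILS, policy, keep_admins=True, rules=[EXACT_RULE])
        print(policy, acts)
```

Two things the run makes visible that the settings screen does not: with the exact-match rule the nested “Admins\Users\Service Accounts” organisation is still suspended or deleted, because the rule only covers the top-level path, and with “Delete only active users” plus the admin check-box unticked the orphaned admin account goes too. Whatever model you use, compare its “delete” list against a simulated sync in GADS before the first real one.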
There are many ways to specify which information you want GADS to exclude when syncing, and you can create quite complex regular expressions to pick out specific data to ignore, but that’s for another article!