In the previous section, we learned how to download, install, and configure the GCDS to your MS Active Directory. Now we will see how to sync services like OU, Users, and Groups from AD to Google Workspace.
We are considering that you have GCDS opened and following the steps from the previous page. If you haven’t followed the instructions from the first part, we would recommend reviewing the first part and following the below guidelines.
At Cloud Sultans, our mission is to help small and large businesses better collaborate and achieve high productivity with their teams by maximizing the power of Google Workspace (formerly GSuite).
Selecting Sync Settings for OUs, Users, and Groups 👥
Under General Settings, enable the checkboxes you want to sync, in this example, let’s include OUs, user accounts, and groups. As soon as you enable the desired checkboxes, you may see options from the left-hand side getting added/removed.
Now click on the Org Units section. It is recommended to enable the very first OU policy (Google Organizations Deletion Policy) to avoid deleting OUs in Google Workspace that aren’t present in Active Directory, especially if they’re set up for administrative purposes. Map your existing Active Directory OUs to Google Workspace OUs by using the Base DN* (see previous article) and OU path. You can also create search rules to make sure only relevant objects are included.
Switch to the “Search rule” tab, click on the Add/Edit search rule option, and save the default configurations. The default Searh Rule should be (objectClass=organizationalUnit)
Now switch to the “Exclusions Rules” tab to avoid aggressive OU deletion by GCDS. You can add the count of “percentage” or “number” which will set the limit for GCDS to not perform the OU deletion if the deletion attempt count is exceeded. Additionally, you can add Exclusion rules to restrict the sync of the OUs from AD to Google.
Setting Up User Account Sync Options 🛠️
To keep user data in sync, select “Sync User Accounts.” Use the mail attribute in Active Directory as the email address and objectGUID as the unique identifier. If an account exists in Google Workspace but not in Active Directory, set it to suspend rather than delete the account. This step avoids accidental data loss.
Exclude super admin accounts from synchronization by switching to the “Exclusion Rules” tab and adding the rules using the “Add Exclusion Rule” option. Similar to the OU exclusion rule that we saw previously, this user exclusion rule will allow us to restrict GCDS from accidentally deleting or suspending if the deletion or suspension executions exceed the given number of users or percentage of users.
Configuring Group Sync Options 📂
For group synchronization, please click on the “Groups” section from the left pane. Here you will see the “Google Group Deletion Policy” that will prevent GCDS from deleting groups that aren’t found in LDAP. This setting keeps pre-existing groups in Google Workspace intact. Additionally, we have another policy named “Manager Role Configuration Policy” to avoid modifying group managers during the sync to preserve group roles as they’re currently set. Use default search rules to find and sync relevant groups without exclusions.
For now, you can skip email notifications to avoid unnecessary emails in your inbox and you can set them up again anytime once the sync is successfully running between AD and Google Workspace. To test the sync, let’s switch to the “Sync” tab from the left pane and follow the next instructions.
GCDS Notification Settings 🔔
On the Notifications page, configure your mail server details and email notification settings for post-sync alerts. You can use the following configurations with the notification settings:
- SMTP Relay Host: smtp.gmail.com
- Username: username@yourdomain.com
- Password: password of the above account
- From Address: Same as above Username
After each synchronization, GCDS sends a notification to the email addresses you specify in the “To addresses(recipients)” field. Click “Add” after entering each address. You can leave checkboxes disabled.
After synchronization, GCDS sends an email to the designated recipients, allowing you to verify the sync and address any issues. On the Notifications page, you can define the recipients and configure your mail server settings.
Simulating and Testing Your Sync 🧪
Before going live with GCDS, it’s crucial to simulate the sync to preview changes without applying them. Click “Simulate Sync” to generate a report of what GCDS will change in Google Workspace. If anything looks incorrect, go back to the settings to make adjustments. For example, you might need to increase the threshold for deletions or additions.
Important note: You may need to use the checkbox named “Clear cache” if you are running multiple simulations as it will ensure that the cache is removed from the previous run and test results are shown accurately.
When satisfied, save the configuration to an XML file before you start the change execution using GCSD. Please click on the File > Save As > (Optional) Choose a location to save the file > Enter the file name > Save it.
You would be able then to reload this configuration in case of need on another server or roll back to the previous configuration in case of changes.
Running Your First Full Sync 🔄
Once your configuration is complete and tested, it’s time to perform a full sync. GCDS will apply changes to your Google Workspace accounts, groups, and OUs based on the Active Directory setup. You can select “Sync & apply changes” to allow GCDS to run the executions and apply the necessary changes to your Google Workspace.
Future syncs can be scheduled to maintain up-to-date information automatically. You can use Task Scheduler or the command line to run the sync automatically. With GCDS configured, managing Google Workspace accounts and directories is simplified, and changes made in Active Directory will automatically reflect in Google Workspace.
Any questions, comments, or reactions about our article? We’re happy to hear them in the comment section below. We always love diving into healthy discussions. If you also feel that you haven’t been using Google Workspace at its best, reach us at (Cloud Sultans: contact@cloudsultans.com).
One Response