This page is for Directory Sync. If you’re using Google Cloud Directory Sync (GCDS), go to GCDS. Directory Sync is currently in public beta.
If you're syncing only users and groups, Directory Sync might satisfy your requirements.
If you're syncing objects in addition to users and groups (for example, Google Workspace licenses or shared contacts), you could consider using Directory Sync for the user and group sync and use GCDS for the other objects. However, if you're syncing both users and groups, you must use the same sync tool for both.
Review Compare Directory Sync with GCDS for more information.
Yes. You can use Directory Sync to sync users and groups and GCDS to sync other objects, such as shared contacts. We recommend using one tool to sync users and groups.
Yes, you can change the name of an external directory group. You need to take some extra steps if you have run a sync after adding the group in the User scope section of Directory Sync with the Suspend user in Google directory box checked. In this scenario, follow the instructions below to change the group name.
Note: If the scenario above doesn't apply to your setup, you can rename the external directory group without these additional steps.
- Disable the sync.
For details, go to Activate or deactivate a sync.
- On the Directory details page, next to User sync, click Edit.
- Enter the new group name and save the sync configuration.
- In your external directory, rename the group.
- In Directory Sync, under User Scope, remove the old group name and save the sync configuration.
If a group defined in the user scope is deleted in the external directory, the users in the Google Cloud directory remain active or suspended after a sync, depending on your Deprovisioning setting. This continues until you remove the group from the scope of the sync.
If you delete the group in the external directory and add it back with the same name, Directory Sync syncs the group as if it's a new group (because it has a new group ID).
For more information, go to Suspend users not found in the external directory.
No, Directory Sync can't sync user passwords from external directories.
Yes, you can use Directory Sync to sync users to a secondary domain.
Make sure the users' email addresses in your external directory match your secondary domain name. If you don't want to make changes to your existing mail attribute, use another attribute and assign the attribute when you set up the user sync. During a sync, Directory Sync creates the users in your Google cloud directory using your secondary domain as the primary mail address.
For more information, go to Replace the domain name for synced users.
To simplify network configuration, we recommend that you create the Virtual Private Cloud (VPC) access connector in the same project as Cloud VPN or Cloud Interconnect. If you want to create the VPC access connector in a different project, use Shared VPC. For more information, go to Shared VPC overview.
Your LDAP server uses the Base DN as the starting point when searching for directory objects, such as users and groups. The narrower the Base DN, the fewer entries the server has to examine and the better the search performs.
|Type of Base DN search|Example|Notes|
|---|---|---|
|Specify the top-level Base DN|dc=example, dc=com|Searches all objects in the directory. Search performance can be low.|
|Specify an organizational unit|ou=sales, dc=example, dc=com|Searches all objects under an organizational unit.|
|Specify the users container|cn=Users, dc=example, dc=com|Searches all users in the directory.|
We recommend that you use objectCategory and objectClass filters to narrow your query further. For details, go to Filter on objectCategory and objectClass.
Yes, you can create up to 50 AD connections. The AD domain must be unique for each connection.
To improve search performance:
- Base DN–Adjust the base DN to make it as specific as possible. For example, if your users or groups are in an organizational unit hierarchy, use the search query to point to the parent of the hierarchy instead of the root organizational unit. Doing so ensures the LDAP search occurs in the specific organizational unit hierarchy instead of the entire directory.
- Scope–Consider the hierarchy level that is included in your LDAP query.
In this example, your organizational unit hierarchy is divided into regions (1st level) and countries (2nd level). If your users and groups are in the APAC organizational unit, set the scope of the LDAP query to One-level so that the query searches only the APAC unit (and not its 2nd-level units). If you want to include the 2nd-level organizational units in the search, set the scope to Sub-tree.
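As an added illustration (not code from Google's Directory Sync documentation), the following Python models how the Base DN, the search scope (One-level versus Sub-tree) and an objectClass filter together decide which entries an LDAP search examines. The directory entries, the regions/countries OU names and the user and group names are constructed for the example.

```python
from typing import Optional

# Constructed directory mirroring the regions (1st level) / countries (2nd level)
# OU hierarchy described above. Each entry is (DN, objectClass). Hypothetical data.
DIRECTORY = [
    ("dc=example,dc=com", "domain"),
    ("ou=APAC,dc=example,dc=com", "organizationalUnit"),
    ("cn=Bo,ou=APAC,dc=example,dc=com", "user"),
    ("cn=apac-admins,ou=APAC,dc=example,dc=com", "group"),
    ("ou=Japan,ou=APAC,dc=example,dc=com", "organizationalUnit"),
    ("cn=Ann,ou=Japan,ou=APAC,dc=example,dc=com", "user"),
    ("ou=EMEA,dc=example,dc=com", "organizationalUnit"),
    ("cn=Cy,ou=EMEA,dc=example,dc=com", "user"),
]

def parse_dn(dn: str) -> tuple:
    """Split a DN into normalised RDNs, most specific first.
    Assumes no escaped commas inside RDN values (enough for this illustration)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search rooted at base_dn with the given scope examines entry_dn.
    scope: 'base' (only the base), 'one' (direct children), 'sub' (whole subtree)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry does not sit under the Base DN at all
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child, ...
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope: {scope}")

def search(base_dn: str, scope: str, object_class: Optional[str] = None) -> list:
    """Return the DNs a search would return; object_class narrows the result,
    as the page recommends doing with objectCategory/objectClass filters."""
    return [dn for dn, oc in DIRECTORY
            if in_scope(dn, base_dn, scope)
            and (object_class is None or oc.lower() == object_class.lower())]

if __name__ == "__main__":
    # Top-level Base DN with Sub-tree: every entry is examined (slowest case).
    print(len(search("dc=example, dc=com", "sub")))
    # APAC with One-level: APAC's direct children only, not ou=Japan's contents.
    print(search("ou=APAC, dc=example, dc=com", "one"))
    # APAC with Sub-tree plus a user filter: includes the users in ou=Japan.
    print(search("ou=APAC, dc=example, dc=com", "sub", "user"))
```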
Yes, you can only add one Microsoft Azure Active Directory connection.
- User scope–2,000 groups (a character limit of 100,000 in total for all groups)
- Group scope–400 groups (a character limit of 17,000 in total for all groups)