Apply custom security policies

Exception groups augment your organizational structure by allowing you to create custom sets of users that have Google Apps security services configured differently. Exception groups augment the ability to turn services on or off by organizational unit. This additional layer allows you to apply special security settings to select subsets of existing organizations. The rest of the users in your organization are unaffected by these changes.

For instance, you might have an organizational structure resembling:

    • Engineering
      • Front end
      • Back end
    • Marketing
      • Production
      • Corporate

To apply a setting change to the entire organization, you can simply click the Security icon in the control panel, select Advanced security settings, select the top-level organizational unit ( and make your changes. To isolate the exception to all of Engineering or Marketing, select that organizational unit instead. All settings are inherited down through sub-organizations unless otherwise overridden.

To make a custom setting change, say enforce 2-step verification for all of your contractors, you might create a group that contains them, again select the top-level organization and this time also select the group to apply the change to all contractors in the domain. The settings are applied to the intersection of the organization and group (members of both).

You may further refine this filtering by selecting lower-level organizations, say all of Engineering > Production or all of Marketing > Corporate, before selecting the desired group. This would apply to all contractors in those organizations only. Similarly, you can make a custom setting change at a higher-level organization and then override it by navigating to the lower-level organization and altering the settings.

To create and use an exception group:

Before turning on enforcement in Step 7, go to the Reports/Account Activity/2-Step Verification Enrollment section to verify that all the users in the selected group have enrolled for 2-step verification prior to making it a policy. All un-enrolled users could be locked out.
  1. Follow the instructions to Create a Google Group in the control panel within the Create a group article. This generates an admin-managed group. Groups created through Google Groups cannot have exceptions applied to them.
  2. After saving the group, add the desired users to it.
  3. Next, click the Security icon and then go to the Basic Settings section to select your 2-step verification settings. See 2-step verification enforcement for detailed instructions.
  4. Select the checkbox for Allow users to turn on 2-step verification
  5. Now select the Enforce 2-step verification on users link.
  6. Select the organization that contains the group to receive custom 2-step verification enforcement settings.
  7. Click the appropriate radio button; either Turn on Enforcement or Turn off Enforcement.
  8. At the right is a button labelled Use Inherited. Choosing this button will map the policy from the parent group or domain onto your selected group.
  9. All enforcement changes are prompted for confirmation or cancellation before being executed.