Use exception groups

Exception groups augment your organizational structure by allowing you to create custom sets of users that have Google Apps security services configured differently. Exception groups augment the ability to turn services on or off by organizational unit. This additional layer allows you to apply special security settings to select subsets of existing organizations. The rest of the users in your organization are unaffected by these changes.

For instance, you might have an organizational structure resembling:

  • Your_domain.com
    • Engineering
      • Front end
      • Back end
    • Marketing
      • Production
      • Corporate

To apply a setting change to the entire organization, you can simply go to the Settings tab of the control panel, select Security, select the top-level organizational unit (Your_domain.com) and make your changes. To isolate the exception to all of Engineering or Marketing, select that organizational unit instead. All settings are inherited down through sub-organizations unless otherwise overridden.

To make a custom setting change, say enforce 2-step verification for all of your contractors, you might create a group that contains them, again select the top-level organization and this time also select the group to apply the change to all contractors in the domain. The settings are applied to the intersection of the organization and group (members of both).

You may further refine this filtering by selecting lower-level organizations, say all of Engineering > Production or all of Marketing > Corporate, before selecting the desired group. This would apply to all contractors in those organizations only. Similarly, you can make a custom setting change at a higher-level organization and then override it by navigating to the lower-level organization and altering the settings.

To create and use an exception group:

  1. Follow the instructions to Create a Google Group in the control panel within the Create a group article. This generates an admin-managed group. Groups created through Google Groups cannot have exceptions applied to them.
     
  2. After saving the group, add the desired users to it.
     
  3. Optionally, click the Access Settings link above the members text box to go to the Access tab of  Google Groups and change settings. See Edit a group for detailed instructions.
     
  4. Now go to the Settings tab and select Security.
     
  5. Select the organization that contains the group to receive custom settings.
     
  6. Click Select to the right of the Group Filters list.
     
  7. Select the group to receive custom settings and click Done. Currently, only one exception group can be applied to each organizational unit. Adding another group here removes the settings of the existing group.
     
  8. With the group highlighted, update the app's settings for the group.