How to exclude some users from password sync with GSPS
You might want to prevent certain users' passwords from being synced to your Google domain. This article explains how to exclude users from a sync.
In most cases, there's no need to exclude users from password sync. Doing so requires advanced expertise in configuring Active Directory permissions. Google Cloud support may not be able to provide assistance with this setup. If you encounter any password sync issues, revert back to a standard configuration to make sure that the issue isn't with your Active Directory permissions.
Exclude users from a sync
This method is based on the way GSPS retrieves users' email addresses to update the Google domain. If GSPS can't retrieve the email address, it can't update the password in Google. To exclude users from the sync, create a service user for GSPS that won't have access to the excluded users' email addresses.
- Open Active Directory Users and Computers (ADUC).
- Navigate to any organizational unit you use for administrative users, and create an Active Directory user for GSPS to use. We'll refer to it as the GSPS user.
- Make sure that Advanced Features is enabled under the View menu.
- Select any users or organizational units that you wish to exclude, and right-click them.
- Click Properties.
- Click the Security tab.
- Click the Add button.
- Enter the name of the GSPS user you created in step 2 and click OK.
- A new entry will be added for the GSPS user. Check the Deny / Read box.
- Click OK.
- From the Start menu, run G Suite Password Sync. See Set up G Suite Password Sync for details.
- In the Active Directory step of the GSPS configuration, enter the username and password of the GSPS user.
- Complete the configuration as usual.
Once GSPS is running with this configuration, it will fail to sync the passwords for any users it doesn't have access to. The GSPS service logs show errors when trying to find these users' email addresses. This indicates that the exclusion is working as expected.
Undo the exclusion
To undo the exclusion, simply remove any Deny entries that you've created for the GSPS user. To make sure that you've removed all of the entries, you can create a new GSPS user in Active Directory. Then, set GSPS to use it in the Active Directory step of the GSPS configuration.