Use exclusion rules with GCDS

You can control what Google Cloud Directory Sync (GCDS) reviews and updates. Using exclusion rules, you can omit data, such as users, profiles, or groups, from a sync. If an entity is excluded using an exclusion rule, GCDS performs the sync as if the entity doesn't exist.

Considerations for LDAP data

For items in your LDAP directory server that you don’t want to add to your Google Account, create an LDAP search rule that doesn't return those entities. For details, see Optimizing your search rules.

If this isn’t possible, use an LDAP exclusion rule. You can also use a Google exclusion rule for entities in your Google Account that don't exist in your LDAP domain but should remain in your Google Account.

Control what GCDS syncs with exclusion rules


Add, delete, or change the priority of an exclusion rule

Add an exclusion rule

  1. On the Exclusion Rules tab, click Add Exclusion Rule.
  2. Complete the following options: 
    • Type—Specify what kind of data to exclude from the menu.
    • Match type—Specify the type of rule to use for the filter. From the menu, select an option:
      • Exact match—The data must match the rule exactly.
      • Substring match—The data must contain the text of the rule as a substring.
      • Regular expression—The data must match the regular expression specified.
    • Exclusion Rule—Enter the match string or regular expression for the exclusion rule.
  3. Click OK.

Change the priority of an exclusion rule

Exclusion rules apply in the order that they appear in the table. To change the order:

  1. On the Exclusion Rules tab, click the exclusion rule.
  2. Click the up or down arrow to increase or decrease the priority.

Delete an exclusion rule

  1. On the Exclusion Rules tab, click the exclusion rule.
  2. Click X.

Use rules for your LDAP data

If you have data on your LDAP directory server that matches your search rules but shouldn't be added to a Google domain, use an LDAP exclusion rule. This eliminates the data from synchronization.

Organizational units

Purpose of exclusion rule: You have organizational units on your LDAP server that match your search rules but you don't want them added to a Google domain.
Exclusion type: Org Unit DN. Base the exclusion rule on the Distinguished Name (DN) of the organizational unit to exclude.
Example: Several organizational units are no longer in use because 2 offices joined together. The defunct organizational units all have "stpaul" in the DN.
  • Match type—Substring Match
  • Rule—stpaul

Users

Purpose of exclusion rule: You have users on your LDAP directory server that match your search rules but you don't want them added to a Google domain.
Exclusion type: Specifies the LDAP data to exclude.
  • Primary Address—Excludes users whose primary address matches this rule.
  • Alias Address—Excludes alias addresses that match this rule.
If you want to exclude both primary addresses and alias addresses, create 2 exclusion rules.
Example: Add a separate rule for each user who has opted out of the Google domain and shouldn't be synchronized. Match the full primary address with Exact Match. A Substring Match on only the local part (for example, "atif") also excludes every other address that contains that text, such as latifah@example.com, and an excluded account is never provisioned, updated, or removed by GCDS. First rule:
  • Exclusion type—Primary Address
  • Match type—Exact Match
  • Rule—atif@example.com

Second rule:

  • Exclusion type—Primary Address
  • Match type—Exact Match
  • Rule—svetlana@example.com

Groups

Purpose of exclusion rule: You have entries in your LDAP server that match a mail list rule but you don't want as a mailing list on a Google domain.
Exclusion type: Specifies the LDAP data to exclude.
  • Group Name—Excludes a group that has a name that matches the rule.
  • Group Address—Excludes a group that has an email address that matches the rule.
  • Member Address—Excludes from groups a user whose primary email address matches the rule.
Example: Several mailing lists are no longer in use because 2 nearby offices joined together. The defunct lists all have "stpaul" in the address.
  • Exclusion type—Group Address
  • Match type—Substring Match
  • Rule—stpaul

User profile

Purpose of exclusion rule: You have user profile information in your LDAP server that you don't want to synchronize to a Google domain.
Example: Printers are listed as LDAP users and match the LDAP query given. The printers all have the word "printer" in their name. The rule looks for that substring.
  • Match type—Substring Match
  • Rule—printer

Shared contacts

Purpose of exclusion rule: You have contacts on your LDAP directory server that match your search rules, but you don't want them added to a Google domain.
Example: About 500 test users are listed in the LDAP server, but they’re only used for internal testing. All the test users follow the same name pattern: internal-testX, where X is a number, and all test users are in the same domain. Anchor the expression, require at least one digit, and escape the dot so that it matches only those addresses. The looser form internal-test[0-9]*@example.com also matches an address with no digits at all (because * allows zero), accepts any character in place of the dot, and, if the expression is not anchored, can match an address that merely contains that text.
  • Match type—Regular Expression
  • Rule—^internal-test[0-9]+@example\.com$

Calendar resources

Purpose of exclusion rule: You have items on your LDAP server that match your calendar resource search rules, but you don't want them added to a Google domain as calendar resources.
Exclusion type: Specifies the LDAP data to exclude.
  • Calendar Resource Id—GCDS excludes calendar resources where the Calendar Resource ID attribute specified in LDAP Calendar Resources Attributes matches this pattern.
  • Calendar Resource Display Name—GCDS excludes calendar resources where the Calendar Resource Display Name attribute specified in LDAP Calendar Resources Attributes matches this pattern.

To exclude both resource IDs and resource display names, create 2 exclusion rules.

Example: Printers are listed as LDAP resources and match the LDAP query given. All printers have the word "printer" in the resource ID. (If only the display name contains it, use Calendar Resource Display Name instead; each rule is applied to one attribute.)
  • Exclusion type—Calendar Resource Id
  • Match type—Substring Match
  • Rule—printer

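The three match types (Exact, Substring, Regular Expression), the Users example and the Shared contacts regular expression above can all be checked before a real sync with a small evaluator. The following Python script is an added example written for this page; it is not GCDS code and does not read the GCDS configuration format. It assumes, as the page states, that rules apply in table order, and it makes the conservative assumption that a regular-expression rule can match anywhere in a value unless the pattern is anchored. It runs the page's rules as written, and tightened versions of them, against constructed sample addresses and reports which real-looking accounts the loose rules would hide from the sync.

```python
"""Toy evaluator for GCDS-style exclusion rules (added example, not GCDS code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Match types as they appear on the Exclusion Rules tab.
EXACT, SUBSTRING, REGEX = "Exact Match", "Substring Match", "Regular Expression"


@dataclass(frozen=True)
class ExclusionRule:
    rule_type: str   # what the rule applies to, e.g. "Primary Address", "Group Address"
    match_type: str  # EXACT, SUBSTRING or REGEX
    pattern: str     # the text entered in the Exclusion Rule field


def rule_matches(rule: ExclusionRule, value: str) -> bool:
    """Apply one rule to one attribute value.

    Assumption: a regex rule may match anywhere in the value (search
    semantics) unless it is anchored with ^ and $. That is the conservative
    reading, and it is why the tightened rules below are anchored.
    """
    if rule.match_type == EXACT:
        return value == rule.pattern
    if rule.match_type == SUBSTRING:
        return rule.pattern in value
    if rule.match_type == REGEX:
        return re.search(rule.pattern, value) is not None
    raise ValueError(f"unknown match type: {rule.match_type!r}")


def first_matching_rule(rules: List[ExclusionRule], rule_type: str,
                        value: str) -> Optional[ExclusionRule]:
    """Rules apply in table order: return the first rule of this type that
    excludes value, or None if the entry would be synced."""
    for rule in rules:
        if rule.rule_type == rule_type and rule_matches(rule, value):
            return rule
    return None


def audit(rules: List[ExclusionRule], rule_type: str,
          values: List[str]) -> Dict[str, Optional[str]]:
    """Map each value to the pattern of the rule that excludes it (None if it
    is not excluded), so you can see what a rule swallows before syncing."""
    result: Dict[str, Optional[str]] = {}
    for value in values:
        hit = first_matching_rule(rules, rule_type, value)
        result[value] = hit.pattern if hit else None
    return result


def collateral_exclusions(loose: List[ExclusionRule], tight: List[ExclusionRule],
                          rule_type: str, values: List[str]) -> Set[str]:
    """Values the loose rules exclude but the tight rules do not: real
    entries the loose rules would silently hide from the sync."""
    loose_hits = {v for v, p in audit(loose, rule_type, values).items() if p}
    tight_hits = {v for v, p in audit(tight, rule_type, values).items() if p}
    return loose_hits - tight_hits


# Rules as a first attempt: a bare local part with Substring Match, and an
# unanchored regex with an unescaped dot and [0-9]* (zero or more digits).
LOOSE_RULES = [
    ExclusionRule("Primary Address", SUBSTRING, "atif"),
    ExclusionRule("Primary Address", REGEX, r"internal-test[0-9]*@example.com"),
]

# Tightened equivalents: exact full address; anchored regex, escaped dot,
# and [0-9]+ so at least one digit is required.
TIGHT_RULES = [
    ExclusionRule("Primary Address", EXACT, "atif@example.com"),
    ExclusionRule("Primary Address", REGEX, r"^internal-test[0-9]+@example\.com$"),
]

# Constructed sample primary addresses (not from any real directory).
SAMPLE_ADDRESSES = [
    "atif@example.com",               # opted out: should be excluded
    "latifah@example.com",            # real user whose address contains "atif"
    "internal-test1@example.com",     # test account: should be excluded
    "internal-test@example.com",      # real account, no digits after the prefix
    "qa-internal-test3@example.com",  # real account that merely contains the pattern
    "svetlana@example.com",           # real user, matches nothing
]


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(f"--- {name} rules ---")
        for addr, pattern in audit(rules, "Primary Address", SAMPLE_ADDRESSES).items():
            print(f"{addr:32} {'EXCLUDED by ' + pattern if pattern else 'synced'}")
    print("collateral:", sorted(collateral_exclusions(
        LOOSE_RULES, TIGHT_RULES, "Primary Address", SAMPLE_ADDRESSES)))
```

Run it against an export of the attribute values your search rules actually return and review every excluded entry by hand: an entry that an exclusion rule hides is never provisioned, updated, suspended or deleted by GCDS, so an over-broad rule does not just keep a few extra accounts, it leaves them unmanaged.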
Use rules for Google data

You might have entities in your Google Account, such as users or groups, that don't exist in your LDAP domain but you want to keep in your Google Account. Use a Google domain exclusion rule so that when you synchronize, the Google entities remain:

  1. Click the Google Domain configuration tab.
  2. On the Exclusion Rules tab, click Add Exclusion Rule.
  3. Under Type, from the list, select:
    • Organization Complete Path to exclude organizations and their users
    • User Email Address to exclude users 
    • Alias Email Address to exclude user aliases
    • Group Email Address to exclude groups
    • Group Member Email Address to exclude group members
    • User Profile Primary Sync Key to exclude user profiles by sync key
    • Shared Contact Primary Sync Key to exclude shared contacts by sync key
    • Calendar Resource ID to exclude resources by ID
    • Calendar Resource Display Name to exclude by name
    • Calendar Resource Type to exclude by category
  4. Click OK.

Maintain different attributes in your Google data

If you have entities that exist in both your Google Account and your LDAP domain but that you don't want updated in your Google Account, use 2 exclusion rules:

  • A Google domain exclusion rule, so that GCDS leaves the Google entities alone.
  • An LDAP domain exclusion rule, so that GCDS ignores the matching LDAP entries.

When you run a sync, the entities aren't synchronized. They remain unchanged in the Google Account.

For example, you might need to maintain a user attribute, such as an organizational unit, in your Google Account that's different than the user attribute in the LDAP domain. You can use 2 exclusion rules to make sure that the attributes don't change during a sync. For details, see Maintain different user attributes during a sync.

Examples of exclusion rules

LDAP user exclusion rule

In this example, printers are listed as LDAP users and match the LDAP query. However, you want to ensure that printers aren't identified as Google users. All the printers have the word "printer" in the LDAP directory name. The rule looks for that substring.

  • Type—Primary address
  • Match type—Substring Match
  • Exclusion Rule—printer

LDAP calendar resource exclusion rule

Some conference rooms are converted into offices. You want to make sure that they aren’t imported as calendar resources. Add a separate rule for each conference room.

First rule:

  • Type—Calendar Resource Display Name
  • Match type—Substring Match or Exact Match
  • Exclusion Rule—ConferenceRoom-BlueSkyMontana

Second rule:

  • Type—Calendar Resource Display Name
  • Match Type—Substring Match or Exact Match
  • Exclusion Rule—ConferenceRoom-BigPlains

LDAP group exclusion rule

About 500 test mailing lists are listed in the LDAP server, but they’re only for internal load testing. All the test lists are in the same domain and follow the same name pattern, which is: internal-testX, where X is a number. The expression is anchored, requires at least one digit, and escapes the dot so that it can't also match a real list whose address merely contains that text.

  • Type—Group Address
  • Match type—Regular Expression
  • Exclusion Rule—^internal-test[0-9]+@example\.com$

Google user exclusion rule

If a user isn’t listed in your LDAP directory server, GCDS deletes the user from your list of Google users and from Google Groups. For user accounts and groups that don't exist in your LDAP directory, use an exclusion rule so the users and groups remain in your G Suite or Cloud Identity account. Google administrator accounts are excluded by default, so you don’t need to create an exclusion rule for those accounts. 

Option 1: Use an organizational unit to retain users

Move the user accounts to a dedicated organizational unit and create an exclusion rule for it in the Google domain configuration settings of Configuration Manager.

  • Type—Organization Complete Path
  • Match type—Exact Match
  • Exclusion Rule—/OUPath/MyExcludedOU

Option 2: Use an email address

Create an email address match exclusion rule in the Google domain configuration settings of Configuration Manager.

  • Type—User Email Address (for a user) or Group Email Address (for a group)
  • Match type—Exact Match
  • Exclusion Rule—user@example.com
