You can control what Google Cloud Directory Sync (GCDS) reviews and updates by using exclusion rules or queries.
Differences between exclusion rules & queries
- With exclusion rules, you can omit LDAP directory data, Google Account data, or both from a sync. For example, if you use an exclusion rule to omit a user, profile, or group, GCDS behaves as if they don't exist during a sync.
- To prevent GCDS from deleting or suspending users, you can use a query with Google Account data to exclude Google users from a sync. If you have lots of users, a query is more efficient than GCDS loading all users and then using an exclusion rule to filter the ones that you don’t want to sync.
When to use rules & queries
| Type of data | Consider using... | If that's not possible, use... |
|---|---|---|
| Entities in your LDAP directory server that you don’t want in your Google Account | LDAP search rule | LDAP exclusion rule |
| Users in your Google Account that you don’t want suspended or deleted | Users search query | If the query syntax doesn't support the type of filter you need, use a Google exclusion rule. |
| Entities other than users (such as groups, organizational units, or calendar resources) that should remain in your Google Account but don't exist in your LDAP directory server | Google exclusion rule |
Add a Google users search query
- In Configuration Manager, click Google Domain Configuration
Exclusion Rules.
- For Users Search Query, add the rule using the search guidelines in Search for users.
Using exclusion rules
Expand section | Collapse all & go to top
Add, delete, or change the priority of a ruleTo add a rule:
- On the Exclusion Rules tab, click Add Exclusion Rule.
- Complete the following options:
- Type—Specify what kind of data to exclude from the menu.
- Match type—Specify the type of rule to use for the filter. From the menu, select an option:
- Exact match—The data must match the rule exactly.
- Substring match—The data must contain the text of the rule as a substring.
- Regular expression—The data must match the regular expression specified.
- Exclusion Rule—Enter the match string or regular expression for the rule.
- Click OK.
Rules apply in the order that they appear in the table. To change the order:
- On the Exclusion Rules tab, click the rule.
- Click the up or down arrow to increase or decrease the priority.
To delete a rule:
- On the Exclusion Rules tab, click the rule.
- Click X.
If you have data on your LDAP directory server that matches your search rules but shouldn't be added to a Google domain, use an LDAP exclusion rule. This eliminates the data from synchronization.
Organizational units
| Purpose of exclusion rule | You have organizational units on your LDAP server that match your search rules but you don't want them added to a Google domain. |
| Exclusion type | Org Unit DN
Base the exclusion rule on the Distinguished Name (DN) of the organizational unit to exclude. |
| Example | Several organizational units are no longer in use because 2 offices joined together. The defunct organizational units all have "stpaul" in the DN.
|
Users
| Purpose of exclusion rule | You have users on your LDAP directory server that match your search rules but you don't want them added to a Google domain. |
| Exclusion type | Specifies the LDAP data to exclude.
|
| Example | Add a separate rule for each user who has opted out of the Google domain and shouldn't be synchronized. First rule:
Second rule:
|
Groups
| Purpose of exclusion rule | You have entries in your LDAP server that match a mail list rule but you don't want as a mailing list on a Google domain. |
| Exclusion type | Specifies the LDAP data to exclude.
|
| Example | Several mailing lists are no longer in use because 2 nearby offices joined together. The defunct lists all have "stpaul" in the address.
|
User profile
| Purpose of exclusion rule | You have user profile information in your LDAP server that you don't want to synchronize to a Google domain. |
| Example | Printers are listed as LDAP users and match the LDAP query given. The printers all have the word "printer" in their name. The rule looks for that substring.
|
Shared contacts
| Purpose of exclusion rule | You have contacts on your LDAP directory server that match your search rules, but you don't want them added to a Google domain. |
| Example | About 500 test users are listed in the LDAP server, but they’re only used for internal testing. All the test users follow the same name pattern: internal-testX, where X is a number, and all test users are in the same domain.
|
Calendar resources
| Purpose of exclusion rule | You have items on your LDAP server that match your calendar resource search rules, but you don't want them added to a Google domain as calendar resources. |
| Exclude types | Specifies the LDAP data to exclude.
To exclude resource IDs and resource display names, create 2 exclusion rules. |
| Example | Printers are listed as LDAP resources and match the LDAP query given. All printers have the word "printer" in the name.
|
You might have entities in your Google Account, such as users or groups, that don't exist in your LDAP domain but you want to keep in your Google Account. Use a Google domain exclusion rule so that when you synchronize, the Google entities remain:
- Click the Google Domain configuration tab.
- On the Exclusion Rules tab, click Add Exclusion Rule.
- Under Type, from the list, select:
- Organization Complete Path to exclude organizations and their users
- User Email Address to exclude users
- Alias Email Address to exclude user aliases
- Group Email Address to exclude groups
- Group Member Email Address to exclude group members
- User Profile Primary Sync Key to exclude user profiles by sync key
- Shared Contact Primary Sync Key to exclude shared contacts by sync key
- Calendar Resource ID to exclude resources by ID
- Calendar Resource Display Name to exclude by name
- Calendar Resource Type to exclude by category
- For Match Type, select:
- Exact Match to match the exact keyword
- Substring Match to match the keyword partially
- Regular Expression to match the keyword using the regular expression
- Click OK.
If you have entities in your Google and LDAP domains that you don't want updated in your Google Account, use 2 exclusion rules:
- A Google domain exclusion rule to exclude the entities from the Google Account.
- An LDAP domain exclusion rule to exclude the entities from the LDAP domain.
When you run a sync, the entities aren't synchronized. They remain unchanged in the Google Account.
For example, you might need to maintain a user attribute, such as an organizational unit, in your Google Account that's different than the user attribute in the LDAP domain. You can use 2 exclusion rules to make sure that the attributes don't change during a sync. For details, see Maintain different user attributes during a sync.
Examples of exclusion rules
Expand section | Collapse all & go to top
LDAP user exclusion ruleIn this example, printers are listed as LDAP users and match the LDAP query. However, you want to ensure that printers aren't identified as Google users. All the printers have the word "printer" in the LDAP directory name. The rule looks for that substring.
- Type—Primary address
- Match type—Substring Match
- Exclusion Rule—printer
Some conference rooms are converted into offices. You want to make sure that they aren’t imported as calendar resources. Add a separate rule for each conference room.
First rule:
- Type—Calendar Resource Display Name
- Match type—Substring Match or Exact Match
- Exclusion Rule—ConferenceRoom-BlueSkyMontana
Second rule:
- Type—Calendar Resource Display Name
- Match Type—Substring Match or Exact Match
- Exclusion Rule—ConferenceRoom-BigPlains
About 500 test mailing lists are listed in the LDAP server, but they’re only for internal load testing. All the test users are in the same domain and follow the same name pattern, which is: internal-testX, where X is a number.
- Type—Group Address
- Match type—Regular Expression
- Exclusion Rule—internal-test[0-9]*@example.com
If a user isn’t listed in your LDAP directory server, GCDS deletes the user from your list of Google users and from Google Groups. For user accounts and groups that don't exist in your LDAP directory, use an exclusion rule so the users and groups remain in your Google Workspace or Cloud Identity account. Google administrator accounts are excluded by default, so you don’t need to create an exclusion rule for those accounts.
Option 1: Use an organizational unit to retain users
Move the user accounts to a dedicated organizational unit and create an exclusion rule for it in the Google domain configuration settings of Configuration Manager.
- Type—Organization Complete Path
- Match type—Exact Match
- Exclusion Rule—/OUPath/MyExcludedOU
Option 2: Use an email address
Create an email address match exclusion rule in the Google domain configuration settings of Configuration Manager.
- Type—User Email Address or Group address
- Match type—Exact Match
- Exclusion Rule—user@example.com
Option 3: Exclude all other organizations
If you want to sync your LDAP users into one top-level organizational unit and its sub-organizations below, then you need to exclude all other top-level organizational units. The following regular expression excludes all top-level organizational units other than those starting with MyIncludedOU. Do not include a slash at the beginning when using regular expressions.
- Type—Organization Complete Path
- Match type—Regular Expression
- Exclusion Rule—^((?!MyIncludedOU).)*$
Option 4: User profile primary sync key
You can use this to specify a user address, group email address, or member address to exclude from a synchronization. An excluded member address is not removed from the group in the Google domain.
- Type—User profile primary sync key
- Match type—Exact Match
- Exclusion Rule—luka@solarmora.com
In this example, you can specify which user profiles are excluded from a synchronization.
- Type—Sync Key
- Match type—Exact Match
- Exclusion Rule—luka@solarmora.com
If you want to replace domain name in LDAP email addresses (of users and groups) with this domain name, don’t include the domain name @solarmora.com in the exclusion rule. Use luka, not luka@solarmora.com.
Related topics
- Set up your sync with Configuration Manager
- Use limits with GCDS
- Use LDAP search rules to synchronize data
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
