Omit data with exclusion rules & queries

To add a rule:

1. On the Exclusion Rules tab, click Add Exclusion Rule.
2. Complete the following options:
   • Type—Specify what kind of data to exclude from the menu.
   • Match type—Specify the type of rule to use for the filter. From the menu, select an option:
     • Exact match—The data must match the rule exactly.
     • Substring match—The data must contain the text of the rule as a substring.
     • Regular expression—The data must match the regular expression specified.
   • Exclusion Rule—Enter the match string or regular expression for the rule.
3. Click OK.

Rules apply in the order that they appear in the table. To change the order:

1. On the Exclusion Rules tab, click the rule.
2. Click the up or down arrow to increase or decrease the priority.

To delete a rule:

1. On the Exclusion Rules tab, click the rule.
2. Click X.

If you have data on your LDAP directory server that matches your search rules but shouldn't be added to a Google domain, use an LDAP exclusion rule. This eliminates the data from synchronization.

Organizational units

Users

Groups

User profile

Shared contacts

Calendar resources

You might have entities in your Google Account, such as users or groups, that don't exist in your LDAP domain but you want to keep in your Google Account. Use a Google domain exclusion rule so that when you synchronize, the Google entities remain:

1. Click the Google Domain configuration tab.
2. On the Exclusion Rules tab, click Add Exclusion Rule.
3. Under Type, from the list, select:
   • Organization Complete Path to exclude organizations and their users
   • User Email Address to exclude users
   • Alias Email Address to exclude user aliases
   • Group Email Address to exclude groups
   • Group Member Email Address to exclude group members
   • User Profile Primary Sync Key to exclude user profiles by sync key
   • Shared Contact Primary Sync Key to exclude shared contacts by sync key
   • Calendar Resource ID to exclude resources by ID
   • Calendar Resource Display Name to exclude by name
   • Calendar Resource Type to exclude by category
4. For Match Type, select:
   • Exact Match to match the exact keyword
   • Substring Match to match the keyword partially
   • Regular Expression to match the keyword using the regular expression
5. Click OK.

If you have entities in your Google and LDAP domains that you don't want updated in your Google Account, use 2 exclusion rules:

• A Google domain exclusion rule to exclude the entities from the Google Account.
• An LDAP domain exclusion rule to exclude the entities from the LDAP domain.

When you run a sync, the entities aren't synchronized. They remain unchanged in the Google Account.

For example, you might need to maintain a user attribute, such as an organizational unit, in your Google Account that's different than the user attribute in the LDAP domain. You can use 2 exclusion rules to make sure that the attributes don't change during a sync. For details, see Maintain different user attributes during a sync.

In this example, printers are listed as LDAP users and match the LDAP query. However, you want to ensure that printers aren't identified as Google users. All the printers have the word "printer" in the LDAP directory name. The rule looks for that substring.

• Type—Primary address
• Match type—Substring Match
• Exclusion Rule—printer

Some conference rooms are converted into offices. You want to make sure that they aren’t imported as calendar resources. Add a separate rule for each conference room.

First rule:

• Type—Calendar Resource Display Name
• Match type—Substring Match or Exact Match
• Exclusion Rule—ConferenceRoom-BlueSkyMontana

Second rule:

• Type—Calendar Resource Display Name
• Match Type—Substring Match or Exact Match
• Exclusion Rule—ConferenceRoom-BigPlains

About 500 test mailing lists are listed in the LDAP server, but they’re only for internal load testing. All the test users are in the same domain and follow the same name pattern, which is: internal-testX, where X is a number.

• Type—Group Address
• Match type—Regular Expression
• Exclusion Rule—internal-test[0-9]*@example.com

If a user isn’t listed in your LDAP directory server, GCDS deletes the user from your list of Google users and from Google Groups. For user accounts and groups that don't exist in your LDAP directory, use an exclusion rule so the users and groups remain in your Google Workspace or Cloud Identity account. Google administrator accounts are excluded by default, so you don’t need to create an exclusion rule for those accounts.

Option 1: Use an organizational unit to retain users

Move the user accounts to a dedicated organizational unit and create an exclusion rule for it in the Google domain configuration settings of Configuration Manager.

• Type—Organization Complete Path
• Match type—Exact Match
• Exclusion Rule—/OUPath/MyExcludedOU

Option 2: Use an email address

Create an email address match exclusion rule in the Google domain configuration settings of Configuration Manager.

• Type—User Email Address or Group address
• Match type—Exact Match
• Exclusion Rule—user@example.com

Option 3: Exclude all other organizations

If you want to sync your LDAP users into one top-level organizational unit and its sub-organizations below, then you need to exclude all other top-level organizational units. The following regular expression excludes all top-level organizational units other than those starting with MyIncludedOU. Do not include a slash at the beginning when using regular expressions.

• Type—Organization Complete Path
• Match type—Regular Expression
• Exclusion Rule—^((?!MyIncludedOU).)*$

Option 4: User profile primary sync key

You can use this to specify a user address, group email address, or member address to exclude from a synchronization. An excluded member address is not removed from the group in the Google domain.

• Type—User profile primary sync key
• Match type—Exact Match
• Exclusion Rule—luka@solarmora.com

In this example, you can specify which user profiles are excluded from a synchronization.

• Type—Sync Key
• Match type—Exact Match
• Exclusion Rule—luka@solarmora.com

  If you want to replace domain name in LDAP email addresses (of users and groups) with this domain name, don’t include the domain name @solarmora.com in the exclusion rule. Use luka, not luka@solarmora.com.