Omit data with exclusion rules & queries

You can control what Google Cloud Directory Sync (GCDS) reviews and updates by using exclusion rules or queries. 

Differences between exclusion rules & queries

  • With exclusion rules, you can omit LDAP directory data, Google Account data, or both from a sync. For example, if you use an exclusion rule to omit a user, profile, or group, GCDS behaves as if they don't exist during a sync.
  • To prevent GCDS from deleting or suspending users, you can use a query with Google Account data to exclude Google users from a sync. If you have lots of users, a query is more efficient than GCDS loading all users and then using an exclusion rule to filter the ones that you don’t want to sync.

When to use rules & queries

Type of data Consider using... If that's not possible, use...
Entities in your LDAP directory server that you don’t want in your Google Account LDAP search rule LDAP exclusion rule
Users in your Google Account that you don’t want suspended or deleted Users search query If the query syntax doesn't support the type of filter you need, use a Google exclusion rule.
Entities other than users (such as groups, organizational units, or calendar resources) that should remain in your Google Account but don't exist in your LDAP directory server Google exclusion rule  

Add a Google users search query

  1. In Configuration Manager, click Google Domain Configurationand thenExclusion Rules.
  2. For Users Search Query, add the rule using the search guidelines in Search for users.

Using exclusion rules

Expand section  |  Collapse all & go to top

Add, delete, or change the priority of a rule

To add a rule:

  1. On the Exclusion Rules tab, click Add Exclusion Rule.
  2. Complete the following options:
    • Type—Specify what kind of data to exclude from the menu.
    • Match type—Specify the type of rule to use for the filter. From the menu, select an option:
      • Exact match—The data must match the rule exactly.
      • Substring match—The data must contain the text of the rule as a substring.
      • Regular expression—The data must match the regular expression specified.
    • Exclusion Rule—Enter the match string or regular expression for the rule.
  3. Click OK.

Rules apply in the order that they appear in the table. To change the order:

  1. On the Exclusion Rules tab, click the rule.
  2. Click the up or down arrow to increase or decrease the priority.

To delete a rule:

  1. On the Exclusion Rules tab, click the rule.
  2. Click X.
Use exclusion rules for your LDAP data

If you have data on your LDAP directory server that matches your search rules but shouldn't be added to a Google domain, use an LDAP exclusion rule. This eliminates the data from synchronization.

Organizational units

Purpose of exclusion rule You have organizational units on your LDAP server that match your search rules but you don't want them added to a Google domain.
Exclusion type Org Unit DN

Base the exclusion rule on the Distinguished Name (DN) of the organizational unit to exclude.

Example Several organizational units are no longer in use because 2 offices joined together. The defunct organizational units all have "stpaul" in the DN.
  • Match type—Substring Match
  • Rule—stpaul

Users

Purpose of exclusion rule You have users on your LDAP directory server that match your search rules but you don't want them added to a Google domain.
Exclusion type Specifies the LDAP data to exclude.
  • Primary Address—Excludes primary addresses that match this rule.
  • Alias Address—Excludes alias addresses that match this rule.
If you want to exclude both primary addresses and alias addresses, create 2 exclusion rules.
Example Add a separate rule for each user who has opted out of the Google domain and shouldn't be synchronized. First rule:
  • Exclusion type—Primary Address
  • Match type—Substring Match or Exact Match
  • Rule—atif

Second rule:

  • Exclusion Type—Primary Address
  • Match Type—Substring Match or Exact Match
  • Rule—svetlana

Groups

Purpose of exclusion rule You have entries in your LDAP server that match a mail list rule but you don't want as a mailing list on a Google domain.
Exclusion type Specifies the LDAP data to exclude.
  • Group Name—Excludes a group that has a name that matches the rule.
  • Group Address—Excludes a group that has an email address that matches the rule.
  • Member Address—Excludes from groups a user whose primary email address matches the rule.
Example Several mailing lists are no longer in use because 2 nearby offices joined together. The defunct lists all have "stpaul" in the address.
  • Match type—Substring Match
  • Rule—stpaul

User profile

Purpose of exclusion rule You have user profile information in your LDAP server that you don't want to synchronize to a Google domain.
Example Printers are listed as LDAP users and match the LDAP query given. The printers all have the word "printer" in their name. The rule looks for that substring.
  • Match type—Substring Match
  • Rule—printer

Shared contacts

Purpose of exclusion rule You have contacts on your LDAP directory server that match your search rules, but you don't want them added to a Google domain.
Example About 500 test users are listed in the LDAP server, but they’re only used for internal testing. All the test users follow the same name pattern: internal-testX, where X is a number, and all test users are in the same domain.
  • Match type—Regular Expression
  • Rule—internal-test[0-9]*@example.com

Calendar resources

Purpose of exclusion rule You have items on your LDAP server that match your calendar resource search rules, but you don't want them added to a Google domain as calendar resources.
Exclude types Specifies the LDAP data to exclude.
  • Calendar Resource Id—GCDS excludes calendar resources where the Calendar Resource ID attribute specified in LDAP Calendar Resources Attributes matches this pattern.
  • Calendar Resource Display Name—GCDS excludes calendar resources where the Calendar Resource Display Name attribute specified in LDAP Calendar Resources Attributes matches this pattern.

To exclude resource IDs and resource display names, create 2 exclusion rules.

Example Printers are listed as LDAP resources and match the LDAP query given. All printers have the word "printer" in the name.
  • Exclusion type—Calendar Resource Id
  • Match type—Substring Match
  • Rule—printer
Use exclusion rules for Google data

You might have entities in your Google Account, such as users or groups, that don't exist in your LDAP domain but you want to keep in your Google Account. Use a Google domain exclusion rule so that when you synchronize, the Google entities remain:

  1. Click the Google Domain configuration tab.
  2. On the Exclusion Rules tab, click Add Exclusion Rule.
  3. Under Type, from the list, select:
    • Organization Complete Path to exclude organizations and their users
    • User Email Address to exclude users
    • Alias Email Address to exclude user aliases
    • Group Email Address to exclude groups
    • Group Member Email Address to exclude group members
    • User Profile Primary Sync Key to exclude user profiles by sync key
    • Shared Contact Primary Sync Key to exclude shared contacts by sync key
    • Calendar Resource ID to exclude resources by ID
    • Calendar Resource Display Name to exclude by name
    • Calendar Resource Type to exclude by category
  4. For Match Type, select:
    • Exact Match to match the exact keyword
    • Substring Match to match the keyword partially
    • Regular Expression to match the keyword using the regular expression
  5. Click OK.
Maintain different attributes in your Google data

If you have entities in your Google and LDAP domains that you don't want updated in your Google Account, use 2 exclusion rules:

  • A Google domain exclusion rule to exclude the entities from the Google Account.
  • An LDAP domain exclusion rule to exclude the entities from the LDAP domain.

When you run a sync, the entities aren't synchronized. They remain unchanged in the Google Account.

For example, you might need to maintain a user attribute, such as an organizational unit, in your Google Account that's different than the user attribute in the LDAP domain. You can use 2 exclusion rules to make sure that the attributes don't change during a sync. For details, see Maintain different user attributes during a sync.

Examples of exclusion rules

Expand section  |  Collapse all & go to top

LDAP user exclusion rule

In this example, printers are listed as LDAP users and match the LDAP query. However, you want to ensure that printers aren't identified as Google users. All the printers have the word "printer" in the LDAP directory name. The rule looks for that substring.

  • Type—Primary address
  • Match type—Substring Match
  • Exclusion Rule—printer
LDAP calendar resource exclusion rule

Some conference rooms are converted into offices. You want to make sure that they aren’t imported as calendar resources. Add a separate rule for each conference room.

First rule:

  • Type—Calendar Resource Display Name
  • Match type—Substring Match or Exact Match
  • Exclusion Rule—ConferenceRoom-BlueSkyMontana

Second rule:

  • Type—Calendar Resource Display Name
  • Match Type—Substring Match or Exact Match
  • Exclusion Rule—ConferenceRoom-BigPlains
LDAP group exclusion rule

About 500 test mailing lists are listed in the LDAP server, but they’re only for internal load testing. All the test users are in the same domain and follow the same name pattern, which is: internal-testX, where X is a number.

  • Type—Group Address
  • Match type—Regular Expression
  • Exclusion Rule—internal-test[0-9]*@example.com
Google user exclusion rule

If a user isn’t listed in your LDAP directory server, GCDS deletes the user from your list of Google users and from Google Groups. For user accounts and groups that don't exist in your LDAP directory, use an exclusion rule so the users and groups remain in your Google Workspace or Cloud Identity account. Google administrator accounts are excluded by default, so you don’t need to create an exclusion rule for those accounts.

Option 1: Use an organizational unit to retain users

Move the user accounts to a dedicated organizational unit and create an exclusion rule for it in the Google domain configuration settings of Configuration Manager.

  • Type—Organization Complete Path
  • Match type—Exact Match
  • Exclusion Rule—/OUPath/MyExcludedOU

Option 2: Use an email address

Create an email address match exclusion rule in the Google domain configuration settings of Configuration Manager.

  • Type—User Email Address or Group address
  • Match type—Exact Match
  • Exclusion Rule—user@example.com

Option 3: Exclude all other organizations

If you want to sync your LDAP users into one top-level organizational unit and its sub-organizations below, then you need to exclude all other top-level organizational units. The following regular expression excludes all top-level organizational units other than those starting with MyIncludedOU. Do not include a slash at the beginning when using regular expressions.

  • Type—Organization Complete Path
  • Match type—Regular Expression
  • Exclusion Rule—^((?!MyIncludedOU).)*$

Option 4: User profile primary sync key

You can use this to specify a user address, group email address, or member address to exclude from a synchronization. An excluded member address is not removed from the group in the Google domain.

  • Type—User profile primary sync key
  • Match type—Exact Match
  • Exclusion Rule—luka@solarmora.com
User profile exclusion rule

In this example, you can specify which user profiles are excluded from a synchronization.

  • Type—Sync Key
  • Match type—Exact Match
  • Exclusion Rule—luka@solarmora.com

    If you want to replace domain name in LDAP email addresses (of users and groups) with this domain name, don’t include the domain name @solarmora.com in the exclusion rule. Use luka, not luka@solarmora.com.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
1079173866766795940
true
Search Help Center
true
true
true
true
true
73010
false
false