Use exclusion rules with GCDS

Exclusion rules allow you to omit specific users, user profiles, groups, organizational units, calendar resources, and other data from the Google Cloud Directory Sync (GCDS) synchronization process. For example, you can add a user profile exclusion rule to exclude information that you don't want to sync in your Google domain, such as a user's personal email address.

What are exclusion rules?

Exclusion rules are an important aspect of GCDS, but they are often misunderstood. Exclusion rules control what GCDS sees: if an entity is excluded, GCDS runs the sync as if that entity doesn't exist.
For example, suppose a user exists on both the Google domain and the LDAP server, and a Google domain exclusion rule is created for that user. GCDS tries to create the user on every sync (because, according to the exclusion rule, the user doesn't exist on the Google domain). If instead an LDAP user exclusion rule is created for the same user, GCDS deletes the user from the Google domain (because the user exists on the Google domain but, according to the exclusion rule, not on the LDAP server).
Exclusion rules are based on string values and regular expressions.

Using exclusion rules

Add, delete, or change the priority of an exclusion rule

Add an exclusion rule

On the Exclusion Rules tab, click Add Exclusion Rule.

  1. Exclude type: Specify what kind of data to exclude from the drop-down menu.
  2. Match type: Specify the type of rule to use for the filter. From the drop-down menu, select one of the following:
    • Exact match: The data must match the rule exactly in order to be excluded.
    • Substring match: The data must contain the text of the rule as a substring in order to be excluded.
    • Regular expression: The data must match the regular expression specified in order to be excluded.
  3. Exclusion rule: Enter the match string or regular expression for the exclusion rule.
  4. Click OK.

Change the priority of an exclusion rule

Exclusion rules apply in the order that they appear in the table. To change the order:

  1. Click the exclusion rule.
  2. Click the up or down arrow to increase or decrease the priority.

Delete an exclusion rule

  1. Click the exclusion rule.
  2. Click X.
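
As an added example (not part of the original article, and not GCDS's own code), the following Python models the three match types offered in the Add Exclusion Rule dialog and applies a rule table in priority order to constructed directory values. The sample DNs and addresses, the function names, and the assumption that a Regular Expression must match the whole value are mine; this page does not document GCDS's exact matching semantics, so confirm any pattern with a simulated sync before applying changes.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Match types as named in the GCDS Add Exclusion Rule dialog.
EXACT, SUBSTRING, REGEX = "Exact Match", "Substring Match", "Regular Expression"


@dataclass(frozen=True)
class ExclusionRule:
    exclude_type: str  # e.g. "Org Unit DN", "Primary Address", "Group Address"
    match_type: str    # EXACT, SUBSTRING or REGEX
    pattern: str       # the match string or regular expression

    def matches(self, value: str) -> bool:
        if self.match_type == EXACT:
            return value == self.pattern
        if self.match_type == SUBSTRING:
            return self.pattern in value
        if self.match_type == REGEX:
            # Assumption: the whole value must match the expression.
            return re.fullmatch(self.pattern, value) is not None
        raise ValueError(f"unknown match type: {self.match_type}")


def first_matching_rule(rules: Iterable[ExclusionRule], exclude_type: str,
                        value: str) -> Optional[ExclusionRule]:
    """Rules are tried in table order (their priority); the first rule of the
    requested exclude type that matches is returned, or None if none match."""
    for rule in rules:
        if rule.exclude_type == exclude_type and rule.matches(value):
            return rule
    return None


def is_excluded(rules: Iterable[ExclusionRule], exclude_type: str, value: str) -> bool:
    return first_matching_rule(rules, exclude_type, value) is not None


def review_rules(rules: Iterable[ExclusionRule],
                 candidates: List[Tuple[str, str]]) -> dict:
    """Dry-run a rule table against directory values and return
    {value: pattern of the matching rule, or None}, so over-broad rules
    are visible before a real sync runs."""
    report = {}
    for exclude_type, value in candidates:
        rule = first_matching_rule(rules, exclude_type, value)
        report[value] = rule.pattern if rule else None
    return report


# The rules from this page's examples, in priority order.
RULES = [
    ExclusionRule("Org Unit DN", SUBSTRING, "stpaul"),
    ExclusionRule("Primary Address", SUBSTRING, "atif"),
    ExclusionRule("Group Address", REGEX, r"internal-test[0-9]*@example.com"),
]

# Constructed directory values (not from any real directory).
CANDIDATES = [
    ("Org Unit DN", "ou=stpaul-sales,dc=example,dc=com"),  # excluded, as intended
    ("Org Unit DN", "ou=minneapolis,dc=example,dc=com"),   # kept
    ("Primary Address", "atif@example.com"),               # excluded, as intended
    ("Primary Address", "latifa@example.com"),             # excluded: "atif" is a substring of "latifa"
    ("Group Address", "internal-test42@example.com"),      # excluded, as intended
    ("Group Address", "internal-test@example.com"),        # excluded: [0-9]* allows zero digits
    ("Group Address", "internal-test7@exampleXcom"),       # excluded: unescaped "." matches any character
    ("Group Address", "internal-testing@example.com"),     # kept
]

if __name__ == "__main__":
    for value, pattern in review_rules(RULES, CANDIDATES).items():
        verdict = f"excluded by {pattern!r}" if pattern else "synced"
        print(f"{value:45} -> {verdict}")
```

Running the dry run shows two pitfalls in the page's own example rules: the substring rule "atif" also excludes latifa@example.com, and because `[0-9]*` allows zero digits and the unescaped dot matches any character, the regular expression also excludes internal-test@example.com and internal-test7@exampleXcom. An over-broad LDAP rule silently keeps accounts out of the Google domain; an over-broad Google domain rule exempts accounts from deprovisioning, so review the report before relying on a rule table.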

Exclusion rules for your LDAP data

If you have data on your LDAP directory server that matches your search rules but shouldn't be added to your Google domain, use an LDAP exclusion rule. This eliminates the data from a synchronization.

LDAP exclusion rules can be created for the following:

Organizational units

Purpose of exclusion rule: Use the rule if you have any organizational units on your LDAP server that match your search rules but should not be added to your Google domain.
Exclude types: This Exclude type is always Org Unit DN. Base the exclusion rule on the Distinguished Name (DN) of the org unit to exclude.
Example

Several organizational units are no longer in use because two offices have joined together. The defunct OUs all have “stpaul” in the DN:

  • Match type: Substring Match
  • Exclusion rule: stpaul


Users

Purpose of exclusion rule: Use the rule if you have any users on your LDAP directory server that match your search rules but should not be added to your Google domain.
Exclude types: Specifies the LDAP data to exclude.
  • Primary Address: GCDS excludes primary addresses that match this rule. This is displayed as ADDRESS.
  • Alias Address: GCDS excludes aliases that match this rule. This is displayed as ALIAS.
If you want to exclude both primary addresses and alias addresses, create two exclusion rules.
Example

Two users have opted out of the Google domain and should not be synchronized. Add a separate rule for each special user.

First rule:

  • Exclude type: Primary Address
  • Match type: Substring Match or Exact Match
  • Exclusion rule: atif

Second rule:

  • Exclude Type: Primary Address
  • Match Type: Substring Match or Exact Match
  • Exclusion rule: svetlana


Groups

Purpose of exclusion rule: Use the rule if you have any entries in your LDAP server that match a mail list rule, but shouldn't be treated as a mailing list on your Google domain.
Exclude types: Specifies the LDAP data to exclude.
  • Group Name: Exclude a group that has a name that matches the rule.
  • Group Address: Exclude a group that has an email address that matches the rule.
  • Member Address: Exclude a user whose primary email address matches this rule from any groups.
Example

Several mailing lists are no longer in use because two nearby offices have joined together. The defunct lists all have “stpaul” in the address:

  • Match type: Substring Match
  • Exclusion rule: stpaul


User profile

Purpose of exclusion rule: Use the rule if you have any existing user profile information in your Google domain that you don't want to synchronize.
Example

Printers are listed as LDAP users and match the LDAP query given. However, the printers all have the word “printer” in the name. The rule looks for that substring:

  • Match type: Substring Match
  • Rule: printer


Shared contacts

Purpose of exclusion rule: Use the rule if you have any contacts on your LDAP directory server that match your search rules but should not be added to your Google domain.
Example

About 500 test users are listed in the LDAP server, but they are only used for internal testing. All the test users follow the same name pattern: internal-testX, where X is a number, and all test users are in the same domain:

  • Match type: Regular Expression
  • Rule: internal-test[0-9]*@example.com


Calendar resources

Purpose of exclusion rule: Use the rule if you have any entities on your LDAP server that match your calendar resource search rules but should not be added to your Google domain as calendar resources.
Exclude types: Specifies the LDAP data to exclude.
  • Calendar Resource Id: GCDS excludes calendar resources where the Calendar Resource Id attribute specified in LDAP Calendar Resources Attributes matches this pattern. The interface displays this choice as CALENDAR_RESOURCE_ID.
  • Calendar Resource Display Name: GCDS excludes calendar resources where the Calendar Resource Display Name attribute specified in LDAP Calendar Resources Attributes matches this pattern. The interface displays this choice as CALENDAR_RESOURCE_DISPLAY_NAME.

If you want to exclude both resource IDs and resource display names, you must create two exclusion rules.

Example

Printers are listed as LDAP resources and match the LDAP query given. All printers have the word “printer” in the name. The rule looks for that substring:

  • Exclude type: Calendar Resource Id
  • Match type: Substring Match
  • Rule: printer

Exclusion rules for your Google domain data

If you have entities in your Google domain that don't match your search rules but should remain in your Google domain, use a Google domain exclusion rule. When you synchronize, the Google entities will remain in the Google domain.

Google domain exclusion rules can be created for the following types of entities:

  • Organizations (including users in those organizations)—select Organization Complete Path
  • Users—select User Email Address
  • User aliases—select Alias Email Address
  • Groups—select Group Email Address
  • Group members—select Group Member Email Address
  • User profiles (by sync key)—select User Profile Primary Sync Key
  • Shared contacts (by sync key)—select Shared Contact Primary Sync Key
  • Calendar resources:
    • By Resource ID—select Calendar Resource ID
    • By display name—select Calendar Resource Display Name
    • By type—select Calendar Resource Type

How to maintain different attributes for users

Do you have a user that has certain attributes in the Google domain and different attributes in the LDAP server? If you don't want any changes applied to the user in the Google domain, you must create two exclusion rules: one LDAP exclusion rule and one exclusion rule for your Google domain data.
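To make the behaviour described under "What are exclusion rules?", in this section, and in Example 4 below concrete, here is an added Python model of how GCDS reconciles the two directories once exclusion rules have been applied. It is illustrative code written for this article, not GCDS source: it assumes that exclusion rules are exact matches on a user's primary address, that users are the only entity type, and the directory contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SyncPlan:
    create: List[str] = field(default_factory=list)  # seen on LDAP only: GCDS creates
    delete: List[str] = field(default_factory=list)  # seen on Google only: GCDS deletes
    update: List[str] = field(default_factory=list)  # seen on both: attributes synced


def plan_user_sync(ldap_users: Set[str], google_users: Set[str],
                   ldap_excluded: Set[str], google_excluded: Set[str]) -> SyncPlan:
    """Model of how GCDS decides what to do with each user.

    ldap_users / google_users are the primary addresses that really exist on
    each side; ldap_excluded / google_excluded are the addresses matched by
    LDAP and Google domain exclusion rules (assumed exact-match on address).
    An excluded entity is removed from GCDS's view of that side before the
    comparison, which is why a rule on only one side changes the outcome.
    """
    seen_on_ldap = ldap_users - ldap_excluded
    seen_on_google = google_users - google_excluded
    return SyncPlan(
        create=sorted(seen_on_ldap - seen_on_google),
        delete=sorted(seen_on_google - seen_on_ldap),
        update=sorted(seen_on_ldap & seen_on_google),
    )


# Constructed directory contents: pat exists on both sides and carries
# Google-side attributes the administrator wants left alone; contractor
# exists only in the Google domain.
LDAP = {"pat@example.com", "kim@example.com"}
GOOGLE = {"pat@example.com", "kim@example.com", "contractor@example.com"}


def scenarios() -> Dict[str, SyncPlan]:
    """The four rule combinations for pat@example.com, plus the Google domain
    rule that keeps contractor@example.com from being deleted."""
    pat = {"pat@example.com"}
    return {
        "no rules": plan_user_sync(LDAP, GOOGLE, set(), set()),
        "Google rule only": plan_user_sync(LDAP, GOOGLE, set(), pat),
        "LDAP rule only": plan_user_sync(LDAP, GOOGLE, pat, set()),
        "both rules": plan_user_sync(LDAP, GOOGLE, pat, pat),
        "protect contractor": plan_user_sync(LDAP, GOOGLE, set(), {"contractor@example.com"}),
    }


if __name__ == "__main__":
    for name, plan in scenarios().items():
        print(f"{name:20} create={plan.create} delete={plan.delete} update={plan.update}")
```

The output shows the three outcomes the article describes: with only a Google domain rule, pat@example.com is scheduled for creation on every run; with only an LDAP rule, pat@example.com is scheduled for deletion; with both rules, the user disappears from GCDS's view entirely and is left untouched. The last scenario is Example 4: a Google domain rule keeps a Google-only account out of the delete list. Before trusting a rule table on a production domain, confirm the plan with a simulated sync in GCDS.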

Examples of exclusion rules

Example 1: LDAP user exclusion rule

In this example, printers are listed as LDAP users and match the LDAP query. However, the administrator wants to ensure that printers aren't identified as Google users. All the printers have the word "printer" in the name in the LDAP directory. The rule looks for that substring.

  • Exclude type: Primary address
  • Match type: Substring Match
  • Exclusion rule: printer

Example 2: LDAP calendar resource exclusion rule

Two conference rooms have been converted into offices and shouldn't be imported as Google calendar resources. The administrator adds a separate rule for each conference room.

First rule:

  • Exclude type: Calendar Resource Display Name
  • Match type: Substring Match or Exact Match
  • Exclusion rule: ConferenceRoom-BlueSkyMontana

Second rule:

  • Exclude type: Calendar Resource Display Name
  • Match Type: Substring Match or Exact Match
  • Exclusion rule: ConferenceRoom-BigPlains

Example 3: LDAP group exclusion rule

About 500 test mailing lists are listed in the LDAP server, but they are only used for internal load testing. All the test lists follow the same name pattern: internal-testX, where X is a number. All test lists are in the same domain.

  • Exclude type: Group Address
  • Match type: Regular Expression
  • Exclusion rule: internal-test[0-9]*@example.com

Example 4: Google domain user exclusion rule

GCDS will delete users from your list of Google users and from your Google groups if they aren't listed in your LDAP directory server. To avoid this, you can add the following two rules:

First rule:

  • Exclude type: User Name
  • Match type: Exact Match
  • Exclusion rule: username@example.com

Second rule:

  • Exclude type: Member Name
  • Match type: Exact Match
  • Exclusion rule: username@example.com