GCDS FAQ

Google Cloud Directory Sync


Your Google domain

What happens when there is a change in the Google domain that is not reflected in Active Directory or the LDAP directory?

It may take up to 8 days for you to see the change in the Google domain. 

To understand why, you need to understand how GCDS caches data. GCDS keeps a cache of data for your Google service for a maximum of 8 days. GCDS may clear the cache more frequently, depending on the cached data size. Until the cache is cleared, GCDS doesn't identify updates to the Google domain. 

Once the cache is cleared, GCDS identifies the change in the Google domain and compares that with the source data in the LDAP directory. If the data doesn't match, GCDS will undo the change made in the Google domain. 

Remember, it is best practice to update your LDAP data and then sync to the Google domain. 

How to manually clear the cache:

  • Run a sync from Configuration Manager and select to clear the cache when performing a sync.
  • Use the command line flag -f to force a flush of the cache.
  • Modify the XML config file to set the maxCacheLifetime value to 0.

Important: Forcing a flush of cache can dramatically increase synchronization time.

How does GCDS access user profile data in my Google domain?

User profiles, including additional user attributes, are written to the Google user account and are visible in the domain’s global Directory. GCDS accesses the global Directory in Google Contacts. 

How does GCDS determine what alias email addresses are added to a Google Account?

In the GCDS configuration, you can specify the attributes that GCDS evaluates. GCDS evaluates the data stored in the attribute only if it matches a valid SMTP address.

In the case of Microsoft® Active Directory® "proxyAddresses," GCDS strips off the smtp: prefix during the sync so the prefix doesn't show on your Google domain. 

Syncing users, groups, and organizational units

Why does GCDS keep returning an error when the cache is disabled?

This may be a configuration issue, such as an exclusion rule misconfiguration. This kind of misconfiguration can be hidden by GCDS caching. 

GCDS keeps a cache of data for your Google service (such as G Suite or Cloud Identity) for a maximum of 8 days. GCDS may clear the cache more frequently, depending on the cached data size. However, if the cache isn't cleared, you may not see your updates for up to 8 days. 

You can manually clear the cache:

  • Run a sync from Configuration Manager and select to clear the cache when performing a sync.
  • Use the command line flag -f to force a flush of the cache.
  • Modify the XML config file to set the maxCacheLifetime value to 0.

Important: Forcing a flush of cache can dramatically increase synchronization time.

For example, you sync your LDAP data and create a new group for your Google service (such as G Suite or Cloud Identity). You then create an exclusion rule to exclude that group from subsequent syncs. That exclusion rule is misconfigured and will fail. However, the subsequent sync calls on cached data and the group remains in your Google service. When you sync again with clear cache, the misconfiguration causes the group to be removed from your Google service.

How do I configure GCDS to provision only a subset of users from Active Directory or the LDAP directory? 

If you only want to sync a small subset of users to your Google domain you can use a single Active Directory or LDAP directory group as your source. This will limit the users that get provisioned in your Google domain.

Example:

User Query
(&(memberof=cn=appsUsers,cn=users,dc=corp,dc=domain,dc=com)(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This query returns all users who are members of the group identified by the group DN, have email addresses, and whose accounts aren't disabled.

How can I ensure GCDS won't delete or modify existing groups that I have created? 

You can configure GCDS to exclude a group by defining a Group Email Address exclusion rule in the Google domain configuration. 

Example:

Exclude Rule
Type: Group Email Address
Match Type: Exact Match
Rule: GCP_Project1@domain.com

Note: We recommend you create and manage these groups in your LDAP directory. Group memberships are kept up-to-date in your Google domain when GCDS synchronizes data.

How can I exclude an organizational unit in my Google service from being synchronized by GCDS?

You can configure GCDS to exclude an organizational unit in your Google service (such as G Suite or Cloud Identity) by defining an Organization Complete Path exclusion rule in the Google domain configuration.

Example:

Exclude Rule
Type: Organization Complete Path
Match Type: Exact Match
Rule: /OUPath/MyExcludedOU

Will GCDS synchronize user-created groups?

A user-created group is a group created in Google Groups for Business. If an LDAP group matches a user-created group, GCDS ignores the group as though there is a GCDS exclusion rule in place for that specific group. It won't remove the group if it doesn't match the LDAP data. 

If you have added members to the corresponding object/entity in LDAP, GCDS adds those members to the group. If you have added users to the Google group that don't match your LDAP data, those members won't be removed during the sync process. 

For more information on user-created groups, see Groups administrator FAQ.

Can GCDS sync nested group memberships? 

Yes, GCDS syncs nested group memberships. However, there are some limitations regarding nested groups and email delivery with Google Groups for Business. 

In some situations, not all nested group members will receive email content that's sent to the group. Those situations include:  

  • When moderation permission is enabled–An email won't automatically flow to group members or other nested groups until the moderator of the group gives their approval. 
  • Parent groups–These groups might not have posting permission to send the message to the nested groups. 

For more information, see Add a group to another group and See who can view, post, and moderate.

General

Why do I have to configure GCDS to sync passwords?

The default password sync settings in GCDS are used to define how GCDS creates passwords for new user accounts. If you don’t want to customize an initial account password, no action is required. Just use the default settings.

If you're using Active Directory you can use Password Sync to sync user passwords from Active Directory to your Google domain. 

How does GCDS resolve conflicts when multiple sync rules apply?

GCDS considers the rules in order, from the highest to lowest. 

For example, you configure a User Accounts sync rule to create users in the root organizational unit or /. You then create a lower rule to create users in the /Exceptions organizational unit. After a sync, users matching both rules will be created in the root organizational unit because that rule has higher precedence. 

To ensure that users are correctly placed in /Exceptions, you need to make sure that the rule is listed higher than any other conflicting rule, or that it's the first rule in the ordered list.

How can I audit and review a GCDS synchronization? 

GCDS uses 3-legged OAuth 2.0 for authorization. This process grants GCDS an OAuth 2.0 token. The token allows GCDS to take action on behalf of the administrator who performed the authorization.

All audit events are attributed to the administrator who authorized GCDS. Consider creating a dedicated GCDS administrator account so that you can clearly see which changes and audits were performed by GCDS.

How do I authorize GCDS on a machine without a graphical user interface (GUI)? 

To set up GCDS on a server without a GUI environment:

  1. Open a command prompt and, to set your LDAP credentials, enter:

    ./upgrade-config -ldapuser LDAP_username -ldappassword LDAP_password -c config_file_name

  2. To authorize your Google domain, enter:

    ./upgrade-config -Oauth Google_domain_name -c config_file_name

  3. To test the LDAP connection, enter:

    ./upgrade-config -testldap -c config_file_name

  4. To test the Google connection, enter:

    ./upgrade-config -testgoogleapps -c config_file_name

Cloud Platform

How can I synchronize security groups from Active Directory or my LDAP directory and use them in Cloud IAM? 

You can configure GCDS to sync security groups using LDAP search rules. 

Example 1: Search for all security groups

This example shows an LDAP search for all security groups that have an email address:

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483648)(mail=*))

Example 2: Search for a subset of security groups

If you want to sync a subset of security groups, consider using extensionAttribute1 and set a specific value, such as GoogleCloudPlatform. You can then refine the GCDS query to only provision the specific subset of security groups:

This example shows an LDAP search for all security groups that have an email address and the GoogleCloudPlatform attribute:

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483648)(mail=*)(extensionAttribute1=GoogleCloudPlatform))

Important:

  • All groups in a Google domain are referenced by an email address. You must ensure that all the security groups you want to synchronize have a valid mail attribute defined.
  • A group created in a Google domain doesn't automatically have an explicit Google Cloud Identity and Access Management (IAM) role. After a group is created, you need to use Cloud IAM to assign a group to specific roles.
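The User Query and the two security-group searches above rely on the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against userAccountControl and groupType. The following is an added example, not GCDS code or part of this article: a small local evaluator of those filters that you can run over constructed sample objects to predict which users and groups a GCDS rule would provision before pointing it at production data (the entry dictionaries, DNs and mail values are all constructed for illustration).

```python
# Added example (not GCDS code): evaluates this page's LDAP filters locally to
# predict what GCDS would provision. Sample entries below are constructed.
UF_ACCOUNTDISABLE = 2                      # userAccountControl "disabled" bit
GROUP_TYPE_SECURITY_ENABLED = -2147483648  # groupType 0x80000000 as signed 32-bit

def bit_and(attr_value, mask):
    """Emulate (attr:1.2.840.113556.1.4.803:=mask): true if every mask bit is set.
    AD stores these as signed 32-bit integers, so normalise both sides first."""
    value, mask = int(attr_value) & 0xFFFFFFFF, int(mask) & 0xFFFFFFFF
    return value & mask == mask

def user_query_matches(entry, group_dn):
    """The page's User Query: member of group_dn, a person/user object, has mail,
    and not disabled, i.e. (!(userAccountControl:1.2.840.113556.1.4.803:=2))."""
    members = [dn.lower() for dn in entry.get("memberOf", [])]
    return (group_dn.lower() in members
            and entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", [])
            and bool(entry.get("mail"))
            and not bit_and(entry.get("userAccountControl", 0), UF_ACCOUNTDISABLE))

def security_group_matches(entry, tag=None):
    """Examples 1 and 2: objectCategory=group, security bit set in groupType,
    has mail, and optionally extensionAttribute1=tag."""
    return (entry.get("objectCategory") == "group"
            and bit_and(entry.get("groupType", 0), GROUP_TYPE_SECURITY_ENABLED)
            and bool(entry.get("mail"))
            and (tag is None or entry.get("extensionAttribute1") == tag))

APPS_USERS = "cn=appsUsers,cn=users,dc=corp,dc=domain,dc=com"
# objectCategory holds the short name that AD resolves the filter value to.
PERSON = {"objectCategory": "person", "objectClass": ["top", "person", "user"]}
SAMPLE_ENTRIES = [  # constructed sample Active Directory objects
    {"dn": "cn=alice", **PERSON, "mail": "alice@domain.com",
     "memberOf": [APPS_USERS], "userAccountControl": 512},        # enabled member
    {"dn": "cn=bob", **PERSON, "mail": "bob@domain.com",
     "memberOf": [APPS_USERS], "userAccountControl": 514},        # 512|2 = disabled
    {"dn": "cn=svc-backup", **PERSON,
     "memberOf": [APPS_USERS], "userAccountControl": 512},        # no mail attribute
    {"dn": "cn=gcp-admins", "objectCategory": "group", "groupType": -2147483646,
     "mail": "gcp-admins@domain.com", "extensionAttribute1": "GoogleCloudPlatform"},
    {"dn": "cn=all-staff", "objectCategory": "group", "groupType": 2,  # distribution list
     "mail": "all-staff@domain.com", "extensionAttribute1": "GoogleCloudPlatform"},
    {"dn": "cn=legacy-sec", "objectCategory": "group", "groupType": -2147483646},  # no mail
]

def provisioned(entries, group_dn, tag=None):
    # Returns (user DNs, group DNs) that the two GCDS queries would select.
    users = [e["dn"] for e in entries if user_query_matches(e, group_dn)]
    groups = [e["dn"] for e in entries if security_group_matches(e, tag)]
    return users, groups
```

Running provisioned(SAMPLE_ENTRIES, APPS_USERS, "GoogleCloudPlatform") selects only alice and gcp-admins: the disabled account, the mail-less objects and the distribution list all drop out, which is exactly what the Important notes above warn about.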

How can I add users who only need an account for Google Cloud Platform projects?

You can configure GCDS by adding a user sync rule for Google Cloud Platform users. The simplest way is to create a new query based on the users being a member of a group. For example:

(&(memberof=cn=CloudPlatformUsers,cn=users,dc=corp,dc=domain,dc=com)(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Then, you can use the following search filter to return users who are members of the group, have an email address, and whose accounts aren’t disabled:

group cn=CloudPlatformUsers,cn=users,dc=corp,dc=domain,dc=com

Consider placing these users into a single organizational unit. To do this, define an Org Unit Name (for example, Cloud Platform Users) in the rule. Create the organizational unit if it doesn't already exist. 

Licensing issues

Consider how your domain is configured so that you can appropriately assign product licenses to user accounts. If automatic licensing is enabled, you may want to exclude the Cloud Platform Users organizational unit from being assigned a product license. For details, see Set automatic licensing options for an organization.

For more complex licensing requirements, you can configure GCDS to sync and manage all your user license assignments. For details, see Sync licences.
