GCDS best practices

Google Cloud Directory Sync

To help you run a successful synchronization with GCDS, we recommend that you:

  • Update your LDAP data first—Then, synchronize the updates to your Google domain. GCDS works best when your Google domain is updated by the synchronization process.
  • Use GCDS to provision all users and groups in your Google domain.  
  • Simulate the sync first—When you are syncing for the first time or making changes to the GCDS configuration, run a simulated synchronization to verify your settings.
  • Suspend, don't delete, user accounts—Set GCDS to suspend accounts that aren't found in Microsoft® Active Directory® or your LDAP directory. Deleted accounts can't be retrieved. If you suspend the account instead, the information in the account is retained. You can also transfer email and Google Drive content to another account if the account is suspended. See "Ensure users are suspended and not deleted" and "Use exclusion rules to retain users in your Google domain" below.
  • Don't suspend or delete administrator accounts—By default, GCDS won't suspend or delete Google administrator accounts that aren't found in Active Directory or your LDAP directory. You need to make sure that this setting is retained on the User accounts page of Configuration Manager. 
  • Review delete limits—Review the GCDS delete limits for each of the items that you want to synchronize. Ensure that the value is related to your domain size and based on a reasonable percentage or item count. 
  • Sync user accounts separately—Synchronizing user accounts on a different schedule than other items allows you to create and suspend user accounts much faster. See "Sync user accounts on a different schedule" below.

How to

Sync user accounts on a different schedule

You can use the command line to quickly sync user accounts. For example, if your configuration file is set to synchronize user accounts, organizational units, and groups, you can use the following command to synchronize only user accounts:

Sync-cmd.exe -c MyConfig.xml -a -g -ou

Ensure users are suspended and not deleted

  1. Open Configuration Manager.
  2. On the User Accounts page, click the User attributes tab.
  3. Locate the Google domain users deletion/suspension policy section.
  4. Check the Suspend Google domain users not found in LDAP, instead of deleting them box.

Use exclusion rules to retain users in your Google domain

If you have user accounts that you don't want to appear in your LDAP directory, you can use one of the following exclusion rules:

Option 1: Use an organizational unit

Move the user accounts to a dedicated organizational unit and create an exclusion rule for it in the Google domain configuration settings.

Example: 

Type: Organization Complete Path
Match Type: Exact Match
Rule: /OUPath/MyExcludedOU

Option 2: Use an email address

Create an email address match exclusion rule in the Google domain configuration settings.

Example:

Type: User Email Address
Match Type: Exact Match
Rule: user@domain.com
