Apply custom security policies

Exception groups augment your organizational structure by letting you create custom sets of users for whom Google security services are configured differently. They add a layer on top of turning services on or off by organizational unit, so you can apply special security settings to select subsets of existing organizations. The rest of the users in your organization are unaffected by these changes.

For instance, you might have an organizational structure resembling:

    • Engineering
      • Front end
      • Back end
    • Marketing
      • Production
      • Corporate

To apply a setting change to the entire organization:

  1. In the Admin console, click Security > Advanced security settings.
  2. Select the top-level organizational unit and make your changes.
  3. (Optional) To isolate the exception to all of Engineering or Marketing, select that organizational unit instead.

    All settings are inherited down through sub-organizations unless otherwise overridden.

To make a custom setting change (for example, to enforce 2-step verification for all of your contractors):

  1. Create a group that contains all of your contractors.
  2. Select the top-level organization and also select the group to apply the change to all contractors in the domain.

    The settings are applied to the intersection of the organization and group (members of both).

  3. (Optional) You can further refine this filtering by selecting lower-level organizations (for example, all of Engineering > Production or all of Marketing > Corporate) before selecting the desired group.

    This setting would apply to all contractors in those organizations only. Similarly, you can make a custom setting change at a higher-level organization and then override it by navigating to the lower-level organization and altering the settings.

To create and use an Exempt from 2-Step enforcement exception group:

  1. Follow the instructions in Create a group in the admin console to create an Exempt from 2-Step enforcement group on your domain.
    Note: If you use Google Cloud Directory Sync (GCDS) to synchronize your Active Directory groups, create the group in Active Directory first, add your users to this group, run GCDS to sync the group, and then skip the next step.
  2. Add users to the group who will not be required to use 2-step verification to sign in to their Gmail account.
  3. Click Security.
  4. Click Basic Settings > Two-step verification. For details, see 2-step verification enforcement.
  5. Click the Go to advanced settings to enforce 2-step verification link.
  6. Select the domain.
  7. In the Group filters section, click Select and find the group you created (Exempt from 2-Step enforcement).
  8. Select Turn off enforcement and click Save.
  9. In the Group filters section, click No admin groups selected.
  10. Select Turn on enforcement now and click Save.
  11. Once each member of this group enables 2-step verification, they can be removed from the Exempt from 2-Step enforcement exception group.
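
The following is an added example, not Google's code and not a call to any Google API: an offline model of the inheritance and organization-and-group intersection rules described above, plus the step 11 cleanup check for the exception group. The group names, users, policy entries and the precedence order (nearest organization first, group-filtered setting before the organization-wide one) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EXEMPT = "exempt-from-2sv"   # hypothetical group address
# Constructed policy: (OU path, group filter or None) -> 2SV enforcement on/off.
POLICY = {
    ("/", None): True,                              # steps 9-10: enforce domain-wide
    ("/", EXEMPT): False,                           # steps 7-8: exception group
    ("/Marketing", None): False,                    # lower-level OU override
    ("/Marketing/Corporate", "contractors"): True,  # contractors in this OU only
}

@dataclass
class User:
    email: str
    ou: str
    groups: set = field(default_factory=set)
    enrolled: bool = False   # user has turned on 2-step verification

# Constructed sample directory.
USERS = [
    User("alice@example.com", "/Engineering/Front end"),
    User("bob@example.com", "/Engineering/Back end", {EXEMPT}, enrolled=True),
    User("carol@example.com", "/Marketing/Corporate", {"contractors"}),
    User("dave@example.com", "/Marketing/Production", {"contractors"}),
]

def ancestors(ou):
    """Yield the OU itself, then each parent, ending at the root '/'."""
    parts = [p for p in ou.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def effective_enforcement(user, policy=POLICY):
    """Return (enforced, (ou, group)) from the nearest setting that matches.

    Assumed precedence: nearest OU first; at one OU a group-filtered
    setting beats the OU-wide one.
    """
    for ou in ancestors(user.ou):
        # A group-filtered setting covers only members of both the OU and the group.
        for group in sorted(user.groups):
            if (ou, group) in policy:
                return policy[(ou, group)], (ou, group)
        if (ou, None) in policy:
            return policy[(ou, None)], (ou, None)
    return False, None   # nothing configured anywhere

def removable_exemptions(users, group=EXEMPT):
    """Step 11: exception-group members who have enrolled and can be removed."""
    return sorted(u.email for u in users if group in u.groups and u.enrolled)

if __name__ == "__main__":
    for u in USERS:
        print(u.email, effective_enforcement(u))
    print("remove from exception group:", removable_exemptions(USERS))
```

Running the same check against a real user export on a schedule keeps the exception group from accumulating members who no longer need the exemption.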