This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

GCDS Filter/Exception to OMIT a Single OU

Justin_W
Contributor II

Tuesday

I'm trying to find the correct way to get this working, and so far I'm not having any luck. Gemini was in full hallucination mode when I asked it.

 

We've got GCDS setup and running on our Windows AD server now for several years.  No big issues.


However, as we grow more into our Google Workspace I'm looking to make a change:

 

I've got an OU in AD that I don't want to Sync with GW - and vice-versa.

I'm looking to keep this "Service Accounts" OU separate between the two because each has accounts the other doesn't need.

 

I don't was GCDS to suspend users in GW if they don't exist in AD. I don't want wants GCDS to create users from this OU in GW if they don't exist.  GCDS should just ignore the OU all together - leaving whatever is in there as-is.

 

I'm also not looking for a solution that involves individually making exemptions on a per-account basis - the idea is to that any account created in either location within that specific OU will just be left alone during the Sync.

 

Has someone successfully done this? It doesn't seem like it should be tricky but I'm having a hard time getting it to work right.

0 Kudos
Reply
7 REPLIES 7

dyresons
New Contributor

Tuesday

you can accomplish this a few ways. 

You can set up to only search specific OU's for users.

dyresons_2-1778008409672.png

dyresons_3-1778008451642.png

This would add staff to a google ou called staff, if they have an email address and if they are a member of a specific group.

 

Another option would be to change the base dn for a search on the LDAP configuration tab.  If your service accounts were in an OU outside of the search setting.

 

0 Kudos
Reply

Justin_W
Contributor II
In response to dyresons

Tuesday

>This would add staff to a google ou called staff, if they have an email address and if they are a member of a specific group.

 

This seems like it's suggesting a complete re-design of my OU structure (moving all staff to a specific OU). That's definitely not what I'm looking for.

 

>Another option would be to change the base dn for a search on the LDAP configuration tab.  If your service accounts were in an OU outside of the search setting.

 

This may be the answer - but I'm not clear on how I actually do this properly for my case.

I'm not overly familiar with the syntax that AD is using here - How would I tell it to do everything it's currently doing, just omit a specific OU named "Service Accounts" (and any of its child OUs)?

 

0 Kudos
Reply

dyresons
New Contributor
In response to Justin_W

Thursday

can you share a sample structure of your AD structure and your current base dn seach we we know where you have started looking for accounts.

0 Kudos
Reply

Justin_W
Contributor II
In response to dyresons

Thursday

LDAP.pngOUs.png

 

Hope this helps. I'm stumped and surprised it seems like such a tricky task (I haven't gotten help elsewhere)

0 Kudos
Reply

alexgrutza
Contributor III
In response to Justin_W

Thursday

I believe you'd could add in the "Organizational Units" setting on the left in GCDS, an exclusion rule specifically identifying the Service Accounts OU. Another option would be to add multiple "Org Units" search locations (like all of the OUs) and manually leave the Service Accounts OU not listed in the search criteria. 

Hope that helps

--
CISSP | LinkedIn | @Phyxiis
0 Kudos
Reply

Olger
New Contributor III
In response to alexgrutza

Thursday

I can confirm exclusion rules are for this purpose. We use GCDS to sync to GWS and we have some exclusion rules setup in Org Units (in GCDS) and also in Google Domain Conf (in GCDS) to exclude some OU's in GWS from being looked at by GCDS when syncing.

GCDS can get quite complex but it generally works well.

0 Kudos
Reply

Kim_Nilsson
Admin Moderator

yesterday - last edited yesterday

GCDS is a fun little toy! 🙂

There are probably several ways to solve this.

One easy way would be to make sure all users within the AD OU Service Accounts to be member of an AD-group, and then !exclude those members from being synced.

Or, add the full OU path to the LDAP query in the Rule field. Perhaps as an OR to the negative rule of not syncing disabled users. or its own AND rule.

This should do it.

(&
  (objectCategory=person)
  (objectClass=user)
  (mail=*)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (!(distinguishedName=*,OU=Service Accounts,OU=ICS,DC=ics-milw,DC=org))
)

Actually I think a shorter version is enough.

(&
  (objectCategory=person)
  (objectClass=user)
  (mail=*)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (!(OU=Service Accounts,OU=ICS,DC=ics-milw,DC=org))
)

Currently you have a veeeery simple rule to grab everything inside ICS.

The easiest way to accomplish what you want... is to add all users within ISC to a group, except for those in the Service Account OU, and add that as a requirement to your simple LDAP Rule. This logic can then be replicated however many excusion OUs you have in the AD.

Do note that, so far, all of this is done in the AD.

Next step, making sure GCDS doesn't touch manually created accounts.

In the Google rules at the top of GCDS, you should also exclude any and all OUs where you have manually created users, as GCDS should never touch them. And you should, of course, never put manual users inside OUs of synced users.

--
https://wheretofind.me/@NoSubstitute
0 Kudos
Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines