This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

GCDS Filter/Exception to OMIT a Single OU

Justin_W
Contributor II

yesterday

I'm trying to find the correct way to get this working, and so far I'm not having any luck. Gemini was in full hallucination mode when I asked it.

 

We've got GCDS setup and running on our Windows AD server now for several years.  No big issues.


However, as we grow more into our Google Workspace I'm looking to make a change:

 

I've got an OU in AD that I don't want to Sync with GW - and vice-versa.

I'm looking to keep this "Service Accounts" OU separate between the two because each has accounts the other doesn't need.

 

I don't was GCDS to suspend users in GW if they don't exist in AD. I don't want wants GCDS to create users from this OU in GW if they don't exist.  GCDS should just ignore the OU all together - leaving whatever is in there as-is.

 

I'm also not looking for a solution that involves individually making exemptions on a per-account basis - the idea is to that any account created in either location within that specific OU will just be left alone during the Sync.

 

Has someone successfully done this? It doesn't seem like it should be tricky but I'm having a hard time getting it to work right.

0 Kudos
Reply
2 REPLIES 2

dyresons
New Contributor

yesterday

you can accomplish this a few ways. 

You can set up to only search specific OU's for users.

dyresons_2-1778008409672.png

dyresons_3-1778008451642.png

This would add staff to a google ou called staff, if they have an email address and if they are a member of a specific group.

 

Another option would be to change the base dn for a search on the LDAP configuration tab.  If your service accounts were in an OU outside of the search setting.

 

0 Kudos
Reply

Justin_W
Contributor II
In response to dyresons

yesterday

>This would add staff to a google ou called staff, if they have an email address and if they are a member of a specific group.

 

This seems like it's suggesting a complete re-design of my OU structure (moving all staff to a specific OU). That's definitely not what I'm looking for.

 

>Another option would be to change the base dn for a search on the LDAP configuration tab.  If your service accounts were in an OU outside of the search setting.

 

This may be the answer - but I'm not clear on how I actually do this properly for my case.

I'm not overly familiar with the syntax that AD is using here - How would I tell it to do everything it's currently doing, just omit a specific OU named "Service Accounts" (and any of its child OUs)?

 

0 Kudos
Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines