With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server.
Benefits of using GCDS to sync data
Runs as a utility in your server environment
Includes all necessary components in the installation package, and includes a number of features to make your data more secure. GCDS runs inside your network and reads your LDAP directory locally, so nothing outside your perimeter has access to your LDAP server data; only the user, group, and contact data you choose to sync leaves your network, over the connection GCDS makes to your Google Account.
Syncs users, aliases, groups, and other data with your Google Account
Ensures your Google data matches that of your Active Directory or LDAP server. Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
Configure rules for custom mapping
Allows you to configure rules for custom mapping of users, groups, nonemployee contacts, user profiles, aliases, calendar resources, and exceptions.
Has default settings to make setup easier
If you’re using GCDS with an Active Directory server or OpenLDAP, you can easily set up your configuration using the default values in Configuration Manager.
Uses step-by-step user interface
Guides you through creating and running a synchronization. Includes a simulation stage so you can test your setup and review the planned changes before anything is changed in your Google Account.
Uses rules and exclusions so you can omit data from a sync
Set up exclusion rules to omit data such as users, profiles, groups, organizational units, or calendar resources from a sync.
How GCDS works
You set up rules to specify how the system generates a list of your data.
During a sync, the list is exported from your LDAP server.
GCDS connects to your Google Account and generates a list of users, groups, and shared contacts that you specify.
GCDS compares these lists and updates your Google Account to match your LDAP data.
After the synchronization, you get an email report so that you can monitor the process.
GCDS best practices
To run a successful synchronization with Google Cloud Directory Sync (GCDS), we recommend that you follow these best practices.
Prepare GCDS
Ensure you meet the system requirements, particularly the amount of free RAM required—If you are planning on syncing a large number of entities from your LDAP directory, make sure you have enough free RAM on your GCDS server. Also, make sure you are running the latest version of GCDS.
Make sure your setup is secure—Harden the machine where GCDS is installed and restrict who can log on to it. The credentials stored in the XML configuration file are encrypted, but the encryption key has to be available to GCDS on that same machine, so an attacker who gains access to the host can obtain both the XML file and the key and recover the credentials. Because the sync is one-way, the LDAP account GCDS binds with only needs read access to your directory; don't grant it more.
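One concrete check for the item above: confirm that the GCDS configuration XML is readable only by the account that runs the sync. The following is an added example, not GCDS code or anything from this page. It assumes a Linux or Unix GCDS host (POSIX file modes, not Windows ACLs), takes the configuration path as an argument because the page names none, and checks only the XML file because the page does not say where the encryption key is kept. The filename in the usage comment is hypothetical.

```python
"""Added check for the 'make sure your setup is secure' item: confirm that the
GCDS configuration XML is readable only by the account that runs the sync.
Illustration only, not GCDS code; assumes a Linux/Unix host (POSIX modes, not
Windows ACLs). The page names no path, so the caller supplies one."""
import os
import stat
import sys
import tempfile


def config_file_problems(path: str, expected_uid=None) -> list:
    """Return findings for the file at path; an empty list means it passes."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; check the target, not the link"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit is set
        problems.append(f"mode {oct(mode)} grants group/other access; use 0o600")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def demo_check() -> dict:
    """Constructed demonstration: two throwaway files, one loose and one tight."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("loose.xml", 0o644), ("tight.xml", 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("<config/>")  # stand-in for the real GCDS XML
            os.chmod(p, mode)
            results[name] = config_file_problems(p, expected_uid=os.getuid())
    return results


if __name__ == "__main__":
    # Usage (hypothetical filename): python check_gcds_config.py /path/to/gcds-config.xml
    findings = config_file_problems(sys.argv[1], expected_uid=os.getuid())
    print("OK" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

Run it from the service account that executes the sync so that the ownership check compares against the right uid; a non-zero exit makes it usable as a pre-sync step in a scheduled job.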
Update your LDAP data first and remember to simulate a sync—When your LDAP data is ready, run a simulated sync to verify your settings and review the planned changes. Then, run a full sync to transfer the updates to your Google Account. GCDS works best when changes are made in your LDAP directory and carried to Google by the sync, rather than made directly in your Google Account, because the one-way sync will overwrite direct edits with the LDAP values.
Review and invite unmanaged users—Check if you have existing unmanaged users. If you do, invite them to transfer their account to your organization's managed Google Account before running the first sync. Doing so ensures that a sync won't create conflicting accounts for these users.
User accounts: Suspend, don't delete—If user accounts aren't found in your LDAP directory, set GCDS to suspend, rather than delete, the accounts. Deleted accounts can't be retrieved after 20 days, but data is retained for suspended accounts. You can also transfer email and Google Drive content from a suspended account to another account.
Sync user accounts on a different schedule—Synchronize user accounts on a separate, more frequent schedule so that new accounts are created and departed users are suspended in Google shortly after they change in the LDAP directory. Changes that aren't as urgent (for example, shared contact updates or group memberships) can be synced less often. Use the command line to sync only user accounts.
Admin accounts: Don't suspend or delete—By default, GCDS won't suspend or delete Google administrator accounts that aren't found in your LDAP directory. Retain this setting to make sure that you don't lose any Google admin accounts.
Review delete limits—Review the GCDS delete limits for each of the items that you want to synchronize. Set each limit relative to your account size, as a reasonable percentage or item count, so that a faulty LDAP export (for example, an empty search result caused by a misconfigured search rule) cannot remove a large part of your Google Account in a single run.
Use exclusion rules to retain users or groups in your Google Account—If you have user accounts or groups in Google that don't exist in your LDAP directory, you can use an exclusion rule to make sure that the users or groups remain in your Google Account. Before you use exclusion rules, make sure you’re familiar with their usage.
Exclude LDAP data by using focused search rules—If you want to prevent entities in your LDAP directory from syncing to your Google Account, we recommend using focused search rules. Search rules are easier to manage than LDAP exclusion rules and can improve sync performance. Before you use search rules, get familiar with their usage.
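The sync cycle described under "How GCDS works" and the best practices above (simulate first, suspend rather than delete, leave Google admins alone, apply delete limits, keep Google-only accounts with exclusion rules) are modelled in the following Python, which is an added example and not GCDS code. It calls no LDAP or Google API; the two directory listings, the regex-based exclusion rule, the action names, and the way the delete limit combines an item count with a percentage are constructed for illustration and are not GCDS's actual configuration format or behaviour.

```python
"""Model of a one-way GCDS-style sync: diff an LDAP export against the Google
list and compute changes for the Google side only. Added illustration, not GCDS
code; no LDAP or Google API is called and the directory data is constructed."""
import math
import re
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class User:
    email: str
    name: str
    suspended: bool = False
    admin: bool = False

# Constructed sample: the list exported from the LDAP server (source of truth).
LDAP_USERS = {
    "alice@example.com": User("alice@example.com", "Alice Liddell"),
    "bob@example.com": User("bob@example.com", "Bob Stone"),
    "carol@example.com": User("carol@example.com", "Carol Diaz"),
}

# Constructed sample: the list read back from the Google Account.
GOOGLE_USERS = {
    "alice@example.com": User("alice@example.com", "Alice Liddell"),
    "bob@example.com": User("bob@example.com", "Robert Stone"),  # renamed in LDAP
    "dave@example.com": User("dave@example.com", "Dave Park"),  # no longer in LDAP
    "erin@example.com": User("erin@example.com", "Erin Bell"),  # no longer in LDAP
    "admin@example.com": User("admin@example.com", "Break Glass", admin=True),
    "svc-backup@example.com": User("svc-backup@example.com", "Backup Service"),
}

@dataclass
class SyncConfig:
    exclusion_patterns: list = field(default_factory=list)  # Google-only users to keep
    suspend_instead_of_delete: bool = True  # recommended above
    protect_admins: bool = True  # GCDS default: never suspend/delete Google admins
    max_removals_count: int = 100  # modelled delete limit: absolute cap ...
    max_removals_percent: float = 50.0  # ... and share of the Google list

class DeleteLimitExceeded(Exception):
    """The sync would remove more accounts than the configured limit allows."""

def within_delete_limit(n_removals: int, google_total: int, cfg: SyncConfig) -> bool:
    """Removals must stay under both the absolute and the percentage cap."""
    allowed = min(cfg.max_removals_count,
                  math.floor(google_total * cfg.max_removals_percent / 100))
    return n_removals <= allowed

def plan_sync(ldap: dict, google: dict, cfg: SyncConfig) -> list:
    """Simulation stage: return (action, email) tuples without changing anything.
    LDAP is only read; every action targets the Google Account."""
    excluded = [re.compile(p) for p in cfg.exclusion_patterns]
    plan = []
    # Pass 1: every LDAP user must exist in Google with matching attributes.
    for email, src in ldap.items():
        cur = google.get(email)
        if cur is None:
            plan.append(("create", email))
            continue
        if cur.suspended:
            plan.append(("unsuspend", email))  # rejoined, or suspended by mistake
        if cur.name != src.name:
            plan.append(("update", email))
    # Pass 2: Google users that LDAP no longer lists.
    removals = []
    for email, cur in google.items():
        if email in ldap:
            continue
        if any(p.search(email) for p in excluded):
            plan.append(("keep-excluded", email))
        elif cur.admin and cfg.protect_admins:
            plan.append(("keep-admin", email))
        elif cur.suspended and cfg.suspend_instead_of_delete:
            continue  # handled on an earlier run; the sync is idempotent
        else:
            removals.append(email)
    # Delete limit: abort rather than mass-remove after a bad export (empty OU, wrong base DN).
    if not within_delete_limit(len(removals), len(google), cfg):
        raise DeleteLimitExceeded(f"{len(removals)} removals exceed the limit")
    action = "suspend" if cfg.suspend_instead_of_delete else "delete"
    plan.extend((action, email) for email in removals)
    return plan

def apply_plan(google: dict, ldap: dict, plan: list) -> dict:
    """Apply the plan to a copy of the Google list and return the new list."""
    new = dict(google)
    for action, email in plan:
        if action == "create":
            new[email] = ldap[email]
        elif action == "update":
            new[email] = replace(new[email], name=ldap[email].name)
        elif action == "unsuspend":
            new[email] = replace(new[email], suspended=False)
        elif action == "suspend":
            new[email] = replace(new[email], suspended=True)
        elif action == "delete":
            del new[email]
    return new  # keep-* actions are report-only
```

Calling plan_sync(LDAP_USERS, GOOGLE_USERS, SyncConfig(exclusion_patterns=[r"^svc-"])) is the simulation: it reports that bob is updated, carol is created, dave and erin are suspended, the Google-only admin and the excluded service account are kept, and nothing is deleted. Dropping the exclusion pattern would suspend svc-backup on the next run, and lowering max_removals_percent to 20 makes the same two removals trip the limit and abort the whole sync, which is the behaviour you want after a broken LDAP export.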