Introduction
In this article, we will walk through the technical details of setting up user and group provisioning from Active Directory to Cloud Identity or Google Workspace using Google Cloud Directory Sync (GCDS). The guide provides step-by-step instructions for configuring the synchronization and points out the settings that protect the sync credentials and the provisioned accounts.
What is Google Cloud Directory Sync?
Google Cloud Directory Sync allows administrators to synchronize users, groups, and other data. This synchronization occurs from an Active Directory/LDAP service to their Google Cloud domain directory. Let’s look at some of the features of GCDS.
- You can configure GCDS to suspend or delete Google accounts whose corresponding Active Directory user accounts have been disabled or deleted.
- You can scope the synchronization with LDAP search rules, similar to the filtering available in Entra ID Connect or Entra Cloud Sync.
- It can be configured to sync organizational units, user profiles, custom schemas, shared contacts, calendar resources and licenses.
- You can set a deletion limit so that a sync run is aborted if the number of deletions exceeds the configured threshold.
- It can send an email notification with the synchronization result.
- You can schedule the synchronization.
- You can configure GCDS to substitute the domain suffix of the user's address in Cloud Identity. For instance, the on-premises userPrincipalName User@myforest1.com can be provisioned as User@frontline.myforest1.com or User@msetlab.com.
Note: Google Cloud Directory Sync does not sync passwords from Active Directory. For that, use the separate Password Sync tool, which updates users' Google Workspace and Cloud Identity passwords when they are changed in on-premises Active Directory.
Organization Benefits
Google Cloud relies on Google identities to handle authentication and access management. Managing Google identities manually for every employee can lead to unnecessary management overhead. This is especially true when all employees already have Active Directory accounts.
Organizations can simplify identity management by synchronizing user and group information from Active Directory to Google Workspace. This avoids managing two sets of identities: users access on-premises and Google Workspace applications with a single identity, and Active Directory remains the authoritative source for that identity.
Prerequisites
To synchronize Active Directory user accounts and groups with Google Workspace, ensure you meet the prerequisites below.
- An Active Directory forest or domain
- The Google Cloud Directory Sync software
- A Cloud Identity or Google Workspace account
- A public domain name from an authorized registrar
- A Google Workspace or Cloud Identity account with the Super Admin role
- An Active Directory user account with read access to the users and groups that will be synchronized. GCDS only reads from Active Directory, so Domain Admin privileges are not required.
Where to deploy Google Cloud Directory Sync?
GCDS is a tool that helps sync user and group information. This information is stored in an LDAP directory. It is synced to Cloud Identity or Google Workspace. It simply acts as a bridge between the LDAP server and Cloud Identity or Google Workspace. GCDS retrieves the necessary information from the directory. It adds, modifies, or deletes users in your Cloud Identity or Google Workspace account.
Google Cloud Directory Sync can be deployed in an on-premises environment. It can also run on a Compute Engine virtual machine in Google Cloud.
Practical Example
Imagine a company called myforest1 that has a worldwide presence. They have an on-premises Active Directory to offer identity services. The main office is in Seattle. Their Active Directory integrates with an Entra ID Tenant through Entra Connect Sync. All users use Microsoft 365 services, including Teams, email, OneDrive, SharePoint online, etc.
As per business requirements, they would like to onboard a new domain, "frontline.myforest1.com", for frontline workers so that they can use Google Workspace services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Meet and Google Forms.
However, they want to continue using Active Directory as the source of truth for identity management.
In this scenario, the organization can simply deploy the Google Cloud Directory Sync (GCDS) tool to provision on-premises objects into its existing Google Workspace or Cloud Identity account, and then assign Google licenses to meet its business goals.
The diagram below illustrates this scenario.

Implementation steps
I have implemented a hybrid Active Directory environment using Entra Cloud Sync to show the setup. Recently, I replaced the last Exchange server in this environment with the Exchange Management Tools server.
This article exclusively discusses the process of synchronizing user accounts and groups that are linked to the domain frontline.myforest1.com.
Before we start, please make sure that you have completed the prerequisites. Follow the steps below to achieve the goal mentioned in the Practical Example section.
Step 1: Create a user account in Cloud Identity for GCDS and assign the Super Admin role
- Sign in to https://admin.google.com/ in any web browser
- Navigate to Directory > Users > Add new user
- I have created a user account named gcds.myforest1@frontline.myforest1.com and assigned it the Super Admin role, as shown in the screenshots below


Step 2: Create an Active Directory user for GCDS
GCDS needs a domain user account with sufficient access to read user and group information from Active Directory. Because GCDS only reads from the directory, a standard domain user with read access to the objects in scope is sufficient. You can create the account with either the GUI or PowerShell.
I have created an account named gcds@frontline.myforest1.com using PowerShell and added it to the Domain Admins group to grant administrative privileges.
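Since GCDS only needs read access to Active Directory, the following is an added example (not part of the original article) of creating the gcds account with least privilege and then verifying two things a practitioner would want to check: that the account is not a member of any privileged group, and that it can actually read the users matched by the search rule used later in this article. The OU path, display name and the use of the ActiveDirectory PowerShell module on the GCDS host are assumptions.

```powershell
# Added example, not from the original article: least-privilege AD account for GCDS.
# GCDS performs LDAP reads only, so no privileged group membership is needed.
Import-Module ActiveDirectory

$SamAccountName = 'gcds'
$Upn            = 'gcds@frontline.myforest1.com'                          # UPN from the article
$TargetOu       = 'OU=Service Accounts,DC=frontline,DC=myforest1,DC=com'  # assumed OU

# Generate a long random password; it is never echoed and should go into your vault.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$securePwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# A plain domain user: no group membership beyond Domain Users.
New-ADUser -Name 'GCDS Service Account' `
    -SamAccountName $SamAccountName `
    -UserPrincipalName $Upn `
    -Path $TargetOu `
    -AccountPassword $securePwd `
    -Enabled $true `
    -Description 'Read-only directory account for Google Cloud Directory Sync'

# Check 1: the account must not be (directly or transitively) in a privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($group in $privileged) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if ($members.SamAccountName -contains $SamAccountName) {
        throw "$SamAccountName is a member of privileged group '$group'"
    }
}

# Check 2: using its own credentials, the account can read the users GCDS will import.
# This is the same filter configured as the GCDS user search rule in Step 9.
$cred        = New-Object System.Management.Automation.PSCredential ($Upn, $securePwd)
$scopeFilter = '(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$inScope     = Get-ADUser -LDAPFilter $scopeFilter -Properties mail -Credential $cred
"Account $SamAccountName can read $(@($inScope).Count) in-scope users"
```

If the second check returns zero users while an administrator sees many, the account lacks read access to the OU in question (for example because inheritance was removed on that OU) and GCDS would silently treat those users as out of scope.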

Step 3: Install Google Cloud Directory Sync software
Next, we must install the Google Cloud Directory Sync software to provision on-premises objects into Cloud Identity. Follow the instructions below to download and install GCDS.
- Run the PowerShell command below to download the GCDS installer:

```powershell
(New-Object net.webclient).DownloadFile("https://dl.google.com/dirsync/dirsync-win64.exe", "$(pwd)\dirsync-win64.exe")
```

- Launch the installation wizard by running the following command:

```powershell
.\dirsync-win64.exe
```
In this demonstration, I have installed GCDS software on the domain controller.
Step 4: Create a folder for the GCDS configuration
GCDS stores its configuration in an XML file. Make sure the folder that holds this configuration is properly secured, because the file contains the OAuth refresh token that GCDS uses to authenticate to Google; anyone who can read it can act as the Super Admin account.
Run the following PowerShell commands with administrative privileges to create the folder gcds and restrict its ACL to administrators and the LOCAL SERVICE account:

```powershell
$gcdsDataFolder = "$Env:ProgramData\gcds"
New-Item -ItemType directory -Path $gcdsDataFolder
&icacls "$gcdsDataFolder" /inheritance:r
&icacls "$gcdsDataFolder" /grant:r "CREATOR OWNER:(OI)(CI)F" /T
&icacls "$gcdsDataFolder" /grant "BUILTIN\Administrators:(OI)(CI)F" /T
&icacls "$gcdsDataFolder" /grant "Domain Admins:(OI)(CI)F" /T
&icacls "$gcdsDataFolder" /grant "LOCAL SERVICE:(OI)(CI)F" /T
```
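Because the refresh token in this folder is effectively a Super Admin credential, it is worth verifying the resulting ACL rather than trusting that the icacls commands applied as intended. The following is an added example, not part of the original article, that checks the folder (and anything already inside it) has inheritance disabled and grants access only to the principals named above. The expected principal list mirrors the icacls commands; the domain prefix taken from $Env:USERDOMAIN is an assumption and may need adjusting.

```powershell
# Added example, not from the original article: verify the ACL on the GCDS config folder.
$gcdsDataFolder = "$Env:ProgramData\gcds"

# Principals the icacls commands in Step 4 are expected to leave on the folder.
# The NetBIOS domain prefix is assumed to be $Env:USERDOMAIN on the GCDS host.
$allowed = @(
    'CREATOR OWNER',
    'BUILTIN\Administrators',
    "$Env:USERDOMAIN\Domain Admins",
    'NT AUTHORITY\LOCAL SERVICE'
)

function Test-GcdsFolderAcl {
    param([string]$Path, [string[]]$AllowedIdentities)

    $problems = @()
    $targets  = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)

    foreach ($item in $targets) {
        $acl = Get-Acl -Path $item.FullName

        # Inheritance must be broken on the folder itself; otherwise ProgramData's
        # default ACEs (e.g. BUILTIN\Users read) flow down onto the token file.
        if ($item.FullName -eq (Get-Item $Path).FullName -and -not $acl.AreAccessRulesProtected) {
            $problems += "$($item.FullName): still inherits ACEs from its parent"
        }

        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($AllowedIdentities -notcontains $who) {
                $problems += "$($item.FullName): unexpected ACE for '$who' ($($ace.FileSystemRights))"
            }
        }
    }
    return $problems
}

$findings = Test-GcdsFolderAcl -Path $gcdsDataFolder -AllowedIdentities $allowed
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'GCDS configuration folder ACL is not restricted as expected'
}
"ACL on $gcdsDataFolder is restricted to: $($allowed -join ', ')"
```

Run this again after the first sync, once GCDS has written its configuration XML, so the check covers the token file itself and not only the empty folder.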

Step 5: Configure Google Cloud Directory Sync
Configuring Google Cloud Directory Sync (GCDS) enables user and group provisioning from on-premises Active Directory to Google Workspace or Cloud Identity.
In this demonstration, we will provision the users and groups linked to the Organizational Unit named "Frontline Workers".
After this demonstration, you will understand how to:
- Connect to Cloud Identity or Google Workspace from the GCDS tool
- Connect to an Active Directory domain from the GCDS tool
- Sync user accounts and groups with Google Cloud
- Configure user mappings by email address
- Configure the user deletion policy
- Configure group mappings by email address
- Configure the group deletion policy
- Configure logging and notifications
- Simulate user provisioning
- Run the initial (full sync) user provisioning
Step 6: Connect to Cloud Identity or Google Workspace from the GCDS tool
Log in to the domain controller where we installed GCDS, open Configuration Manager and follow the instructions in the video below.
Step 7: Connect to Active Directory Domain from GCDS tool
Follow the video instructions to connect to the Active Directory domain. I will use domain admin credentials in the demo; you can use the gcds account that we created earlier.
Step 8: Choose what to synchronize
Select User Accounts and Groups to synchronize with Cloud Identity as illustrated in the below figure.

Step 9 : Configure User mappings by email address
To provision users in Cloud Identity from Active Directory, configure user mappings by email address as described in the table or video below.
| User Accounts\User Attribute\User Email (Default Value) | After connecting Active Directory with Cloud Identity or Google Workspace, set up how user accounts are matched between the two systems. This depends on whether you want to match users by email address or by userPrincipalName. Throughout Google Cloud, the email address identifies the user and serves as the username for all Google Cloud applications, which is why we selected the mail attribute. In our scenario, the UPN and the email address are the same. |
| User Accounts\User Attribute\Unique identifier Attribute (Default Value) | Next, choose an attribute whose value is unique across all user accounts on the Active Directory side. GCDS uses it to recognize an object after it is renamed in Active Directory and to track which Active Directory user corresponds to which user in Cloud Identity. Keep the default value. |
| User Accounts\User Attribute\Alias Address Attributes (Default Value) | Keep the default proxyAddresses value, because we sometimes need to sync alias addresses with Cloud Identity or Google Workspace. |
| User Accounts\Additional User Attributes (Default Value) | Use the default value. |
| User Accounts\SearchRule | Create a search rule that specifies which users to import and synchronize with Cloud Identity or Google Workspace. Users outside the scope are not synchronized and, if they already exist on the Google side, are handled by the deletion policy. Rule: (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) Leave the Base DN empty. This rule matches all enabled users with a non-empty mail attribute and ignores computer and managed service accounts. |
| User Accounts\Exclusion Rules | Exclusion rules exclude specific Cloud Identity or Google Workspace accounts from being modified, suspended or deleted by GCDS, regardless of whether they exist in Active Directory. The deletion limit, which aborts a sync run when the number of deletions exceeds a configured threshold, is a separate setting. |
Step 10: Configure user account deletion policy
Enable the option "Don't suspend or delete Google domain admins not found in LDAP". This prevents GCDS from suspending or deleting the Super Admin user you used to configure your Cloud Identity or Google Workspace account, which has no counterpart in Active Directory.

Other methods exist to exclude user accounts from the sync scope; see Google's documentation to learn more.
Step 11: Configure group mappings by email address
After connecting Active Directory with Cloud Identity or Google Workspace, you must configure the group matching. You need to decide how to match groups between the two systems. This step depends on whether you want to match groups using their name or email address.
- To provision security groups, first identify their types and then create an appropriate LDAP query. To sync all groups that have an email address, use the query below.
- (&(objectCategory=group)(mail=*))
- Create a custom rule for groups that matches email addresses between Active Directory and Cloud Identity. Follow these instructions:
- In Configuration Manager, navigate to Groups > Search Rules > Use Defaults to add a couple of default rules.
- Click the edit icon of the first rule > Edit Rule, replace the LDAP query and click OK.
- Remove the second rule.
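Before committing the user search rule from Step 9 and the group query above to GCDS, it is worth running the same LDAP filters against Active Directory to see exactly what would be imported. The following is an added example, not part of the original article, that dry-runs both filters and surfaces the cases that cause trouble in practice: enabled users without a mail attribute (silently out of scope), users whose mail and UPN differ (the Google username will not match what they use on-premises), duplicate mail values (collisions, since the email is the Google username) and groups with members outside the user scope (those members will not exist in Google and cannot be added). The OU path is an assumption; the article itself leaves the Base DN empty.

```powershell
# Added example, not from the original article: dry-run the GCDS search rules in AD.
Import-Module ActiveDirectory

# Filters exactly as configured in GCDS (Step 9 users, Step 11 groups).
$userFilter  = '(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$groupFilter = '(&(objectCategory=group)(mail=*))'
# Assumed OU for the demo; remove -SearchBase to mimic the article's empty Base DN.
$searchBase  = 'OU=Frontline Workers,DC=frontline,DC=myforest1,DC=com'

# 1. Users GCDS would import.
$inScope = @(Get-ADUser -LDAPFilter $userFilter -SearchBase $searchBase -Properties mail, proxyAddresses)
"{0} users match the GCDS user search rule" -f $inScope.Count

# 2. Enabled users in the OU with no mail attribute: never provisioned, and deleted
#    on the Google side if they already exist there, because they fall out of scope.
"--- enabled users without mail (out of scope) ---"
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 3. mail differs from UPN: the Google username (mail) will not match the on-prem sign-in name.
"--- users whose mail and UPN differ ---"
$inScope | Where-Object { $_.mail -ne $_.UserPrincipalName } |
    Select-Object SamAccountName, mail, UserPrincipalName | Format-Table -AutoSize

# 4. Duplicate mail values collide in Google, where the address is the account identifier.
"--- duplicate mail values ---"
$inScope | Group-Object mail | Where-Object Count -gt 1 |
    Select-Object Name, Count | Format-Table -AutoSize

# 5. Groups GCDS would sync, and how many of their (nested) user members fall outside
#    the user scope and therefore cannot be added to the Google group.
"--- groups and out-of-scope members ---"
$scopeDns = $inScope.DistinguishedName
Get-ADGroup -LDAPFilter $groupFilter -SearchBase $searchBase -Properties mail | ForEach-Object {
    $members = @(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
                 Where-Object objectClass -eq 'user')
    $outside = @($members | Where-Object { $scopeDns -notcontains $_.DistinguishedName })
    [pscustomobject]@{
        Group             = $_.Name
        Mail              = $_.mail
        Members           = $members.Count
        OutOfScopeMembers = $outside.Count
    }
} | Format-Table -AutoSize
```

Any non-empty result in sections 2 to 5 should be fixed in Active Directory, or the filter adjusted, before the first real sync; the GCDS simulation in Step 14 will show the same objects, but only after the configuration is already in place.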
Step 12: Configure group deletion policy
GCDS handles the removal of groups in the same way as it does for users, and groups can likewise be protected by adding exclusion rules in Configuration Manager. For more information, see Google's documentation.
Step 13: Configure logging and notifications
Keeping users in sync requires running GCDS on a schedule. You can control the GCDS log file settings to monitor activity and issues: specify where to write the log file, the level of detail and the maximum log file size.
By default, logs are written to the user profile directory.

However, you can change the directory, as shown in the below figure.

Please remember to commit changes by saving the configuration file whenever you make changes.
In addition to writing a log, GCDS can send email alerts. To enable this feature, click Notifications and enter the connection details of your email server.

Step 14: Initial user provisioning
Now it's time to kick off the initial synchronization. Navigate to Sync > Simulate. This simulates user provisioning based on the configuration: GCDS does not change your Cloud Identity or Google Workspace account during a simulation, but reports which changes it would perform during a regular provisioning run.
Triggering user provisioning permanently changes users and groups in your Cloud Identity or Google Workspace account. Consider temporarily changing the LDAP query to match a small subset of users for testing. This avoids repeatedly modifying or deleting many users, which Google may treat as abusive behavior.
Conclusion
Google Cloud Directory Sync (GCDS) is a powerful tool for synchronizing user and group information from your LDAP server or Active Directory to your Google Workspace or Cloud Identity domain. With GCDS, you can automate the provisioning and de-provisioning of user accounts and keep group memberships current, so that your directory information stays up to date and accurate. This reduces the manual effort of managing identities, saves time, reduces errors and improves your organization's overall security.
Thank you for taking the time to read this article. I hope the technical details were easy to follow and that this piece proves to be a valuable resource for your work.