Google Conflicting Accounts & Google Cloud Directory Sync
Hey, thank you for joining in. This is Goldy. Again, welcome back to the Google conflicting accounts video series.
In the past, we have discussed what Google conflicting accounts are and how to resolve them seamlessly.
In this video, I want to cover a very specific use case: how do you deal with Google conflicting accounts when you are using Google Cloud Directory Sync to provision your user identities?
For that, let us first understand how the Google Cloud Directory Sync utility works. You have your Google Cloud Identity or Google Workspace on one side, and on the other side, inside your firewall, you have your LDAP directory, where you will install Google Cloud Directory Sync.
Directory Sync will read the information from your LDAP directory based on your LDAP queries, and on the other side, it will also read the information from the Google Cloud directory (Google Workspace or Google Cloud Identity).
It will compare both pieces of information, and finally it will write to Google Cloud Identity or to Workspace with the objective of replicating whatever you have in your LDAP directory.
Another point to note here is that, behind the scenes, Google Cloud Directory Sync leverages Google's Directory API, and the Directory API does not detect whether an account is a conflicting account or not.
So let me show you how you can deal with this specific scenario, where on one side you have Google Cloud Directory Sync in place and on the other side you have consumer or conflicting accounts.
1. Find Consumer Accounts
So number one, you should find Google consumer accounts (I covered this in another detailed video / post, watch it if you have not yet). It will give you a list of all the consumer accounts. Ideally, you should download that into a CSV file.
Once you have the CSV, you should reach out to these consumer account owners and ask whether they have any corporate data inside the consumer account that they created with their company email address.
3. Decision (e.g. exclude in GCDS)
Based on their response, you can decide either to provision them via Google Cloud Directory Sync or to exclude them and send them an account transfer request instead.
E.g. if some of those users come back to you (after your survey / outreach) saying they do not have any corporate data in those consumer accounts, then you can go straight ahead and create their accounts via Google Cloud Directory Sync (GCDS) as their managed or work account, which means their personal account will be renamed.
However, if some of the consumer account owners come back to you saying, yes, we do have some data inside those consumer accounts that belongs to the company and we are ready to transfer that data to you,
then, in that case, you should make sure to exclude those users from Google Cloud Directory Sync.
Now, this video is not about GCDS specifically, but just to give you a summarized version: in Google Cloud Directory Sync you can exclude users, because it reads information from your LDAP directory based on your LDAP query.
So when you're writing your LDAP query, you can exclude membership of a specific group in which you will put your consumer accounts, so that whoever is a member of that consumer accounts group in LDAP is excluded from provisioning into the Google Cloud directory.
And then you will go to the Google Admin console and take a different path for these specific users, which is to send them a transfer request.
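As an added example (not from the video and not Google's own tooling), here is one way to turn the surveyed CSV into the member list for the exclusion group and an LDAP user filter that skips that group. The CSV column names, the group DN, the base filter, the availability of a `memberOf` attribute (as in Active Directory), and the choice to exclude users who did not answer the survey are all assumptions.

```python
import csv
import io

# Constructed sample: consumer-account CSV with the outreach answer added.
# Column names are assumptions, not a Google export format.
SAMPLE_CSV = """\
email,has_corporate_data
alice@example.com,yes
bob@example.com,no
carol@example.com,
"""


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def split_accounts(csv_text):
    """Return (exclude, provision) lists of email addresses.

    Only an explicit "no" lets GCDS provision the user. A "yes" or a missing
    answer goes to the exclusion group (assumption: fail safe, so no managed
    account is created over a consumer account that may hold company data).
    """
    exclude, provision = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        answer = (row.get("has_corporate_data") or "").strip().lower()
        (provision if answer == "no" else exclude).append(email)
    return exclude, provision


def gcds_user_filter(base_filter, exclusion_group_dn):
    """Build a user search filter that skips members of the exclusion group."""
    group = escape_filter_value(exclusion_group_dn)
    return "(&%s(!(memberOf=%s)))" % (base_filter, group)


if __name__ == "__main__":
    to_exclude, to_provision = split_accounts(SAMPLE_CSV)
    print("Add to exclusion group:", to_exclude)
    print("Safe to provision via GCDS:", to_provision)
    # Hypothetical group DN; the parentheses in the name must be escaped.
    dn = "CN=Consumer Accounts (pending transfer),OU=Groups,DC=example,DC=com"
    print(gcds_user_filter("(objectClass=person)", dn))
```

In Active Directory an equality match on `memberOf` covers direct membership only, so add the users to the exclusion group directly rather than through a nested group.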
I hope this is helpful, especially when you're using Google Cloud Directory Sync and have conflicting or consumer accounts to handle.
If you have any questions, comments or feedback, do not hesitate to put them under this video and I will be happy to help.
Thank you so much.