Set up user sync

This page is for Directory Sync. If you’re using Google Cloud Directory Sync (GCDS), go to GCDS. Directory Sync is currently in public beta.

Now you’re ready to set up the users you are going to synchronize. In Directory Sync, you enter group names from Active Directory to sync users. The individual users in the group (not the group itself) are synced to your Google cloud directory.

Before you begin

Make sure you added and tested your LDAP directory connection to your Google cloud directory. For details, go to Add, edit, or remove an LDAP directory.

Set up the users to synchronize

To complete these steps, you must be a super administrator or have the Manage Directory Sync Settings privilege.


Step 1: Select the users
  1. In your Google Admin console (at admin.google.com), click Directory > Directory sync.
  2. Click the name of your LDAP directory.
  3. Click Set up user sync.
  4. Enter the name of the LDAP group and press Enter.

    Directory Sync syncs the group members to your Google cloud directory.

  5. Enter any additional group names.
  6. For Base DN, enter the base distinguished name (DN) from your LDAP directory and click Continue.

    The groups specified in steps 4 and 5 should be directly under the base DN.

    Example: ou=Sales, dc=example, dc=com.

    In this example, Directory Sync searches for groups under the Sales organizational unit in your LDAP directory.

Step 2: Map the user attributes
  1. For Required attributes, confirm or enter the LDAP directory attributes that map to the following user attributes in the Google cloud directory:
    • First name
    • Last name
    • Primary email address
  2. For Recommended attributes, enter attributes that map to the following user attributes in the Google cloud directory:
    • Recovery email address—If you choose to send an activation email to a recovery email address in step 3, this field is mandatory. 
    • Recovery phone number (Optional)
  3. For Account activation, choose an option:
    • Send activation email—Sends an activation email to the user after the new user accounts are created. See About activation emails (below on this page).

      If you select this option, you can choose to send the email to the user’s primary or recovery email address. (If you select the recovery email address, you need to complete the Recovery email address field in step 2.)

    • Do not send an activation email—No email is sent to users.

      Use this option if you want to communicate directly with your users about new accounts or you use a third-party Identity provider (IdP) for authentication (and there is no need for users to set a Google password).

  4. Click Continue.

About activation emails

If you select Send an activation email, your users are sent an email message following a sync. When your users are ready to sign in to their managed Google Account for the first time, they need to complete the following steps:

  1. In their original email account, open the welcome email message and click Sign in > Next.
  2. Click Send to get a verification code.
  3. Return to their original account, open the verification code email, and copy the code.
  4. In their new Google account, enter the verification code, and click Next.
  5. Accept the terms of service.
  6. Create a strong password and click Change password.

Step 3: Suspend users (Optional)

If a Google user is not found by the user scope or is disabled in your LDAP directory, you can choose to suspend them. 

Check the Suspend user in Google box and click Continue. If you don’t want to suspend users, uncheck the box and click Continue.

Note: Directory Sync syncs the user's state. If you suspend a user's account but the LDAP account is active, the account is activated following a sync.

Step 4: Set safeguards

Set the conditions under which a sync is automatically canceled. If the sync exceeds the safeguard limits, the sync is automatically canceled and no users are suspended. No further syncs will run until you manually enable the sync. For more information about safeguards, go to How safeguards are determined (below on this page).

To set a safeguard:

  1. For Safeguards, select Set a percentage of users or Set a total number of users and enter a percentage or number.
  2. Click Simulate Sync.
  3. If a safeguard is triggered, you get a notification with details about the failed sync. You can also view additional details in the audit log. For more information, go to Use the alert center and Check audit logs.

How safeguards are determined

Directory Sync calculates how many user accounts exist in your LDAP directory and compares that with how many accounts might be suspended following a sync. If the number of accounts that might be suspended is larger than the specified percentage or number, the sync is automatically canceled and no action is taken.

Examples

You have 100 LDAP users. During a sync, Directory Sync proposes to suspend 12 user accounts and add 3 new accounts.

Example 1: You have set a numerical limit of 14 as a safeguard. Because the number of accounts it proposes to suspend (12) is lower than the safeguard (14), Directory Sync continues with the proposed changes.

Example 2: You have set a percentage limit of 10% as a safeguard. Directory Sync compares the proposed 12 candidates for suspension against the percentage limit. Because the percentage of candidates for suspension (12%) exceeds the 10% limit, Directory Sync stops the sync without applying any changes.
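
The following is an added example, not Google's code: a pre-flight estimate you could run against your own exports before clicking Simulate Sync. It applies the Step 3 suspension rule (a Google user not found in the user scope, or disabled in LDAP) and the safeguard comparison described above. The names LdapUser, plan_sync, safeguard_trips and sample_directory are hypothetical, matching users by primary email address is an assumption, and the sample data is constructed to reproduce the 100-user, 12-suspension, 3-addition scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapUser:
    email: str
    disabled: bool = False


def plan_sync(ldap_users, google_emails):
    """Return (to_suspend, to_add) as sorted lists of primary email addresses."""
    ldap_by_email = {u.email.lower(): u for u in ldap_users}
    google = {e.lower() for e in google_emails}
    # Step 3 rule: not found by the user scope, or disabled in the LDAP directory.
    to_suspend = sorted(
        e for e in google
        if e not in ldap_by_email or ldap_by_email[e].disabled
    )
    # Active LDAP users with no Google account yet would be created.
    to_add = sorted(
        e for e, u in ldap_by_email.items()
        if e not in google and not u.disabled
    )
    return to_suspend, to_add


def safeguard_trips(ldap_total, suspend_count, *, max_users=None, max_percent=None):
    """True if the proposed suspensions are larger than the safeguard limit."""
    if (max_users is None) == (max_percent is None):
        raise ValueError("set exactly one of max_users or max_percent")
    if max_users is not None:
        return suspend_count > max_users
    if ldap_total == 0:
        return suspend_count > 0  # empty directory: any suspension exceeds the limit
    # Cross-multiply instead of dividing to avoid rounding at the boundary.
    return suspend_count * 100 > max_percent * ldap_total


def sample_directory():
    """Constructed data: 100 LDAP users (8 disabled), 97 synced, 4 out of scope."""
    ldap = [LdapUser(f"u{i:03d}@example.com", disabled=i < 8) for i in range(100)]
    google = [f"u{i:03d}@example.com" for i in range(97)]
    google += [f"x{i}@example.com" for i in range(4)]
    return ldap, google


if __name__ == "__main__":
    ldap, google = sample_directory()
    suspend, add = plan_sync(ldap, google)
    print(len(suspend), "to suspend,", len(add), "to add")
    print("limit 14 users cancels sync:", safeguard_trips(len(ldap), len(suspend), max_users=14))
    print("limit 10% cancels sync:", safeguard_trips(len(ldap), len(suspend), max_percent=10))
```

Listing the suspension candidates by name before a real sync also shows whether a wrong Base DN or group name, rather than genuine leavers, is what pushes the count over the limit.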

What happens next?

Directory Sync simulates a sync. Depending on the size of your data, the process can take up to an hour to complete.

View the status of a simulation

You can return to the directory details page to see the status of the simulation. You can also check whether the simulation is complete in the Directory Sync log events:

  1. Open the Directory Sync log events.

    For details, go to Access Directory Sync log event data.

  2. Click Add a filter > Event.
  3. Select Sync Completed and click Apply.

    A Yes in the Simulation column indicates the simulation is complete. You might need to add the Simulation column to see the results.

Check the results of a simulated sync

When the simulation is complete, on the directory details page, click View Simulation log.

Next step

Set up group sync


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
