arrow_back

Google Workspace Admin: Managing Applications

Join Sign in

Google Workspace Admin: Managing Applications

1 hour 15 minutes 1 Credit

GSP417

Google Cloud self-paced labs logo

Overview

In this lab, you learn how to create an organizational unit structure and configure applications based on organizational units (OUs).

What you'll learn

In this lab, you use Google Workspace to do the following:

  • Create three OUs and add users to those OUs

  • Configure application access based on OUs

  • Configure application settings based on OUs

Prerequisites

  • Familiarity with basic Google Workspace terminology

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

Start your lab

When you are ready, click Start Lab in the upper left.

Sign in to the Google Workspace Admin Console

To access the Google Workspace Admin Console, you must find your credentials and then sign in.

Find your lab's User Email and Password

To access the resources and console for this lab, locate the User Email and Password in the Lab Details panel. This panel is on the left or at the top, depending on the width of the browser window. Use these credentials to log in to the Google Workspace Admin Console.

If your lab requires other resource identifiers or connection-related information, they will appear on this panel as well.

Sign in to the Admin Console

  1. Click Open Google Workspace Admin Console.

Tip: Open the tabs in separate windows, side-by-side.

Note: If you see the Verify your account dialog:
  • Click Next.
  • Click the prefilled user.
  • Click Use another account.
  1. Enter the User Email and Password.

  2. Accept all terms and conditions as prompted.

The Admin Console opens.

  1. Click VERIFY DOMAIN in either the yellow box at the top or the red box in the Domains card.

  2. Click Next.

  3. In the Welcome, let's set up Google Workspace dialog, in section 1, click VERIFY. Google verifies your training domain.

Ignore step 2, Create new users and step 3, Activate Gmail sections.

  1. Click Google Admin in the top left to open the Google Workspace Admin Console home page.

Task 1. Create an organizational unit (OU) structure

Initially in your Google Admin console, all users and devices are placed in a single organizational unit (OU), called the top-level OU. All settings you make in the Admin console apply to this top-level OU and, therefore, to all users and devices in your account. Any child OUs created under the top-level OU inherit those settings.

To apply different settings to some users or devices, place them in a child OU, below the top level. You then customize the inherited settings of the child OU, and therefore the members of the child OU.

In this section, you create three OUs, and then apply different organizational policies to them.

Create child OUs for Marketing, Compliance, and Contractors

Start by creating your OUs.

  1. From the Admin console, click the Organizational units card. You may have to click Show more at the bottom, or scroll down to see the card.

  2. Click the Create new organizational unit button (the yellow + button) to create a new OU.

  3. For Name of organizational unit, enter Marketing.

  4. Optional: For Description, enter The Marketing team.

  5. Click CREATE.

  6. Repeat steps 2-5 and create the Compliance and Contractors OUs.

Create users in each of the OUs

Next, create three new users and place each of them into their own OU. Start by adding a user to the Marketing OU.

  1. Click the Navigation menu Navigation menu icon > Directory > Users.
  2. Click Add new user.
  3. For First name, enter Jamie.
  4. For Last name, enter Marketeer.
  5. Click Manage user's password, organizational unit, and profile photo
  6. For Organizational unit, click the pencil icon.
  7. Under Google Workspace Labs, click Marketing.
  8. Click Done.
  9. Click ADD NEW USER. Note the username and password. These will be used later in the lab.
  10. Click DONE.
  11. Repeat steps 2-10 to create two more users and assign them to an OU as described below.
    • User: Leslie Compliance, OU: Compliance.
    • User: Jesse Contractor, OU: Contractors.

Click Check my progress to verify the objective. Create OU structure and new users

Task 2. Configure application settings based on OUs

In this section, you configure access settings for Gmail and Google Vault, and Data Loss Prevention (DLP) settings for Google Drive.

Disable Gmail for Contractors

Customize Gmail access such that users in the Contractors OU do not have access to the Gmail service.

  1. Click Main menu Navigation menu icon > Apps > Google Workspace > Gmail.
Note: If a prompt to verify your domain appears, under Services, click the checkbox next to Gmail to select it. Leave this tab open for the rest of the lab. Open a new Admin console tab and repeat steps 1 and 2. The Service Status for all apps should now indicate ‘ON for everyone’.
  1. Click the Service status card.

  2. In the left panel, under Google Workspace Labs, click Contractors.

  3. For Service status, select OFF and click OVERRIDE to override the inherited settings and disable Gmail for all users in the Contractors OU.

Testing Gmail access configuration

Now test to make sure that the Gmail access configuration is working properly.

Testing Gmail access for users in the Contractors OU

  1. Open Gmail.
  2. Click the Google avatar at the top right of the screen. (Notice that you are currently logged in as Workspace User.)
  3. Click Add another account.
  4. For Email or phone, enter the email of Jesse Contractor that you recorded in an earlier section. It should be similar to jesse@goog-test.reseller.gappslabs.co….
  5. Click Next.
  6. For Enter your password, enter the password of Jesse Contractor that you previously noted and click Next.
  7. Accept terms as prompted.
  8. Create a secure password and click Change password.

A page opens with a message explaining that Jesse Contractor does not have access to Gmail.

Testing Gmail access for users in the Marketing OU

  1. Switch to the Gmail browser tab which is logged in as Workspace User.
  2. Click the Google avatar at the top right of the screen.
  3. Click Add another account.
  4. This time, log in as Jamie Marketeer with the email and password for that user that you previously recorded.

Gmail successfully opens for Jamie Marketeer.

Testing Gmail access for users in the Compliance OU

  1. Switch to the Gmail tab which is logged in as Workspace User.
  2. Click the Google avatar at the top right of the screen.
  3. Click Add another account.
  4. This time, log in as Leslie Compliance with the email and password of that user.

Gmail successfully opens for Leslie Compliance.

Click Check my progress to verify the objective. Disable Gmail for contractors

Restrict access to Vault

Configure access to Google Vault such that only users in the Compliance OU can access Google Vault.

  1. Switch to the Admin console browser tab.

  2. Click Main menu Navigation menu icon > Apps > Google Workspace > Google Vault.

  3. Click the Service status card.

  4. Click OFF for everyone to disable Google Vault for all users.

  5. Click SAVE.

  6. In the left panel, under Google Workspace Labs, click Compliance.

  7. For Service status, click ON and then OVERRIDE to override the inherited settings.

  8. Click TURN ON when prompted.

Testing Vault access configuration

Now test to make sure that the Google Vault access configuration is working properly.

Testing Vault access for users in the Compliance OU

  1. Switch to the Gmail tab that is logged in as Leslie Compliance.
  2. Click on the Applications icon.
  3. Scroll down and click Vault.

Google Vault should load successfully for user Leslie Compliance.

Note: If Google Vault defaults to Google Workspace User instead of Leslie Compliance, click on Sign in with a different account located in the middle of the screen and sign in with Leslie Compliance.

Testing Vault access for users in the in the Marketing OU

  1. Switch to the Gmail tab that is logged in as Jamie Marketeer.
  2. Click on the Applications icon.
  3. Scroll down and click Vault.

A page opens with the message that Jamie Marketeer does not have access to Google Vault.

Testing Vault access for users in the Contractors OU

  1. Switch to the Gmail tab that is logged in as Jesse Contractor.
  2. Click on the Applications icon.
  3. Scroll down and click Vault.

A page opens with the message that Jesse Contractor does not have access to Google Vault.

Click Check my progress to verify the objective. Restrict access to Vault

Configuring Data Loss Prevention (DLP) for Google Drive

Set up a rule to prevent file sharing with an external domain in Google Drive.

  1. Switch to the Admin console browser tab.
  2. Click on the Navigation menu Navigation menu icon > Home to return to the Admin console home page.
  3. Click the Rules card.
  4. Click Create rule > Data Protection.
  5. For Name, enter "Google Drive - Prevent sharing with external domain".
  6. Under Scope, click Apply to organizational units and/or groups.
  7. Click Include organizational units.
  8. Select Compliance and Marketing.
  9. Click DONE.
  10. Click CONTINUE.
  11. Under Apps > Google Drive, select File created, modified, uploaded or shared.
  12. Click CONTINUE. (Because no condition has been added this rule will apply to all files in Google Drive.)
  13. For Actions, select Block external sharing.
  14. Click CONTINUE.
  15. Review the rule details and click CREATE.
  16. Leave Active selected and click SAVE.

The new rule, Google Drive - Prevent sharing with external domain, is now listed in the Rules list.

Testing Google Drive DLP configuration

Now test to make sure that the DLP configuration on Google Drive is working properly.

Testing Google Drive DLP access for users in the Compliance OU

  1. Switch to the Gmail tab that is logged in as Leslie Compliance.
  2. Click on the Applications icon.
  3. Click Docs.
  4. Under Start a new document, click Blank.
  5. In the top right hand corner of the page, click Share.
  6. For Add people and groups, enter an email address on an external domain, e.g. @gmail.com. Press the return key on the keyboard.
  7. Click Done.

Leslie Compliance is notified that the file cannot be shared outside Google Workspace Labs.

Testing Google Drive DLP access for users in the Contractors OU

  1. Switch to the Gmail tab that is logged in as Jesse Contractor.
  2. Click on the Applications icon.
  3. Click Docs.
  4. Under Start a new document, click Blank.
  5. In the top right hand corner of the page, click Share.
  6. If prompted, Name before sharing, click Save.
  7. For Add people and groups, enter an email address on an external domain, e.g. @gmail.com. Press the return key on the keyboard.
  8. Click Done.
  9. Click Send.

A message appears warning that you are about to share a file externally. Click Share anyway to share the file with a user on an external domain.

Task 3. Test your knowledge

Congratulations!

In this lab you’ve created child organizational units (OUs), added users to them, and then customized OU-specific application settings. We’ve touched on three different applications in this lab, specifically Gmail, Google Vault, and Google Drive. With this hands-on experience you should feel comfortable configuring other application settings for OUs on the Google Workspace Admin console.

Finish your quest

This self-paced lab is part of the Google Workspace for IT Admin quest. A Quest is a series of related labs that form a learning path. Completing this quest earns you a badge to recognize your achievement. You can make your badge public and link to them in your online resume or social media account. Enroll in this quest and get immediate completion credit if you've taken this lab. See other available quests.

Take your next lab

Continue your Quest with Google Workspace Admin: Managing Google Meet

Next steps / Learn more

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated June 3, 2022

Lab Last Tested May 17, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.