Vous êtes sur la page 1sur 81

USERS In this section

Add Users

Manage Users

Admin Privileges

Groups

Contacts

Organizations

Exercise 1: Add Users Individually


Before people in your organization can begin using your Google services, you need to create
user accounts for each person. An account provides users with a name and password for
signing in to their Google services, as well as an email address (if you're using Gmail). Each
user you add will require a user licence.
The deployment of a Google Apps domain will often be done in phases. In each deployment
phase, you add different types of users based on their particular focus and unique needs. The
first phase of your deployment is where you'll add your technical IT users, so that they can
begin using Google Apps and align the settings with your organization's IT policies.
In this exercise, you'll manually add an individual userAlex Bell, your IT Manager.
To manually add a user:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Go to the Users section, then click

and select Add User.

Because this is a new domain, there's only one Organization (Org)the parent orgnamed the
same as your domain. We'll add more orgs later, but for now, we can add Alex.

Learn more about how to Add users individually.


In the Create a new user dialog box, create your company's IT Manager user account, entering
the following information:

First name: Alex

Last name: Bell

Primary email address: alex.bell@yourdomain.com

Note: If your account has multiple domains associated with it, use the domain (next to @) dropdown list to view the available domains. The domain you select will be the portion of the user's
email address that appears after the @ symbol.

Each user account requires a password. You can assign a temporary, randomly
generated password or manually set a temporary password. Either way, the new user
will change this when signing in for the first time.

For this exercise, you should simply allow a temporary password to be assigned.
You can also add more profile information for Alex, such as his contact and employee details.
This information is visible in the Admin console and Gmail contacts.
a. Click Additional Info and enter the following user information:
o

Secondary Email Address: (Leave this blank if you don't have one)

Phone: 01 23 45 678

Address: 110 Main St, Cloud City

b. Click Next to enter Employee Details:


o

Employee ID:

Employee Type:

Title: IT Manager

Department: IT

Cost Center:

Click Create to generate Alex's account.


Congratulations! You've added your first user in your new domain!
Notice the Show Password link that allows you to see the temporary password generated.
(Optional) Click Email instructions or Print instructions to deliver the account information to
the new user. Use an email address that's currently accessible to the user, not to their new
Gmail address.
Click Done.
Now that you have a user, you can investigate some of the user-specific settings.
Locate Alex's name in the Users list, hover over and click his name, and click Account.
In the Password section, ensure that the Require user to change password at next signin box is checked.
Click the Show password link to see the autogenerated (temporary) password. Remember this
passwordyou'll need it for the next step.
As an administrator, you don't have access to your users accounts, but for this exercise, to get
a feel for the sign-in process, you will sign in as Alex in his new account using one of these
methods:

Sign out of your own Admin account and sign back in as Alex.

Open a new Incognito Chrome browser window , go to mail.google.com and sign in


with the full email address, alex.bell@yourdomain.com, and the temporary
password. You can remain signed in as your Admin account, and also sign in as Alex.

Because this is this user's first time signing in to Google Apps, you'll be prompted to accept the
Terms of Service. Click I Accept. Continue to my account.
Follow the prompts to change the password. For the purpose of this exercise, change the
password to some generic value, such as G00gleapps. Remember this new password.
Continue to explore Alex's account:

Can you access Alex's Gmail inbox? Yes, this should work.

Can you access the Admin console with Alex's user account? Go to
admin.google.com. No you can't, because Alex doesn't have administrator access
rights; you'll be redirected to a user-specific page instead of the Admin console.

Now you have some experience of how to create a new user manually, but also what a new
user's initial sign-in flow is like.
Sign out of Alex's account or close the incognito browser window, and return to your
administrator account browser window.
(Optional) You can now add new users with a mobile device. With the Google Admin appthe
companion app to the Admin consolesuper administrators can perform essential Admin tasks
on the go from Android or iOS devices.
On your mobile device, download the Google Admin app and check out the features:

Android (Google Play)

iOS (iTunes)

Exercise 2: Add Several Users at Once


You've learned how to add users manually; however, when adding many users at once, this
method is quite time consuming. Let's see how to bulk upload many users at once.
Note: This task requires being signed in as a super administrator. For more information,
see Add several users at once .
Scenario: You receive this mail from the IT Manager, Alex:
Hey Aurelia,
Thanks for creating my Google Apps account. Now our next task is to
get the rest of our users accounts created. Below is the list of
people.

First
Name

Last
Name

Email Address

Password

Employee
Title

Ellie

Gray

ellie.gray@yourdomain.com

hellohello
1

Executive
Assistant

Jon

Baird

jon.baird@yourdomain.com

hellohello
1

HR
Contractor

Lars

Ericsso
n

lars.ericsson@yourdomain.com

hellohello
1

HR
Manager

Samanth
a

Morse

samantha.morse@yourdomain.co
m

hellohello
1

CEO

Tim

Lee

tim.lee@yourdomain.com

hellohello
1

Finance
Manager

Tom

Edison

tom.edison@yourdomain.com

hellohello
1

Support
Engineer

Will

Marconi

will.marconi@yourdomain.com

hellohello
1

Support
Engineer

Can you fix the email addresses to match our new domain and create
these user accounts?
Thanks,
Alex Bell, IT Manager

In this exercise, you'll add several users via a comma-separated value (CSV) file.
To add several users at once:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Go to the Users section, click

, and select Add multiple users.

In the Add multiple users dialog box, click the Download as .csv button to download a copy
of a sample spreadsheet to your local machine with the proper headers formatted. Leave this
dialog box open to (later) upload the file after editing.
Open the CSV file in a spreadsheet application, such as Google Sheets or Microsoft Excel. To
open in Google Sheets, upload the file to your Drive and select Open with Google Sheets.
Edit the file to add the user data. Copy the user information into the CSV file from the table Alex
provided.
The file contains a column for each attribute that appears on the user profile in the Admin
console and in Gmail contacts.
Note: You must enter values in the Email Address, First Name, Last Name,
and Password columns; that information is mandatory for each user. Don't forget to update
the domain in the email addresses. The other columns aren't mandatory, so you can enter
values or leave them blank. However, Alex has also provided a column for Employee Title that
requires information to complete.
Once the editing is complete, save a copy of the CSV file (in a CSV file format) back to your
local machine.
To do this in Google Sheets while you still have the file open in Sheets, click File > Download
As > Comma Separated Values (.csv, current sheet).
Return to the Add multiple users dialog box, click Attach File, and browse to the edited
spreadsheet you just saved locally.
By default, the Require user to change password at next sign-in checkbox is enabled. This
requires the user to change the generic password you entered in the spreadsheet.
Click Upload to initiate the creation of the user accounts.

If your file has formatting errors, a warning prompts that you may need to re-edit the
file. Review the list of common errors .

If successful, a status bar prompts how many users will be uploaded and a full report
will be sent when complete.

Go to the Gmail inbox of your Admin account (firstname.lastname@yourdomain.com) and


search for the email report of the bulk upload.

In the Google Apps Admin console, review the list of users and explore the user settings. (This
can take a couple of minutes to appear.)
Congratulations! You uploaded multiple users at once! If you're uploading more than 500 user
accounts, you can optimize the experience by splitting your uploads into smaller batches.
Note: It can take up to 24 hours for new user accounts to appear in the searchable domain
directory.

In this section

Exercise 3: Add an Email Alias for a User

Exercise 4: Reset a User's Password

Exercise 5: Rename a User

Exercise 6: Suspend a User

Exercise 7: Delete a User

Exercise 8: Restore a Recently Deleted User

Quiz

Exercise 3: Add an Email Alias for a User


Scenario: Now that you've added a larger batch of users, some of your users have signed in to
Google Apps to begin using the tools.
You receive this mail from the CEO:
Hello Aurelia,
Thanks for creating my Google Apps account. However I have to ask for
a minor change. My email is samantha.morse@[yourdomain.com] but
really most people know me as just Sam. Is there any way I can have
this as my email also?

Regards,
Sam Morse
CEO [yourdomain.com]

To set an email alias (formerly known as a nickname) for Sam:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
Locate Samantha Morse's name in the user list, click her name, and click Account.
In the Aliases section, click Add an alias.
Notes:

If you have secondary domains associated with your Google Apps account , the field to
the right of the @sign is a drop-down list with the available domains. The domain you
select will be the portion of the user's email address that appears after the @ sign.

If you have a domain alias for your primary domain, every email address in the
primary domain automatically has an email alias address in the alias domain.

We'll discuss domains in more detail later in this course.


In the Add an alias text field, enter sam and click Save changes.
As part of your workflow, notify Sam about her new email alias and remind her about its
limitations:
Dear Sam,
I created a new email alias for you. In addition to your primary email
address, samantha.morse@[yourdomain.com], now you can also receive mail at
the email alias sam@[yourdomain.com].
However, please be aware that you'll still need to use your primary email
address: samantha.morse@[yourdomain.com] to:

Sign in to Google Apps

Send and receive calendar invitations

Sync with your mobile device

Share Google Drive files and Sites

Note that it may take up to 24 hours for the email alias to become
available.
Regards,
Aurelia

For more information, see Add or remove an email address for a user .

Exercise 4: Reset a User's Password


Now that users are signing in and using the tools, you're likely to come across a scenario where
a user needs a password reset:

A user forgets their password

A user's account is compromised (security concerns)

Scenario: Tim Lee (from Finance) has just come back from holidays, he calls to ask you to
reset his password, because he's forgotten it and is now locked out of his account.
Note: It's important to know that users can update their own Google Apps password, if they
know their current password and are able to successfully sign in. For guidance, see Change
your Google Account password . If the current password is unknown, an administrator
must Reset a user's password .
To reset the password:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
Access the reset password function by one of two ways:

In the user list, click Tim Lee. When his page has loaded, click the Reset
password icon.

In the user list, hover over Tim Lee and view the available options that display.
Click Reset password.

In the Rest password for tim.lee dialog box:


1. Fill in a temporary password or click Auto-generate password to let Google create
one for you.
2. Check the Require a change of password in the next sign in box.
3. Click Reset Password > OK.
Provide the user with new sign-in information. If you have auto-generated the password, there'll
be a show password option.
The next time the user signs in, they'll be prompted to supply the current password and enter a
new password.
When they enter the password, the Password strength field evaluates the security level of the
password. They can click the link if they want tips for creating strong passwords. Google
requires a password that's at least eight characters.
As the administrator, inform Tim Lee that his password is now reset and he can now sign in to
change it. You can also give him some tips on creating a secure password in line with your
company's security policy.

Exercise 5: Rename a User


A Google Apps user has two names: a display name consisting of a first name and last name,
and a username that appears before the @ symbol in their primary email address. It is this
username with that they sign in to Google Apps.
The effect of changing a user's display name depends on whether the user has a Google+
profile. If the user has a Google+ profile, Google services, such as Gmail, displays a user's
profile name, rather than the display name defined in the Admin console. If the user doesn't
have a Google+ profile, Google services display their Admin console display name.
Scenario: You receive this mail from the Tim Lee:

Hello Aurelia,
Thanks for resetting my password. I have another issue with my account,
maybe you can help. I don't ever use the name Tim, in business I go by my
full name Timothy but all my friends and co-workers call me Timmy. Can you
fix my account so I log in and mail with my preferred names?
Thanks,
Timothy Lee
Finance

You decide that the best way to implement this is rename the user to Timothy to allow him to
sign in and use his mail with this new username. To use another name (Timmy), you can also
simply add a new alias to the account.
Renaming a user changes their primary email address. When an account is renamed, this
change is reflected across Google Apps. Because Google Apps uses the primary email address
as the unique identifier for a user's account, changing the username can have significant side
effects. See the Impact of changing a username for a complete description of what you should
expect:

Only administrators can rename users.

The user's previous primary address (tim.lee@cloudsola.com) now becomes an alias


to ensure continued email delivery.

To re-use the old address, you first must delete the email alias.

The old email address still appears in autocomplete results, because it's now an alias
of the changed account.

Emails sent to the old address are delivered to the new one.

The user retains access to all mail received under the previous name.

All documents become owned by the new username.

The user needs to create a new Gmail signature for the new primary email address.

If a user simply needs an alternative email address, consider creating an email alias
for the user instead. When you change a user's primary email address, Google Apps
retains the old address as an email alias for the user, to ensure continuous mail
delivery.

To rename a user:
Ask Tim Lee to sign out of his Google Apps account.
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
Search or browse to find the user. If you created an organizational structure, select the
organization to which the user belongs. In our case, Tim Lee is in the top-level organization.
In the user list, find Tim Lee, click

, and choose Rename user from the drop-down menu.

In the Rename user dialog box, read the warning message and enter the following:

First name: Timothy

Last name: Lee

Primary email address: timothy.lee. This is the username he'll use to sign in to
Google Apps.

Note: The First and Last name settings represent the Display Name (not used if user has
Google+ profile).
Click Rename user.
If successful, you should see a banner stating that the changes have been saved.
It can take up to 10 minutes for a new primary email address to be reflected throughout the
system, 24 hours for domain and personal contact changes to take effect, and up to 3 days
before the user can use chat.
Now that you have renamed the user to allow him to use his full name (Timothy) to sign in and
send mails, let's look at his other request to use the name Timmy to send mail. You should
know the difference between adding an email alias and renaming a user.
Click the Users icon and select Tim Lee.

Click Account, scroll down to the Aliases section, fill in the new alias, and click Save
Changes.
It can take up to 24 hours for the alias to become available. Now you can see the difference
between just adding an alias for a user and renaming a user.
For more information, see Rename a user.

Exercise 5: Suspend a User


Scenario: After working in the Google Apps domain, you receive an email from Lars Ericsson,
the HR Manager:
Hey Aurelia,
I had a contractor working with me last week for a project, his name is
Jon Baird. He has an account to sign in to our system but for the next few
weeks he'll be working somewhere else. Is there a way to prevent him from
signing in without losing all the work he's done already? He'll be back to
work with us soon.
Regards,
Lars Ericsson

As a Google Apps administrator, you can temporarily block a user's access to your
organization's Google services by suspending the user's account. This disables the account
without deleting the user's profile and related information, such as documents, calendar events,
and email. If the user has shared any documents, sites, or secondary calendars, these shared
assets are still accessible to collaborators. A suspended user can't sign in to the account, and
new information, such as emails and calendar invitations, are blocked.
Note: A suspended user still requires a user license; therefore, a fee still applies.
To suspend a user:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.

To suspend Jon Baird, find his name on the user list, click

, and choose Suspend user in

the drop-down menu.


Click Suspend.
On Jon Baird's user account page, an exclamation point

indicates Jon's suspended status.

Return to the main user list. In the Filters list at the side (if you don't see this list, click
the Filters button

), choose Suspended users in the User Type drop-down list.

The list now should contain user Jon Baird and any other currently suspended users.
As an administrator, you don't have access to your users accounts, but for this exercise, to test
that Jon Baird's user suspension has been successful and to get a feel for what a suspended
users experience is, you'll sign in as Jon's suspended account.
There are two ways you can do this:

One way to do this is to sign out of your own Admin account and sign back in as Jon.

Open a new Incognito Chrome browser window , go to mail.google.com, and sign in


with the email address, jon.baird@yourdomain.com. Unless you've changed it, Jon's
password should still behellohello1.

A few weeks later, you receive another email from Lars Ericsson, the HR Manager:
Hey Aurelia,
I have a contractor, Jon Baird, who will be working with us again next
week. He had an account before but is locked out at my request. Can you
please re-enable him?
Regards,
Lars Ericsson

As a Google Apps administrator, you can restore a user you (or another administrator)
suspended.
To restore a suspended user:

In the user list, filter for suspended users. Locate Jon Baird in the suspended users list and
click his name to enter his account page.
To restore Jons suspended account click the red exclamation point

and click Restore

user.
After Jon's user account is restored, his name should no longer be in the Suspended users list
he should now be back in Active users. Restored users can sign in and regain full access to
their Apps accounts.
Notes:

Administrators manually suspending users is just one way that a Google Apps account
can be suspended or disabled. If the user is manually suspended by an administrator,
it's possible for an administrator to restore their account immediately.

A user can also be automatically suspended from Gmail for exceeding any account
limits. In this case, the user can still sign in to their Google Apps account to access
other services, such as Calendar and Drive. But when they try to access Gmail, an
error prompts that Google detected unusual activity on the account. Most users can
regain access automatically within 24 hours, but in some cases, an administrator can
reset the limits for the user and allow them to immediately regain access.

You can't restore an account that was suspended for abuse or for breaching
the Google Terms of Service .

You can't re-enable any user with an abusive account status. Administrators can
contact Google Support for more information. These users won't be able to sign in to
Google Apps.

To see why a user was suspended, click the red exclamation point on their account
page and view the error message. See Restore a suspended user for your
corresponding recovery options.

Exercise 7: Delete a User


After some time working in the Google Apps domain, you get another email from Lars Ericsson,
the HR Manager:
Hey Aurelia,

That contractor I had working with me, Jon Baird, has finished up his
project. Can you please delete his account from the system as he won't be
working here anymore? Will you make sure that any files he still has
belong to me now? Don't want to lose anything important.
Regards,
Lars Ericsson

If a user leaves your organization, you might want to delete their Google Apps account. This
destroys all the user's mail messages, and they'll no longer be able to sign in to Google Apps.
Other data is purged within a matter of days. It's important to understand the different
implications of suspending and deleting users, build a process for users leaving the company,
and create a deletion policy that best suits your business needs.
What happens to a user's documents in Drive when they leave the company? As part of the
deletion process, you can optionally transfer the user data to a new owner.
However, be aware that there are many other considerations that should be handled before
deleting an account; there may be many other types of data that could be lost without following
proper steps. You might also consider other ways to extract data before deleting a user's
account.
To delete a user:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
To delete Jon Baird, find his name on the user list, click

, and choose Delete user in the

drop-down menu.
Lars has asked you to transfer ownership of all of Jons files to him:

Though Select Data to Transfer (Drive) is checked by default, it's optional. You can
uncheck the Drive box and click Delete account without data transfer to delete the
user without transferring the user's files.

Google then deletes the files the user owned within five days. For this exercise, you'll
transfer ownership as Lars requested this.

To transfer ownership of Drive files, leave the Drive checkbox checked, check Also
include data that is not shared with anyone, and click Assign a new owner for
this data.

The transfer includes all files of all types, not just Google Docs, Sheets, Slides, and so
on.
In the next User Deletion dialog box, in the Assign a New Owner field, enter Lars' email
address (lars.ericsson@yourdomain.com) here, and click Transfer data and delete account.
You should see this message: Data transfer has started, we will notify you once
it is complete. Depending on the amount of data, this process might take some time. You

can use the user status drop-down list to find users with data transfer in progress or failed.
When the deletion and transfer are complete, Google will send you an email.
To ensure data safety, the account will be suspended before data transfer. Once the data
transfer is complete, the account will then be deleted. Click Close to exit the window.
Note: Because the user is suspended first, if you restore a deleted user whose files you
transferred, the Admin console restores the user as a suspended user.
Return to the user list and confirm that Jon Baird is no longer listed. Search for the user in the
user search bar. You should see the result: There are no results to display.
Check your Admin Gmail account to see the email sent. It should have this subject line: Jon
Baird deletion successful.

Exercise 8: Restore a Recently Deleted User


Scenario: The next day you get a high priority email from Lars Ericsson, the HR Manager:
Hello Aurelia,
I'm afraid I was a little premature in getting you to delete our HR
contractor Jon Baird. We've decided to extend his contract and hire him as
a full-time employee.
Is there any way you can restore his user account?
Regards,
Lars Ericsson

You can restore a recently deleted user account for up to five days. After this period, the Admin
console permanently deletes the user account and it can't be recovered, even if you
contact Google technical support.
In most cases, restoring a deleted user account also restores the user's associated data,
including email and calendar events; however, Google doesn't guarantee full data recovery for
a deleted user.
Important:

You must have super administrator privileges to restore a recently deleted user.

You can't restore a recently deleted user if the deleted username matches an existing
group name, another active username, or another user's email alias. If it does, you'll
see a username already exists error message.

You can't exceed your maximum number of user licenses. If you try to restore a
deleted user when you don't have an available license, you'll see a domain is over
user limit error message.

To restore a recently deleted user:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
In the Filters list (click the Filters button

if you don't see this list), choose Recently

deleted users in the User Type drop-down list.


If you have multiple organizations in your domain, stay at the top-level organizationdeleted
users lose their organization details and are moved to the top-level organization.
Locate Jon Baird in the list and check the box next to his name.
If a deleted user's name isn't in this list, the account has been fully deleted and can no longer
be restored.
Click Undelete user to restore Jon's user account and choose the organization to place him.
Note: You can restore only one user at a time.

If the account restore is successful, you may see a banner message similar to User account
restore has been initiated, please wait for 2 hours for complete restore of the account.
It may take some time for the user to be visible again in the user list.
If a user was suspended at the time the account was deleted, such as when you transfer
ownership of a user's files, the user will still be suspended after the account is restored.
In the Filters list, choose Suspended users in the User Type drop-down list.
Restore the suspension and put Jon Baird back in the Active users list:
1. In the Suspended users list, find and click Jon's username.
2. On Jon's user account page, click the exclamation point

and select Restore user.

Jon should now be back on the Active users list.


Note: When you restore deleted users after transferring the ownership of their files to other
users, the restored users do not automatically acquire ownership of their old files. Instead, they
can only edit the files they previously owned.

In this section

Exercise 9: Grant Super Admin Role and Privileges

Exercise 10: Custom Admin Privileges

Quiz

Exercise 9: Grant Super Admin Role and Privileges


In this exercise, you'll grant the super administrator role to Alex Bell, the IT Manager. The super
administrator role is an example of a pre-built administrator role that's standard in the Admin
console and where you can create custom roles to suit your needs.
To grant the super administrator role and privileges to a user:
You can assign an administrator role to a user on the Users account information page, or on
the Admin roles page where you define the administrator roles. On the Admin roles page, you

can assign a role to multiple users at the same time. Because we're adding a role to just one
user, we'll use the Users method.
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
Locate Alex Bell and click to enter his account page.
Scroll down and select the Admin roles and privileges option. (You may need to click Show
more at the bottom of the profile.)
The user currently has no Admin roles assigned to him.
Click Manage roles.
In the Manage roles list, select the predefined Super Admin role and click Update roles.
In the Admin roles and privileges section, you should now see the super administrator role for
all organizations.
Now you can investigate the specific privileges you have granted to the user.
Go to to the main Admin console dashboard and click the Admin Roles icon.
If you don't see this icon on your dashboard, click the More controls pull-down option (at the
bottom of the page), and then click the Admin Roles icon.
Click the Super Admin link to view the current users with Super Admin role.
At this point, this should only be your initial administrator account, plus Alex Bell's account. You
can always see this list by going to Admin Roles control.
In the Super Admin list of users, select the Privileges tab and review the assigned privileges.
Because this is a pre-defined role, note how the Super Admin has all possible privileges
selected and how these privileges aren't customizable.

Now that you've granted the super administrator role to Alex, he can sign in to the Admin
console with full administrator privileges.
Notes:

When Alex signs in to the Admin console, he'll see the default dashboard. Any
previous customizations you made as your own administrator account aren't visible.
Your customizations only apply to your administrator account.

Creating more than three super administrators for your domain can affect
some administrator account recovery options . At least one user in a domain must be a
super administrator, and only a super administrator can assign administrator roles to
other users.

Exercise 10: Custom Admin Privileges


Scenario: A little later you receive a request from the Human Resources Manager, Lars
Ericsson.
Hello Aurelia,
I would like to understand more about how our users are interacting with
Google Apps. That way I can create a customized training plan for the
company. Is there any way I can run reports that track apps usage and user
behaviors?
Regards,
Lars Ericsson

You decide that, rather than giving him a pre-built role with extra privileges he doesn't need, it's
best to create a custom role. That way you can delegate the ability to run reports, but not give
Lars any other administrator privileges.
Note: You can assign more than one administrator role to a user. Creating multiple roles with
fewer privileges is, therefore, more versatile than one role with many privileges. If a user
handles multiple tasks, just assign multiple roles.
To create and assign a custom administrator role:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.

Click the Admin Roles icon.


If you don't see this icon on your dashboard, click the More controls pull-down option (at the
bottom of the page), and then click the Admin Roles icon.
Click Create a new role.
In the Create New Role dialog box, enter the Reporting Role name, give a description for the
role, and clickCreate.
In the Privileges tab, you can select the privileges you want users to have with this role.
Assigning a custom role to a user grants them access to the Admin console. The privileges
determine which dashboard controls are in their console, what information the user can access,
and which management tasks they can perform. Learn more about administrator privilege
definitions.
Investigate here exactly what Lars has access to once he's given Reports privileges in this
role.
Because you want this custom role to just assign privileges for reporting only, check
the Reports box, and clickSave changes.
You should now see Reporting Role in the User Created Roles list.
Creating the role is the first step in this process, but for Lars to be assigned the privileges, we
must also assign the administrator role to his user account .
a. In the Users section, go to Lar's user's account page, scroll to the bottom of the page,
and click Show more > Admin roles and privileges.
b. Click Manage roles to assign the new, custom-built, user-created role.
c. Choose the Reporting Role role from the list and click Update roles. The Admin roles
page lists the user's current privileges, and you should now see the new role assigned
to Lars.
d. Click View Privileges to view combined privileges granted by all the user's roles.
Congratulations! You've now built and assigned a custom administrator role to one of your
users, which allows you to better delegate administrator tasks in your domain.

Exercise 11: Create Three Admin-Managed Groups


Scenario: The company wants to create the following mailing lists or groups that can be
managed only by the system administrators as follows:

OurCompany: An internal mailing list of everyone in the company

Management: A private or restricted group of all executives and managers

Sales: A public mailing list for the sales organization, especially web marketing
campaigns

To create the three groups:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Groups icon.
Click the Create group

icon.

In the Create new group dialog box, enter the following information:

Group name: OurCompany

Group email address: OurCompany@yourdomain.com

Group description: (Optional)

Access level: TeamOnly managers can invite new members, but anyone in your
domain can post messages, view the members list, and read the archives.

Click Add all users within this domain to this group.

Click Create.
In the next screen, note the entry for the name All users within your domain.
Go back one level to the settings page for the OurCompany group.
Click Aliases > Add an alias.

Add everyone as an alias to this group.


This allows mail to be sent to OurCompany@yourdomain.com or everyone@yourdomain.com.
Click Save changes.
Repeat the process from Steps 35 with the following information:

Group name: Management

Group email address: Management@yourdomain.com

Group description: (Optional)

Access level: RestrictedOnly members can post messages and view the members
list.

Add new members:

Samantha Morse (CEO)

Alex Bell (IT Manager)

Lars Ericsson (HR Manager)

Go to the Groups page. You should see two groups: Management and OurCompany.
Repeat the process from Steps 35 again, this time with the following information:

Group name: Sales

Group email address: Sales@yourdomain.com

Group description: (Optional)

Access level: TeamAnyone in yourdomain.com can post messages and view the
members list.

Select checkbox: Also allow anyone on the Internet to post messages

Add new members:

Samantha Morse (CEO)

Tim Lee (Finance Manager)

Ellie Gray (Exec Assistant)

Go to the Settings page for the Sales group.


Click Aliases > Add an alias.
Add the Marketing alias to this group.
This allows mail to be sent to Sales@yourdomain.com or Marketing@yourdomain.com.
Test sending mail to each of these groups:

Send mail from your personal email address (not as a user from your training domain)
to each group: OurCompany, Management, Sales

What are the results?

Do any messages bounce with delivery failures? Why?

Send mail as Samantha (CEO) to each group


o

What are the results?

Do any messages bounce with delivery failures? Why?

Send mail from Tom (Support) to each group


o

What are the results?

Do any messages bounce with delivery failures? Why?

Groups for Business


Google Groups provide a convenient way for your users to communicate with groups of people
they frequently contact. As a Google Apps administrator, you can create and manage groups for
your organization using the Groups control in the Admin console. You can also turn the Groups
for Business service on to give users access to additional features.

Exercise 12: Manage Your Contacts

Google Apps users can manage and search their contacts using the Contact Manager . Think of
this as your address book that includes all the users in your company directory as well as your
personal contacts.
In this exercise, you'll use the Contact Manager to search the company directory and add a few
personal contacts.
To manage your contacts:
Sign in to Gmail as Lars Ericsson: Lars.Ericsson@yourdomain.com.
Click the Apps launcher icon on the top right and select Contacts to launch your Contact
Manager.
Click Directory.
You should see a list of the users in your company.
Note: It may take up to 24 hours for any changes made to your domain or personal contacts to
appear.
Click New Contact and add three personal contacts.
These contacts are only visible to you, not everyone in your company.

Name

Email Address

Phone

Samantha Jones

SJones@gmail.com

415-555-1234

Cindy Sitter

CindySitter@gmail.com

650-555-1234

Arnold Accountant

ArnoldA@taxesrus.com

510-555-1234

Click My Contacts.
You should only see the personal contacts you added.
Use the search bar at the top and search for Samantha.
Several Samanthas should appearyour personal contact and the CEO.

Click New Group and enter Home Contacts as the group name.
Add Cindy Sitter and Arnold Accountant to the Home Contacts group.
a. Select My Contacts.
b. Check the boxes for Cindy and Arnold.
c. Click the Groups icon on the top and select Home Contacts.
Click New Contact and add Samantha Jones again.
Click My Contacts.
Two entries display for Samantha. Yes, it allows duplicate contacts, but don't worry, you can fix
that easily.
Click More > Find & merge duplicates.

Exercise 13: Delegate Your Contacts


Contacts delegation allows users to delegate full access to the contacts in their My
Contacts group without granting access to their mail or anything else in their accounts. This is
a common delegation practice between executives and their assistants and may be used in any
situation where a user wants to share all of their contacts with another user.
Before a user can delegate their contacts to another individual, the domain administrator must
enable contact sharing in the Google Apps Admin console. It should be enabled by default.
Scenario: Lars Ericsson decides to delegate his contacts list to the Executive Assistant, Ellie
Gray. This makes it easier for Ellie to send email and schedule appointments with Lars's
contacts.
To enable contact sharing for your company:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon.
Click Contacts.

Select Sharing settings and Hide aliases.


Note: You have several options for what email addresses to display for a user. This mostly
affects the autocomplete feature.
If necessary, click Save changes.
To delegate your contacts to another user:
Sign in to Gmail as Lars Ericsson (Lars.Ericsson@yourdomain.com).
Click the Apps launcher icon on the top right and select Contacts to launch your Contact
Manager.
Click More > Manage delegation settings.
In the Invite people text box, enter Ellie.
Note: This should autocomplete Ellie Gray.
Click Send > Done.
To use the delegated contact list:
Sign in to Gmail as Ellie Gray (Ellie.Gray@yourdomain.com).
Check for the email notification that Lars shared.
Click the Apps launcher icon on the top right and select Contacts to launch your Contact
Manager.
Click Delegate Contacts and select Lars Ericsson.
Review the contact list.
You shouldn't see the group Home Contacts, only the list of individuals from My Contacts.
Click My Contacts.
Using the search bar at the top of the window, search for Samantha.
The second Samantha does appear because she's in the Delegated Contacts list.

Click Delegated Contacts and select Lars Ericsson.


Search for Samantha again; you should see her name.

Click Merge.
Verify the change.

Exercise 14: Create an Organization


Scenario: You receive a new email from the IT Manager, Alex Bell, requesting to restructure
your domain.
Hey Aurelia,
As you know we now have two people working in Support, their names are
Will and Tom (see below for details). I want to set up a helpdesk to offer
technical support to our employees and customers.
Is there any way you can set these guys up with some different settings
than the rest of the employees? For example they will need access to some
different services like chat, that I want blocked for everyone else.
Thanks,
Alex Bell

Employee

Position

Will Marconi

Support

Tom Edison

Support

As a Google Apps administrator, you may want to create an organizational structure within your
Google Apps domain. There are several reasons why you would do this:

To control which applications and services are available to users

To configure the available services differently for different sets of users

To configure different Chrome OS device settings for different sets of devices

Learn more about how user and device policies and organizational structures work.
To create a new organizational unit:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format
Click the Users icon.
In the toolbar, click the Filters icon

to see your organizations (also called orgs or

organizational units).
Hover over the top-level parent org, most likely called yourdomain.com, to add a new sub
organization, and click the arrow that appears to the right.
Click Add suborganization.
In the Create new organization dialog box, fill in the details of the new Support organization
and clickCreate Organization.

The new organization displays as a child of your parent organization.

Return to the parent organization users page, and from the list, select your two Support users:
Will Marconi and Tom Edison.
In the toolbar, click the Move to another organization icon and choose your new Support org.

When the confirmation prompts, click OK.


You should now see your two users moved to your designated Support org.

Users can move from one org to another.

A user can only be in one organizational unit at a time unlike, for example, groups
where a single user can be in multiple groups at once.

If you need more help, see Add an organizational unit .

MANAGE SERVICES
In this section

Exercise 1: Turn Services On or Off for Everyone

Exercise 2: Turn Services On or Off for a Specific Organization

Exercise 3: Set Services Release Track

Quiz

Exercise 1: Turn Services On or Off for Everyone


Your company has a strong focus on the confidentiality of their corporate information. As the
administrator, you've been asked by the IT Manager to remove the ability to access some
Google services to align better with their business policy.
Hey Aurelia,

As you know we are working on a very confidential widget at the moment, to


prevent any information leaks I don't want anyone able to create a blog,
site or YouTube video with their company account.
Thanks,
Alex Bell

Google Apps administrators control user access to various types of Google services, including:

Google Apps for Work, including enterprise versions of Gmail, Calendar, Drive, and
more. These are the Core services that have a Terms of Service agreement and are
fully supported by Google Apps Support. These are located under the Google
Apps icon.

More Google Apps, including Blogger, YouTube, and more. These services are
available to use in Google Apps, but aren't covered by the Terms of Service
agreement, nor supported by Google Apps Support. These are located under
the More Google Apps icon.

Apps available from the Google Apps Marketplace. The Google Apps Marketplace
lets administrators browse for, purchase, and deploy integrated, business-oriented
cloud applications. Warranties and support for third-party Marketplace apps are
provided by the vendors, but not Google Apps Support. These are located under
theMarketplace Apps icon.

Administrators can turn services on or off for the entire company or for a particular organization.
In this exercise, you'll learn how to configure services to fit your company's business needs.
To turn services on or off for everyone:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon. The Google Apps core services are generally On For
Everyone by default.
You've been asked to turn off the Blogger, Sites, and YouTube services. (Only Sites is part of
the core services.) To turn off this service, check the Sites box.
Under the Sites logo, click the drop-down list and select OFF. You're immediately prompted of
the impacts of turning off this service:

Sites will be turned OFF for everyone in your domain.

Any overridden setting will be turned to inherited.

Inheritance, in this case, means that an organization inherits the settings of its parent
organization by default. Because you've created an organization (Support), all users in this unit
will also have the Sites service turned off.
If you're satisfied with the changes that will be applied, click Turn OFF for everyone and you
should see a status bar showing the service is turned off.
Verify that access to Sites has been turned off by trying to launch the Sites service. There are
two ways to launch Sites:

From the Admin console: In the Google Apps section, click the Sites link to enter
the Sites settings page, and then click Launch This App. (This option is available for
most Apps in the Admin console.)

From a new browser tab: Enter sites.google.com/a/yourdomain.com.

Note: It can take up to 24 hours for a service ON/OFF change to take effect.
Now that you have turned off Sites, you must turn off Blogger and YouTube per Alex's request.
These services are not part of the core services and, therefore, won't be under the Google
Apps iconthey'll be under More Google Apps.
On the Admin console's dashboard, click More controls > More Google Apps.
Check the Blogger and YouTube boxes and, in the toolbar, click the Turn OFF Services icon.
When you're prompted, click Turn OFF for everyone.
You've now successfully turned off the three services for your whole organization.
Notes:

Some services depend on other services. For example, Google+ depends on


Calendar, Drive, Talk, and Picasa; you can't turn on Google+ services, unless the
other services are also ON.

It can take up to 24 hours for a service ON/OFF change to take effect.

To control service access for a single user, create an organization containing just that
user.

Gmail data expires in 30 days. If you disable email service for more than 30 days,
users lose all email messages. Re-enabling email after that time results in empty
email accounts.

Exercise 2: Turn Services On or Off for a Specific


Organization
Scenario: You receive another email from the IT Manager, Alex Bell, requesting to re-enable
some services; this time, just for a specific organization.
Hey Aurelia,
Thanks for turning off those services for me. However the guys in Support
have told me they need to create YouTube how to videos. Can you turn
YouTube back on, but just for them?
Thanks,
Alex Bell

Administrators can turn on services for an entire organization or for a specific organization. For
example, to turn off Google+ services only for users who are contractors, create
a Contractors organization containing those users and turn OFF Google+ services for that
organization.
Turn on the YouTube service for the Support organization only:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
On the Admin console's dashboard, click More controls > More Google Apps.
Browse down the list until you find the YouTube service and click the name to view the settings.
The red YouTube icon indicates that the current setting is OFF.

Click the drop-down list and select On for some organizations.


A pop-up window displays the highlighted organization on the left and the respective settings on
the right. Because you turned off YouTube services for everyone in the last exercise, the master
setting should display asOFF.
Because an organization inherits the settings of its parent organization, by default, you should
see the Inheritedsetting. However, we want to let the Support org have a different setting to the
parent org, so we must override this inherited setting.
Click the Support org to confirm the YouTube setting for this org is also set to OFF.
Click the Override link, toggle the service to ON, and click Apply.
When you're prompted of the what changes that will be applied, click Turn on.
Close the window to return to the Settings for YouTube section. The setting in the drop-down
list that was previously OFF highlighted in red should now say ON for some organizations in
green.
Note: To view the settings, click the View the status for each org link.
In the More Google Apps section, you can now see that the YouTube status is now On for
selected orgs.
To test the service behavior:
Now that you've changed the access to the YouTube service for various orgs in your domain,
let's test the behavior of the service when signed in as different users.
Open a new incognito browser window and go to mail.google.com.
Sign in as user Ellie.Gray@yourdomain.com using the the default password (hellohello1) or
the updated password (G00gleapps). (Remember that Ellie Gray is in the top-level parent
organization of your domain.)
Click the Apps icon at the top of the screen to view the available services, and click More at
the bottom to view more services.
YouTube is not available here for this user.

Open a new tab and go to www.youtube.com. Ellie Gray can still view the YouTube website and
watch videos; however, try clicking Sign In.
As YouTube is turned off for her organization, Ellie Gray can't sign in to YouTube using her
domains Google Apps account. You should see a similar error message.
Sign out of the Ellie Gray account and sign in as user Tom.Edison@yourdomain.com.
(Remember that Tom Edison is in the Support organization of your domain.)
Click the Apps icon at the top of the screen to view the available services, and click More at
the bottom to view more services.
YouTube is now available here for this user.
Click the YouTube icon to open the service.
Once the YouTube tab opens, notice that the service opens with Tom Edison logged in using his
Google Apps domain account. Because YouTube is turned on for his Support organization, he
can use the YouTube service with his corporate account.
Now that you have tested the service behavior for different users, you should have a better
understanding of the effect turning on or off services will have on your domain and your users.
Close the incognito window and return to the Admin console.
Note: The method shown in this example is just one method of managing services, regardless
of how you turn on/off a service as an administrator. The result from the user's perspective will
be the same.

Exercise 3: Set Services Release Track


Google Apps is 100 percent web, so you and your users receive new features and updates
automatically, without needing to install or update any software. However, you can still control
when new features become available for users.
Setting which release track your company is on is an important administration task. It defines
when new features and updates are applied in your domain.
To help make that decision, you can choose from two release tracks:

Scheduled Release Track(Recommended and selected for your domain by default)


Choose this track to delay releasing new features to users, giving you extra time to
train your support staff and prepare users for the coming changes. Google releases
features to the Scheduled Release track on Tuesdays only, at least one week after the
feature was released to the Rapid Release track.

Rapid Release TrackChoose this track if you want users to access new features as
soon as Google rolls them out to consumer users. These features have been through
testing and quality assurance, but users will see them at the same time you do, before
you have a chance to evaluate them for your organization.

Scenario: For most Google Apps customers, we recommend the Scheduled Release track.
However your company has decided that they want to access new features as soon as they're
available.
To set the release track to Rapid Release:
Review the Google Apps Release Calendar to see which features are currently on the Rapid
Release track. As the administrator, you should be aware of new changes; Rapid Release are
marked in red.
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Company Profile icon.
Click Profile. You can select domain wide settings using the Profile feature.
In the New User Features section, select the Rapid Release option and click Save Changes.
Your users now have access to these new user features.
Note: It may take up to a day for the change to take effect.
Scroll down to the New Products section, and confirm that the Automatic option is selected.
This setting allows you to opt-in to new products and services automatically for your Google
Apps account.
Periodically, Google launches new products and services (like Google+). You can automatically
enable these new products for your users at time of launch. Each new product or service will

appear on the Services tab (underOrganizations & users) and will default to ON. If you don't
select this option, the service defaults to OFF.
Note: If you have multiple domains associated with your account, the setting applies to all

domains.

SECURITY
Exercise 1: Configure Common Security Settings
This exercise familiarizes you with the Google Apps security features and settings.
To configure common security settings:
Familiarize yourself with these Google Apps Security resources: Security
Whitepaper and Google Apps and Cloud Platform Audit & Certification Summary .
Watch this short video on Google Apps Admin console security settings .
Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the Security icon.
Click Basic settings and enable the following features:
a. Check the Enable SSL box.
b. Check the Allow users to turn on 2-step verification box.
c. If necessary, select Save changes.
Click Password monitoring to check who has signed in to Google Apps and view their
password length and strength.
Note: This information only appears for users who have signed in.
Click API reference to enable programmatic access to your Google Apps domain.
Check the Enable API access box to allow various Google Apps Administrative APIs, including
Google Apps Directory Sync.

Click Advanced settings, which allows you to manage more advanced security and access
settings.
a. Select Set up Single sign-on (SSO).
o

Explore the settings necessary to configure SSO.

When enabled, users are authenticated by the SSO service rather than using
the Google Apps password for web-based services, such as Gmail and
Calendar. Google Apps uses SAML SSO to authenticate users.

b. Select Manage OAuth domain key.


o

OAuth is an authentication method that allows external applications and tools


to access your Google Apps data, such as data migration tools. It uses an
OAuth consumer key and secret to authenticate via the API.

Note: The OAuth consumer secret can be regenerated, which revokes application
access to your Google Apps data until you redistribute the new consumer secret
value.
c. Select Federated Login using OpenID.
o

When enabled, OpenID allows users to sign-in to third-party websites and


services using their Google Apps account, without giving away their
credentials.

Enabled by default, so users are able to authenticate to other websites using


their Google Apps credentials.

Exercise: User Adoption


Scenario: You return to your desk after lunch and there's a note on your desk from the HR
Manager, Lars Ericsson, that says When can we expect the Learning Center to be ready? It's
time you got started building the Apps Learning Center for your company.
To turn on the Google Sites service:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon.

Locate the Sites service and click the name to view the Settings for Sites.
Notice how below the Sites icon the current setting is OFF (highlighted in red).
Click the drop-down menu and select On for everyone.
Click Turn ON for everyone.
To use the customizable Learning Center for your company:
Open a web browser window and go to the customizable Google Apps Learning Center .
Locate the Or customize this site for your domain section and follow the three basic steps to
open and import the learning center template.

Name your new learning center site Apps Learning Center.


Take a few minutes to read the instructions on how to customize the template.
Update the Get Help section with a real email address.
Note: If you prefer, create a group (for example, support@yourdomain.com) and use that for
help.
Click Share at the top.
Select Change, select the option for People at your domain can find and access, and
click Save.
Return to your Apps Learning Center.

(Optional) Test that another user can access the new Apps Learning Center.

Exercise: Add a Domain Alias


Scenario: Your company is preparing to expand their business in the UK and will be purchasing
a domain that they'll use as an alias. This means that each user in the primary domain will
automatically have an alias in the other domain. For example, Lars Ericsson can receive email
as Lars.Ericsson@yourdomain.com or as Lars.Ericsson@yourdomain.co.uk. All of his
messages will go to the same Lars.Ericsson@yourdomain.com inbox.
This exercise will give you practice managing a domain alias before you actually purchase the
new domain. Instead you will use a subdomain named testing.yourdomain.com. Because you
already own yourdomain.com, the testing subdomain is free.
You'll need access to your Domain Name System (DNS) provider, such as GoDaddy or eNom,
because you must configure a DNS TXT record to verify ownership of the subdomain and add
new MX records. If you're new to DNS, read DNS basics.
Note: If you purchased your domain from Google, your DNS provider credentials are available
in your Google Apps Admin console.
To locate your DNS credentials:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Domains icon.
Click Advanced DNS settings.
Your DNS sign-in name password and support information displays.
Click Sign in to DNS console.
To add the domain alias, testing.yourdomain.com:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Domains icon.
Click Add a domain or a domain alias.

Select Add a domain alias of yourdomain.com.


Enter testing.yourdomain.com as the domain alias.
Click Continue and verify domain ownership.
Various options display to verify domain ownership of your domain alias.
Use the Recommended method (Domain name provider) using a TXT record.
If necessary, select your correct DNS provider from the pull-down menu, which displays
instructions for creating the TXT record for your DNS provider.
If you don't see your DNS provider, scroll down to Other for generic instructions.
Sign in to your DNS provider and follow the instructions to create the TXT record for the
subdomain testing.
In the Google Apps Admin console, click Verify.
If verification is successful, click Continue.
From the Admin console dashboard, click the Domains icon.
Locate the domain alias, testing.yourdomain.com, and select Set up Google MX records.
The next page displays instructions on how to create the MX records for your domain alias.
If necessary, select your correct DNS provider from the pull-down menu, which displays
instructions for creating the TXT record for your DNS provider.
If you don't see your DNS provider, scroll down to Other for generic instructions.
Sign in to your DNS provider and follow the instructions to add the 5 MX records for the
subdomain testing.
Note: Because you're using a subdomain, the host is testing, not @.
Click I have completed these steps.
From the Admin console dashboard, click the Domains icon.
Locate the domain alias, testing.yourdomain.com.

To verify that users have an email alias with the domain alias:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
If MX records propagated correctly, the status should display as Domain alias for
testing.yourdomain.com. If it was unsuccessful, it indicates the status and action to take.
In the Google Apps Admin console, click the Users icon.
In the user list, locate Lars Ericsson, hover over his name, and click.
In Lars Ericsson's user account page, click Account.
In the Aliases section, you should see the alias lars.ericsson@testing.yourdomain.com.
Note: You can't remove this alias.
To test sending mail to a user using the domain alias:
Launch the Gmail app.
Compose mail messages to Lars Ericsson at both his normal email address and the domain
alias.
Note: The address for the alias is lars.ericcson@testing.yourdomain.com.
If successful, the message should be delivered to his inbox and not be bounced back.
(Optional) Sign in to the inbox for Lars Ericsson and verify that the message was received.

Exercise 1: Get the Google Apps Release Schedule


A big advantage of working in the cloud is that Google automatically makes all the updates for
you, so you can spend your time doing other things. This also means that new features will
automatically roll out to your users.
To find out the current release schedule for Google Apps services:
Open a web browser window and go to http://whatsnew.googleapps.com.
Click one of this month's Scheduled release features (highlighted in green) on the calendar.

If there arent any this month, check the previous month's featured release.
Note: In the Set Services Release Track exercise, you probably configured your company
profile setting for New User Features to Scheduled Release.
Click Subscribe to updates to view the list of update announcements.
Click Google Apps update alerts > Get Google Apps update alerts delivered by email.
Enter your email address to receive update announcements immediately.

Exercise 2: Use the Apps Status Dashboard


To monitor how the Google Apps services are performing:
Open a web browser window and go to http://www.google.com/appsstatus.
Identify the status of the products covered by the Google Apps Service Level Agreement.
Are any products experiencing a service disruption (noted by an orange dot

)? If yes, click

the orange dot and read the details.


Select Google Apps Help Centers or go to https://support.google.com/a.
Select Fix a problem and take a few minutes to explore some topics, such as Common
questions and How to think like a troubleshooter.

CALENDAR Exercise 4: Create Calendar Resources


Scenario: The company has a total of four Video Conference Rooms; two rooms in each of the
two office locations. Additionally, they have an Executive conference room in their New York
office, which has restricted access to the Executive Assistant.
They've decided to use a naming convention (recommended by Google) that makes it easy to
identify resources: City-Floor-Room Name-Type-Capacity.
In Google Apps, calendar resources refer to conference rooms and equipment that you can
book using the Calendar service.
In this exercise, you'll add the following calendar resources:

NYC-22-Chardonnay-VC-10

NYC-22-Merlot-VC-8

NYC-21-Champagne-EXEC-12

SYD-2-Beethoven-VC-8

SYD-2-Mozart-VC-10

To add the five calendar resources:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon and then click Calendar.
Click Sharing settings.
The default settings are considered the best practices. Most companies share free/busy
information externally and share all calendar information internally. These settings will be
applied to all users' primary calendar and calendar resources.
Go back to Settings for Calendar and click Resources.
Click Create a new resource.
Enter the Resource Name (required), Resource type, and Description for each calendar
resource.
Use this list of company calendar resources:

NYC-22-Chardonnay-VC-10

NYC-22-Merlot-VC-8

NYC-21-Champagne-EXEC-12

SYD-2-Beethoven-VC-8

SYD-2-Mozart-VC-10

Here's an example of the NYC-22-Chardonnay-VC-10 conference room:

Click Save changes. When done, the list of calendar resources displays as follows:

Select the NYC-22-Chardonnay-VC-10 resource and note the email address assigned.

Launch the Calendar service and verify that the calendar resources or rooms are listed and can
be booked. For example, create a calendar event, invite another user, and book a room in
Sydney.
Repeat steps 59 to create a new resource for each of the calendar resources:

NYC-22-Merlot-VC-8

NYC-21-Champagne-EXEC-12

SYD-2-Beethoven-VC-8

SYD-2-Mozart-VC-10

Exercise 5: Restrict Access to Executive Suite Calendar


Resource
Scenario: The Executive conference room in the New York office has restricted access to the
Executive Assistant. In Google Apps, all calendar resources are owned by the administrator

users, which means you manage the settings of calendar resources from the administrator's
Calendar service. Eventually the calendar resources will automatically appear under the
administrator's My calendars. This can take 24 hours, but we'd rather not wait. If necessary,
we'll use another technique to make them display sooner.
To restrict the Executive Assistant's access to the NYC-21-Champagne-EXEC-12 Executive
Suite:
Launch the Calendar service as the administrator with
your firstname.lastname@yourdomain.com.
If the calendar resource for the executive conference room doesn't appear under the
administrator's My calendars:
a. From the Other calendars menu, select Browse Interesting Calendars.
b. Click More > Resources for your domain.
c. Once the abbreviated name of locations display, click NYC(3).
d. Locate the NYC-21-Champagne-EXEC-12 resource and click Subscribe.
Alternatively, you can copy and paste the email address of the NYC-21-ChampagneEXEC-12 calendar resource into the Other calendars box.
e. Go back to the calendar and notice the Executive conference room calendar NYC-21Champagne-EXEC-12 now appears under My calendars.
Once the calendar resource for the executive conference room appears under the
administrator's My calendars, on the calendar resource's menu, select Share this Calendar.
Adjust the sharing settings as follows:
a. Uncheck the Share this calendar with others box.
b. Add the Person as Ellie Gray, the administrative assistant.
c. Set the Permission Settings to Make changes AND manage sharing.
Click Save.
Verify that the Executive conference room is not available to other users, except the
administrative assistance. For more information, see Test scheduling resources.

a. Open another browser and launch the Google Calendar service as another user (not
an administrator, nor Executive Assistant).
b. Create an event and view the list of available rooms.
c. (Optional) Try to subscribe to the NYC-21-Champagne-EXEC-12 conference room.
You should an error message similar to this:
Cannot add calendar "NYC-21-Champagne-EXEC-12"
You do not have access to NYC-21-Champagne-EXEC-12's calendar.

Exercise 6: Add a Secondary or Team Calendar


A powerful feature of Google Calendar service is that users can create secondary or additional
calendars for projects and team events, and share them with other individuals or embed them
in a website.
To create a secondary calendar:
Launch the Calendar service as the HR Manager, Lars Ericsson.
Click the My calendars drop-down list and select Create new calendar.
In the Create New Calendar window:
a. In the Calendar Name field, enter Company Events.
b. Check the Share this share with everyone within the organization box.
c. Click Create Calendar.
The new calendar appears under My calendars.

Click the Company Events calendar drop-down list and select Calendar settings. This
displays the Company Events details.

In the Company Events Details window, locate the Calendar Address or Calendar ID (in the
format of an email addresssimilar to Calendar Resources). Distribute this email address to
other users or embed in a website so other individuals can view the calendar.
Click Cancel.
(Optional) Add several events to the Company Events calendar, such as:

HOLIDAY: New Year's

Monthly Company Meeting: Repeats on 1st Monday of the month

Click Done.
(Optional) Sign in to your Google Apps domain as any other users and launch the Calendar
service.
a. Locate the Other calendars box and enter the calendar address of the Company
Events calendar.
b. Verify that the calendar and events are visible for the Company Events calendar.

Gmail Settings
Exercise 11: Configure Common User Access Settings
Scenario: The company has decided to configure several important Gmail features and user
access settings as follows:

Let users choose their own themes

Don't allow email read receipts to be sent

Let users delegate access to their mailbox to other users

Disable Google Apps Sync and Google Apps Connector

Enable Gmail Offline

For the Support organization:

Don't let users delegate access to their mailbox

Disable Gmail Offline

To configure these user access settings:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon and click Gmail.
Click User settings.
Review the settings for Gmail, specifically the MX records for your domain.
Scroll down to the End User Settings section. Several policies are already configured while
some must be changed.
a. In the Themes section, check the Let users choose their own themes box.
b. In the Email Read Receipts section, select the Do not allow email read receipts to
be sent option.
c. In the Mail Delegation section, check the Let users delegate access to their
mailbox to other users in the domain box.
Scroll down to the End User Access section and configure the following settings:
a. In the Outlook & BlackBerry Support section, uncheck (disable) the Enable Google
Apps Sync and Google Apps Connector for my users box.
b. In the Automatic forwarding section, check the Allow users to automatically
forward incoming email to another address box.
c. In the Offline Gmail section, check the Enable Offline Gmail box for my users.
Click Save changes.
In the left sidebar, click Support.
Note the policies that are inherited to the Support sub-organization:

a. In the Mail Delegation section, uncheck (disable) the Let users delegate access to
their mailbox to other users in the domain box.
b. In the End User Access > Offline Gmail section, uncheck (disable) the Enable
Offline Gmail for my usersbox.
Click Save changes.

Exercise 12: Enable Gmail Labs


While Gmail Labs are experimental, the company has decided to enable Gmail Labs for all their
users. They may decide to only enable certain Labs, but have decided to see how users
respond to the Gmail Labs first.
To enable Gmail Labs:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon and then click Gmail.
Click Labs.
Note: Gmail Labs are enabled by default.
Explore the option to manage individual Labs as Enabled, Disabled, or Allowed. Optionally, you
can also disable Gmail Labs entirely for your users.
Click Discard changes.

Exercise 13: Configure Compliance Policies


Google Apps provides a rich set of email compliance policies you can configure for an
organization or the entire domain. The IT Manager has decided to follow Google's best
practices to configure only a few compliance policies to start and possibly add more later.

The company will continue to use their compliance footer which will be appended to
the end of all email message leaving the company, but not for internal messages.

The company also wants to prevent their users from receiving attachments that are
video, multimedia and music from external users. Google Apps can remove these

attachments, yet deliver the message. For now, these file attachments can be sent
internally between employees. They may revisit this policy later.

To configure compliance policies:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon and click Gmail.
Click Advanced settings.
Scroll down to the Compliance > Append footer section.
Hover over Append footer and click Add another.
The Append footer dialog box displays.
a. Enter a short description that will appear within the setting's summary, such
as Company compliance footer.
b. For all outbound email messages, enter (or copy and paste) the compliance footer as
follows:
This message (and any associated files) may contain confidential
and/or privileged information. If you are not the intended recipient
or authorized to receive this for the intended recipient, you must
not use, copy, disclose or take any action based on this message or
any information herein. If you have received this message in error,
please advise the sender immediately by sending a reply e-mail and
delete this message. Thank you for your cooperation.

c. Modify the text (if necessary) by changing the font size and style.
d. In the Options section, leave the Append footer to messages being sent within
your organization box unchecked.
Click Add setting and on the General settings page, click Save changes.
Scroll down to the Compliance > Attachment compliance section and click Configure.

The Content compliance dialog box displays.


Enter a short description that will appear in the setting's summary, such as Remove video and
music attachments.
In the Email messages to affect section, check the Inbound box.
Under Add expressions that describe the content you want to search for in each
message, click Add and selectVideo and multimedia and Music and sound as the type of
attachments.
Click Add setting.
Under If the above expressions match:
a. Select Modify message (do not reject message).
b. Check the Remove attachments from message box.
In the Options section, uncheck Bypass this setting for messages received from
addresses or domains within these lists.
Click Add setting and on the Advanced settings page, click Save changes.
Verify these policies:
a. Send an email from your training account to your personal email. Does it include the
compliance footer?
b. Reply to this email and attach a video or music file. Does the training account user
receive the message with the attachment?
c. Open a Chrome browser and install the Gmail Offline app .

Exercise 14: Prevent Spammers from Forging Your


Domain
Scenario: Google supports several methods of preventing spammers from forging users in your
domain. Your company has decided to follow Google's best practices to configure:

Sender Policy Framework (SPF) records

DomainKeys Identified Mail (DKIM)

At this point, your company has decided not to configure the newer method Domain-based
Message Authentication, Reporting & Conformance (DMARC) .
You must create DNS TXT records to configure these email security features and allow access
to your DNS registrar, such as GoDaddy or eNom. Learn more about Domain Name Service
(DNS) basics.
Note: If you purchased your domain from Google, the SPF record is already created. Also your
DNS registrar credentials are available in your Google Apps Admin console.
To locate your DNS credentials:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Domains icon.
Click Advanced DNS settings.
Your DNS Sign-in name password displays with support information.
Click Sign into DNS console.

To create or view an SPF record for your company's domain:


You must have access to your DNS registrar to create or view the DNS TXT record for SPF.
Sign in to your DNS registrar as the administrator user.
If you purchased your domain from Google, locate the TXT record configured for SPF.
If you didn't purchase your domain from Google, create a TXT record using the following
information (note that the values for the DNS TXT record vary between DNS registrars; look for
your registrar from the list of specific DNS providers ). Example for GoDaddy and many
registrars:

Hostname: @

Record value: v=spf1 include:_spf.google.com ~all

Learn more about DNS TXT records .


Note: It may take up to 48 hours for DNS changes to fully propagate.

If you have multiple domains in your company, you must complete these steps for every
domain.
To configure DKIM for your company's domain:
Sign in to your domain's Google Apps Admin console as the Google Apps super administrator.
Click the Google Apps icon.
Select Gmail > Authenticate email.
Select your domain from the drop-down list.
If you have multiple domains in your company, you can select another domain name.
Click the Generate new record link.
Use Prefix selector google.
Note: You only need to change the prefix if you're already using google as another prefix.
Click Generate.
The Admin console displays the hostname and TXT record value you must configure with your
DNS registrar.
Sign in to your DNS registrar and create a TXT record using the DNS hostname and record
value provided by Google.
Note: The values for the DNS TXT record vary between DNS registrars, so look for your
registrar from the list of specific DNS providers .
When you're done creating the DNS TXT records, go back to your Google Apps Admin console
and click Start authentication.
If you don't want to configure DKIM, close the Authenticate email window.

Note: It can take up to 48 hours for DNS changes to fully propagate.

Drive
Exercise 7: Drive Sharing Settings
Google Drive is a way for your users to access and share all their files, folders, and Google
documents at any time and on any device.
Hello Aurelia,
I have been thinking about how I want our people to share documents inside
and outside the company. I want everyone to be able to share documents
with our clients and partners, but not be able to publish openly on the
web.
I also want to build a strong collaboration culture, so inside the company
I want everyone to be able to have permission to see each others documents
but only if they have the link first. Can you make this happen?
Regards,
Sam Morse, CEO

As the administrator, you determine whether users can share their Google Drive documents
outside your organization, whether they can access documents created outside your
organization, and the default visibility level for new documents.
To set the default sharing options for new documents created by your users:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Google Apps icon and then click Drive.
Click Sharing Settings.
The current settings display for your domain. Because this is a new domain, these should still
be set to the default settings.

Before you change any settings, first read Set document sharing permissions to understand
what each setting indicates and the impacts of changing them. See Sharing basics from the
user's perspective.
Your CEO wants users to be able to share outside the organization, but does not want users to
publish openly on the web. To do this:
a. Ensure that the Users can share documents outside this organization checkbox is
selected.
b. Uncheck the Allow users to publish documents on the web or make them visible
to the world as public or unlisted documents box.
Click Save changes.
Under File Visibility, the default setting for documents is Private, and must be explicitly shared
to give access. To change the file visibility so that anyone in the company can access the
documents (once they have the link), select the People at this organization with the
link option (recommended default).
This option is recommended as the default for two reasons:

Allows for easy sharing, but offers protection from outside the organization, because
users must sign in to access the shared documents.

Documents with this visibility won't normally be found in search results.

Click Save changes.

Exercise 8: Drive Offline Access


You're able to view Google documents, spreadsheets, presentations, and drawings even when
you don't have an Internet connection. You're also able to edit Google documents,
presentations, and drawings offline. As an administrator, it's important for you to know the
options and limitations of Drive offline access.
Hello Aurelia,
I'm traveling next week but need to prepare for a meeting. I've been told
that I can have offline access to my documents in Drive even when I'm on
the plane. I mostly want to view and edit presentations and spreadsheets.

Can you look into it for me? I'll have my Windows laptop with Firefox with
me. How do I set it up?
Sam Morse, CEO

To investigate more about Drive offline:


Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the Google Apps icon and then click Drive.
Click General Settings.
In the Offline section, ensure that the Allow users to enable offline docs box is checked
(default).
This allows your users to Enable offline access to Google Docs editors.
Click the Learn more link to open the Work offline help page. Click the Access your files
offline link.
Explore these pages and answer the following questions:

Can Sam use Firefox to access her docs offline?

What app does Sam need to install?

What steps will Sam have to take to have offline access for her trip?

How can Sam view the docs once offline?

Can Sam edit the docs she wants to use on the flight?

If Sam has another device, is it set up automatically?

Once you've investigated the options for offline access, you could write a response to Sam
outlining what she needs to do; for example:
Hey Sam,

I've looked into offline access for you. First, download and install the
Chrome browser on your laptop. Then, follow the instructions to set up
offline access. It should only take a minute.
Once you've enabled offline access to view your files when traveling, open
Chrome and visit drive.google.com. The offline version of your Drive will
load. Then you can then view and edit your presentations & spreadsheets
without an Internet connection.
Additionally, if you want offline access on other devices, you need to set
this up on each device individually.
Please let me know if you have any questions.
Aurelia Ion
Admin

Exercise 9: Transfer Ownership


If you're a Google Apps super administrator, you can transfer all documents owned by one user
to the ownership of another user in your organization.
Hello Aurelia,
My executive assistant, Ellie, is responsible for maintaining many of my
important documents. Is there a way that I can make her the owner so that
she has total control over them, while still allowing me to make changes?
Sam Morse, CEO

There are three user types in Google Drive: owner, editor, and viewer. Documents can have
many editors and viewers, but only one owner at a time. By default, the creator of a document
is also the owner, but document ownership can be transferred to another user. After the
transfer, the original owner retains editing privileges of the documents unless that user is
deleted or their edit permissions are removed.
We've already seen that reassigning ownership of all of a user's documents can be useful when
the user leaves the organization. Before deleting a user from your domain, transfer ownership
of their documents to avoid losing them; documents owned by a deleted user can't be
transferred. However, if a user was deleted in the last five days, an admin can restore the
user's documents and then transfer those documents.

As you can see from the above example, there may be other instances outside of user deletion
where you must Transfer ownership of Drive documents.
To transfer ownership of Sam's documents to Ellie:
Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the Google Apps icon and then click Drive.
Click Transfer Ownership.
In the File ownership transfer section, you can input the original owner's email (in this case,
Samantha Morse) and transfer ownership to Ellie Gray.
This feature is useful at the time of deleting an user as it ensures that the documents created
by the user being deleted are not lost.
Click Transfer files.
A prompt confirms that the you successfully initiated the document file transfer.
It's also possible to transfer ownership of documents by other methods. For example, if you
need to Transfer file ownership, or you could use the Drive APIs.

Exercise 10: Restore Deleted Drive Files


You can restore a given user's deleted Google Drive files for a date range you specify, as long
as the Drive files weredeleted within the past 25 days. This helps ensure that, if a user
accidentally deletes important files, those files are not permanently lost.
Hey Aurelia,
I don't know how it's happened, but a really important finance report
("Super Important Budget") has vanished. It's gone. Even if I search, I
can't find it, but it was there 3 days ago. It would take months of work
to re-create it. I emptied the trash yesterday; it must have been in there
somehow. Can you help?!
Timothy Lee, Finance Manager

There comes a time in every administrator's job where someone will approach youin a panic
desperate to recover lost data. The good news is that Google Apps has a way for you to
restore a user's data for a certain period of time. Before we learn to do this, however, let's first
see the series of steps a user must take to permanently delete a Drive file.
Note: As an administrator, you typically don't have access to your users' accounts, but for this
exercise, to get a feel for the deletion process, you'll sign in as Timothy and follow the steps
necessary to delete the file.
To create and delete Timothy's document:
Choose one way to begin:

Sign out of your own administrator account and sign back in as Timothy.

Open a new incognito Chrome browser window , go to drive.google.com, and sign in


with the full email address, timothy.lee@yourdomain.com, using the default password
(hellohello1) or the updated password (G00gleapps). This way you can remain
signed in as your administrator account, and also sign in as Timothy.

When you can access Timothy's Drive, click New and select Google Sheets.
In the spreadsheet, click the title to rename the file to Super Important Budget, and then close
the sheet.
In the Drive homepage, click the new Super Important Budget file to highlight it, and then
click the Trash icon to remove the file from Drive.
Anything you remove from Google Drive will be in your Trash until you permanently delete the
files or restore them. To recover the deleted file, go to Trash, highlight the file, and
click Restore. (But, don't do this now.)
Suppose that Timothy went to Trash and accidentally clicked Delete Forever. A warning
prompts the user with a You can't undo this action message.
Note: These steps are for a user to permanently delete a file. While it's quite difficult to do this
by mistake, accidents can happen. Learn more about File deletion and recovery policy .
Sign out of Timothy's account or close the incognito window.
We have finished with the user portion of the exercise. You can now switch back to Admin
mode and help Timothy recover his files.

To restore a user's deleted files:


Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the Users icon.
Browse or search to find Timothy Lee and click his user account page.
Because Timothy noted that the file was there three days ago, and he emptied the trash
yesterday, choose a date range that goes 4 days back from today, for the files you want to
restore.
Click Restore Data.
A prompt should display a message stating that the data is being restored, and the data will
appear in the owners Drive folder in the same location as before it was deleted.
Send a mail to Timothy; for example:
Hey Timothy,
I have some good news for you. I was able to restore the data you deleted
from Drive starting from the past 4 days. Please check your Drive folder
to ensure that the "Super Important Budget" finance report file has been
recovered. Don't forget to re-delete any other files that you don't need.
I can help you recover deleted data, as long as the trash was emptied in
the last 25 days. After that, it's gone. Please be careful when deleting
files and emptying your trash in the future.
Aurelia Ion, Admin

Here are some things to consider when restoring deleted files:

You can restore files for one user at a time on each user's page.

You can select a date range to restore files up to 25 days ago.

If a user provides others with access to any Drive item, when you restore that item,
the access is not restored. The user can re-enable access as needed.

Note: If your Google Apps account includes Drive storage quotas for users, you can't restore a
user's files if that user's Drive is full.

Learn more about how to Restore a user's Google Drive files .

Storage Space
By default, each user with a Google Apps for Work account has 30 GB of storage available for
uploaded Google Drive files, Gmail, and Google+ photos. Users with the free edition of Google
Apps (or consumer accounts) get 15 GB of storage.

Reports
Exercise 17: Monitor Google Apps Usage
You can monitor Google Apps usage via the Admin console and Reporting Application
Programming Interfaces (APIs). For the purpose of this exercise, we'll focus on Admin console
reports.
To view usage graphs and create an Apps Usage report:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Reports icon.
Take a moment to explore the reports in Google Apps. Reports don't reflect real-time data, and
some reports can take longer to display updated information.
Note: Because you just set up your Google Apps domain, there will be limited data or no data
available for the usage graphs.
a. Select Highlights to view Apps usage. Change the time frame from Last 7 Days
to Last 1 Month.
b. Select Security. Click the Externally Visible Files drop-down list to select External
Apps or 2-Step Verification Enrollment.
c. Select Account Activity. Click the User Account Status drop-down list to Admin
Status or 2-Step Verification Enrollment.
Select Apps Usage Activity.
Click the Select columns icon and select the following columns:

Total Storage Used, Gmail Storage, Drive Storage

Total Emails

Files Owned

Click Apply.
Note how the columns expand in the Admin console to show data per user.
Click the Download

icon and select Export to Google Sheets.

Click Open to view the report.


Congratulations! You just created your first Google Apps usage report.

Exercise 18: View Audit Logs


As a Google Apps administrator, you want to be aware of changes being made to your Google
Apps account possibly by other administrators or Help Desk users. You can view the Admin
audit log to see who has made what changes when. You can also search or filter for specific
events. The Login audit log provides visibility to user sign-in or sign-out activity, including
suspicious events.
To view the Admin Audit Log:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Reports icon.
Click Audit > Admin.
Explore the Admin log entries. Try to locate the events you initiated, such as changing email
policies and other service settings.
Note: Not all administrator tasks are captured in this log.
(Optional) Filter for specific events, such as Gmail Setting Change.
Just start typing an event name and event names are suggested. Optionally, enter a date
range.

(Optional) Add or remove columns.


a. Click the Select columns icon to add (or remove) other columns to the report.
b. Check the Admin box and click Apply to display the administrator name in the report.
(Optional) Export the report to a spreadsheet.
a. Click the Download icon

and select Export to Google Sheets.

b. Open the report to view the data.


Explore the Login Audit Log: Select Audit > Login.
Try to answer these questions:
a. When did you last sign out of Google Apps?
b. Can you filter for Suspicious Login events?

Exercise 19: Configure Alerts


While it's useful to view events in the Admin console audit log, it's probably more helpful to be
alerted immediately of significant changes, such as when a user is deleted or suspended, or if
settings are changed. You can configure alerts and be notified via email of such changes.
To configure alerts:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Reports icon.
Click Manage Alerts.
Explore the alerts:

There are specific User and Settings events.

Alerts are OFF by default.

Turn ON the following alerts by clicking or toggling the OFF button to ON:

a. Suspicious login activity


b. User suspended
c. User deleted
d. Gmail settings changed
(Optional) Send alerts to other recipients.
a. Locate the alert you want to change and click Super administrator(s).
b. Enter the email addresses of the other recipients. Optionally, you can uncheck
the Super administrator(s)box.
c. Click Save.
Verify that the alerts are working properly.
a. Suspend a user, such as Tim Lee.
b. Immediately restore or unsuspend the user.
c. Check the Gmail inbox of your super administrator. There should be an alert message
similar to the following:
This is to inform you that user tim.lee@cloudsola.com has been suspended by Lukas
Novak (lukas.novak@cloudsola.com) on Tue, 26 Nov 2013 13:33 PST.

Exercise 20: Search Email Log


The Email log gives you the ability to sort through the last month of delivery logs for your
Google Apps account and evaluate message transit. This is useful for tracking a sender or
recipient's missing messages, such as those that have been quarantined as spam or otherwise
routed incorrectly. You can also use the Email log to troubleshoot how Gmail policies affect mail
flow.
To search the Email log:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Reports icon.

Click Audit > Email Log Search.


Explore the search options:
a. Specify a date range going back 30 days.
b. Search by sender or recipient.
c. Search for a specific Message ID.
d. Export the results. It can take up to one hour for a message to be logged.
Search for all the messages received by your administrator over the past 7 days.
Search results vary. Hopefully, you've waited long enough to see the alert notification sent to
your administrator user. Note the status of the messages.
Click the subject (or Message ID) link of a message to see the message details.
Note: You can't view the actual content of the message.
Click any of the links of the recipient details to see the message route, or click Back to results.
(Optional) Run another search or export the message log.
MOBILE DEVICE MANAGEMENT

Exercise 15: Configure Mobile Devices Policies


Use Google Apps Mobile Management to enforce the company's mobile policies for Android
and Google Sync devices, including Windows and iOS mobile devices.
Scenario: You receive the following message from Security Officer, Hiro Goto:
Hey Aurelia,
I hope I'm not keeping you too busy with my requests, but I have another
urgent one for you.
Our immediate task is to make sure we secure mobile access to Google Apps.
We've decided to go with the "BYODBring Your Own Device" strategy so our
employees can use their personal mobile devices for work too. But they'll

need to adhere to our security policies. I've read that you can enforce
these policies with Google Apps Mobile Management.
I've decided to go with Google's best practices and define a standard set
of access policies across all devices and organizations with emphasis on
password settings. Mobile policies can be adjusted later, if necessary.
Thanks,
Hiro Goto

To enforce these policies on Android devices, your users must install the Device Policy for
Android app on their device. This app ensures that your domain policies are set properly on the
user's Android device before synchronizing any data.
Note: Most Android 2.2 or later devices will automatically install the app if necessary.
To enforce these policies on Google Sync devices, such as Windows and iOS devices, users
should follow the instructions specific for those devices.
To configure mobile devices policies for your domain:
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Device management icon (or click Google Apps > Mobile).
Select Device management settings.
In the General settings section, check (configure) the following boxes (policies):

Enable Android Sync for users

Enforce policies on Android devices

Enable Google Sync for users

Enforce policies on Android devices

Scroll to the Password settings section and check (configure) the following boxes (policies):

Require users to set passwords on their devices

Password strength: Strong

Minimum number of characters: 8

Automatically lock the device after: 1 minute

Note: Don't enforce password expiry policies, nor wiping device, for invalid password attempts.
Scroll to the Device settings section and uncheck the following boxes (policies):
Note: These are typically the default settings and are already deselected.

Encrypt data on device.

Allow automatic sync when roaming.

Allow camera, which prevents users from using a camera on their mobile device.

Scroll to the Advanced settings section and check the Enable application auditing box.
Scroll to the Android settings section and check the Enable Google Now box.
Scroll to the Compromised device settings section and check the Block compromised
devices box.
(Optional) Use your mobile device to test the enforcement of these policies. Try to synchronize
the data for the user, Lars Ericsson.

Exercise 16: Block Access From a Lost Device


Scenario: A colleague informs you that Lars Ericsson has lost his mobile phone. He's worried
someone may sign in to his work Google Apps account and access his data.
If a user loses a computer or mobile device that has an open connection to that user's Google
Apps account, or maintains cookies that permit a connection without first entering a username
and password, that Google Apps account is potentially exposed to anyone who has possession
of the computer or device.
To block unauthorized access to an account, you can reset the sign-in cookies for that user,
which has the effect of signing out that user from all current HTTP sessions, and requiring new
authentication the next time that user tries to initiate an HTTP session to sign in to Google
Apps.

To reset the sign-in cookies for a user:


Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Users icon.
a. From the user list, click Lars Ericsson (the username).
b. Once the page has loaded, click Account, which displays the user's profile.
In the Password section, click Reset sign-in cookies.
Click Reset sign-in cookies.
It can take up to 60 minutes to sign out the user from current Gmail HTTP sessions. The logout
time for other applications can vary.

SECURITY

Exercise 1: Configure Common Security Settings


This exercise familiarizes you with the Google Apps security features and settings.
To configure common security settings:
Familiarize yourself with these Google Apps Security resources: Security
Whitepaper and Google Apps and Cloud Platform Audit & Certification Summary.
Watch this short video on Google Apps Admin console security settings.
Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the Security icon.
Click Basic settings and enable the following features:
a. Check the Enable SSL box.
b. Check the Allow users to turn on 2-step verification box.

c. If necessary, select Save changes.


Click Password monitoring to check who has signed in to Google Apps and view their
password length and strength.
Note: This information only appears for users who have signed in.
Click API reference to enable programmatic access to your Google Apps domain.
Check the Enable API access box to allow various Google Apps Administrative APIs, including
Google Apps Directory Sync.
Click Advanced settings, which allows you to manage more advanced security and access
settings.
a. Select Set up Single sign-on (SSO).
o

Explore the settings necessary to configure SSO.

When enabled, users are authenticated by the SSO service rather than using
the Google Apps password for web-based services, such as Gmail and
Calendar. Google Apps uses SAML SSO to authenticate users.

b. Select Manage OAuth domain key.


o

OAuth is an authentication method that allows external applications and tools


to access your Google Apps data, such as data migration tools. It uses an
OAuth consumer key and secret to authenticate via the API.

Note: The OAuth consumer secret can be regenerated, which revokes application
access to your Google Apps data until you redistribute the new consumer secret
value.
c. Select Federated Login using OpenID.
o

When enabled, OpenID allows users to sign-in to third-party websites and


services using their Google Apps account, without giving away their
credentials.

Enabled by default, so users are able to authenticate to other websites using


their Google Apps credentials.

Exercise 2: Configure 2-Step Verification

Scenario: The company has established a policy that all managers and executives must set up
2-step verification. However, they'll pilot the security feature starting with the Finance Manager,
Tim Lee.
While the Google Apps administrator has already enabled the feature as one of the Security
basic settings, each usermust configure it individually after they first sign in to Google Apps.
Tim Lee will be given special instructions to set up 2-step verification for his accounts.
To allow users to enable 2-step verification (as the super administrator):
Sign in to your domain's Google Apps Admin console as the administrator user using
thefirstname.lastname@yourdomain.com format.
Click the Security icon.
Click Basic settings, check the Allow users to turn on 2-step verification box, and
click Save changes.
Verify the security settings for the user Tim Lee (before he sets up 2-step).
Click the Users icon.
a. Select the user Tim Lee.
b. Select the Security setting and review the following findings:
o

2-step verification is disabled for the user, nor can the administrator enable
or configure 2-step for the user.

There are no application-specific passwords.

To set up 2-step verification (as user Tim Lee):


Sign in to the Google Apps Gmail service as the user Tim Lee (use mail.google.com).
Use these step-by-step instructions to set up 2-step verification.
(Optional) Save the backup codes to your local disk drive.
(Optional) Configure an application-specific password and name it My iPhone.
Once 2-step is configured, try to sign in as the user from another browser or another computer.
Are you prompted for the 2-step password?

To verify that the user set up 2-step verification (as the Google Apps super administrator):
Sign in to your domain's Google Apps Admin console as the administrator user using the
firstname.lastname@yourdomain.com format.
Click the User icon.
Select the user Tim Lee.
Select the Security setting and review the following:
a. What settings are visible?
b. Is 2-step enabled for the user?
c. Can the administrator disable the feature for the user
d. Can the administrator view the backup codes? When would you use them?
e. Can the administrator view the application-specific password?
Click the Security icon.
Select Basic settings.
Check the Allow users to turn on 2-step verification box and click Go to advanced settings
to enforce 2-step verification.
Enforcement for 2-step verification is turned OFF for the entire company. Keep it OFF!
About enforcing 2-step verification:

It's possible to enforce 2-step verification for one or more or all organizations.

Before enforcing 2-step verification, ensure that the users in the enforced
organizations have previously set up 2-step or create an exception group. Otherwise,
the users are unable to sign in to Google Apps.

You can also generate the 2-Step Verification Enrollment Report to verify who has set
up 2-step verification before turning on enforcement.

Administrator exam topics


This Google Apps Administrator exam measures your ability to accomplish the technical
tasks listed below. The percentages indicate the relative weight of the topics on the exam.
The higher the percentage, the more questions you're likely to see on that content area.
Section 1

User creation, deletion, and


administration
23%
1.1
Create new users manually, in bulk, and via invitation
5%

1.2
Demonstrate how to rename users, move users, add/remove nicknames, and
suspend users
5%

1.3
Demonstrate how to delete users, retain data files for deleted users, and restore
recently deleted users
5%

1.4
Use System Roles to delegate administration duties to users in a domain, including
custom administration roles
3%

1.5
Demonstrate how to reset a user password, force the user to change their
password, and monitor the strength of user passwords
5%

Section 2

Organizational units
10%
2.1
Demonstrate how to create and use organizational units to manage users, groups,
and security settings
6%

2.2
Demonstrate how to manage Google Apps services by organizational unit
4%

Section 3

Google Apps services and


organizational access
14%
3.1
Demonstrate how to configure sharing settings, storage requirements for Drive
3%

3.2
Demonstrate how to use Chrome policies for devices and users

2%

3.3
Demonstrate how to manage domain and organization level settings for Google
Apps services
5%

3.4
Demonstrate how to use reports to determine services use, troubleshoot system
issues, and to improve domain security
4%

Section 4

Mail delivery, routing, and filtering


18%
4.1
Demonstrate how to configure Google Apps to manage mail routing
5%

4.2
Demonstrate how to manage approved or reject sender lists and whitelist senders
by domain and IP addresses
5%

4.3
Demonstrate how to apply security best practices to email including transmit mail
via a secure connection based on system rules
3%

4.4

Demonstrate how to filter messages based on general compliance settings,


content, and attachment settings
5%

Section 5

Calendar settings and resources


7%
5.1
Create and share a group calendar, set-up calendar sharing options, and delegate
calendar access
3%

5.2
Demonstrate how to create and manage calendar resources
4%

Section 6

Mobile policies and device


management
8%
6.1
Demonstrate how to use Google Apps Mobile Management to manage Android and
Google Sync devices
4%

6.2
Demonstrate how to reset user access and prevent access from a lost mobile
device

4%

Section 7

Security
10%
7.1
Demonstrate how to use exception groups to manage security options by
organizational unit
5%

7.2
Demonstrate how to configure SSO, OAuth, and 2-step verification
5%

Section 8

Groups
10%
8.1
Create a group that will be used as a shared mailbox for a group of users, Q & A
Forums, and distribution lists
3%

8.2
Demonstrate how to add, edit, disable, and delete a group, and prevent users from
seeing other members of the group, and administer group roles
2%

8.3

Demonstrate how to share docs, sites, and videos using groups


3%

8.4
Demonstrate how to use Groups for Business to manage permissions and group
settings
2%