Why Use GCDS?
GCDS has a distinct advantage over a CSV file upload for licensing: it can remove licenses when a user is suspended in AD (or rather, when a user falls out of the scope of your LDAP query), provided you select the check box option below the license drop-down.
Making the Licensing Area Visible in GCDS
For Licensing to be visible, you need to select Licenses in the General Settings area of GCDS.
Considerations With GCDS Licensing
The first step with GCDS licensing is to ensure you're on the latest version of GCDS. Older versions do not include the Google Workspace for Education SKU in the licenses tab.
Next, ensure you have a way, via a single LDAP search rule, to target all users that need the staff license assigned, and another single LDAP rule to assign the student licenses. You cannot create an LDAP rule to license a specific OU without passing a base DN path, which GCDS does not support. We recommend using a Group in Active Directory (AD) to assign these licenses to your users: one group for all your staff licenses and one group for all your student users.
You'll input the appropriate single LDAP Query and choose the correct license type from the dropdown. For licensing students with Standard or Plus, use the non-specified license name, not the Extra Student license.
Sample queries
You can use these sample queries to get up and running quickly. The first one is applicable if you have a security group in AD with no nested groups (i.e., flat user membership), and the second one recurses through nested groups to include their members, too.
- Clean Active AD Users in a Group (Non-nested)
(&(objectCategory=person)(objectClass=user)(memberOf=CN=GLS-GAFE-AllStaff,OU=Security Groups,OU=GAFETest,DC=testlab,DC=amplifiedit,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- Clean Active AD Users in a Group (Nested)
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GLS-GAFE-AllStaff,OU=Security Groups,OU=GAFETest,DC=testlab,DC=amplifiedit,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
To use these samples, you need to replace the sample group's distinguished name (the value of the memberOf clause, beginning CN=GLS-GAFE-AllStaff) with the full distinguished name of your group. Also, test the LDAP query in GCDS to confirm the numbers match what you expect. Be sure to add your account and any other specific accounts to your licensing group, as GCDS will remove the license from any user who is not a group member. There is no exclusion process for this at this time.
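A pre-flight check for the warning above, as an added example that is not part of the original article or of GCDS: it rebuilds the two sample queries with RFC 4515 escaping of the group DN and models their scope over a constructed directory to list which currently licensed accounts would lose their license. The helper names, the Teachers group and the user records are hypothetical; the model covers only the group-membership and disabled-account clauses, not GCDS itself.

```python
BIT_AND = "1.2.840.113556.1.4.803"    # bitwise-AND matching rule used on userAccountControl
IN_CHAIN = "1.2.840.113556.1.4.1941"  # nested-membership matching rule used on memberOf
ACCOUNTDISABLE = 0x2                  # the bit the sample queries exclude
BASE = "OU=Security Groups,OU=GAFETest,DC=testlab,DC=amplifiedit,DC=com"
STAFF = "CN=GLS-GAFE-AllStaff," + BASE   # group DN from the sample queries
TEACHERS = "CN=Teachers," + BASE         # constructed group nested inside STAFF

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN containing ( ) * or \\ cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def license_filter(group_dn, nested=False):
    """Build the flat or nested sample query for one licensing group."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return ("(&(objectCategory=person)(objectClass=user)(%s=%s)(!(userAccountControl:%s:=%d)))"
            % (attr, escape_filter_value(group_dn), BIT_AND, ACCOUNTDISABLE))

def in_scope(user, group_dn, groups, nested):
    """Model the filter: enabled account that is a direct (or nested) member."""
    if user["uac"] & ACCOUNTDISABLE:
        return False
    seen, stack = set(), list(user["memberOf"])
    while stack:
        dn = stack.pop()
        if dn == group_dn:
            return True
        if nested and dn not in seen:   # only the nested query walks parent groups
            seen.add(dn)
            stack.extend(groups.get(dn, []))
    return False

def licenses_removed(licensed, users, group_dn, groups, nested=False):
    """Currently licensed accounts that fall outside the rule's scope."""
    return sorted(n for n in licensed
                  if n not in users or not in_scope(users[n], group_dn, groups, nested))

# Constructed sample directory: group -> parent groups, user -> direct groups and UAC value.
GROUPS = {TEACHERS: [STAFF]}
USERS = {
    "alice": {"memberOf": [STAFF], "uac": 512},     # direct member, enabled
    "bob": {"memberOf": [TEACHERS], "uac": 512},    # member only through a nested group
    "carol": {"memberOf": [STAFF], "uac": 514},     # direct member, disabled (512 | 2)
    "gcds-admin": {"memberOf": [], "uac": 512},     # admin account left out of the group
}
LICENSED = ["alice", "bob", "carol", "gcds-admin"]

if __name__ == "__main__":
    print(license_filter(STAFF, nested=True))
    print(licenses_removed(LICENSED, USERS, STAFF, GROUPS, nested=True))
```

Any account the check lists, such as an admin account left out of the group, needs to be added to the licensing group before the rule is applied.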
Important reminders
Before applying your license rule, be sure to simulate any changes in the GCDS Configuration Manager GUI to ensure no unintended impact on your domain. Lastly, be sure you are not auto-provisioning licenses via the Admin Console. GCDS will attempt to assign licenses if you are; it calls back to check.
Resources
Document Version | Date | Description of Change |
1.0 | 2/20/2024 | Verified article |