Why use GCDS?
GCDS has a distinct advantage over a CSV file upload for licensing because GCDS is able to remove licenses when a user is suspended in AD (or rather, when a user falls out of the scope of your LDAP query) when you use the check box option below the license drop-down:
Considerations with GCDS licensing
The first step with GCDS licensing is to ensure that you're on the latest version of GCDS. Older versions do not include the Google Workspace for Education SKU in the licenses tab.
Next, ensure you have a way, via a single LDAP search rule, to target all users that need the staff license assigned, and another single LDAP rule to assign the student licenses. You cannot create an LDAP rule to license a specific OU without passing a base DN, which GCDS does not support. We recommend using a Group in AD to assign these licenses to your users, one group for all your staff licenses, and one group for all your student users.
You'll input the appropriate single LDAP Query and choose the correct license type from the dropdown. For licensing students with Standard or Plus, use the non-specified license name, not the Extra Student license.
Sample queries
You can use these sample queries to get you up and running quickly if they help. The first one is applicable if you have a security group in AD with no nested groups (i.e. flat user membership) and the second one recurses groups for members of nested groups too.
- Clean Active AD Users in a Group (Non nested)
(&(objectCategory=person)(objectClass=user)(memberOf=CN=GLS-GAFE-AllStaff,OU=Security Groups,OU=GAFETest,DC=testlab,DC=amplifiedit,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- Clean Active AD Users in a group (Nested)
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=GLS-GAFE-AllStaff,OU=Security Groups,OU=GAFETest,DC=testlab,DC=amplifiedit,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
To use these samples, you need to replace the bold text with the full distinguished name of your group. Also, make sure you test the LDAP query in GCDS to confirm the numbers equate to what you expect. Be sure to add your own account and any other specific accounts to your licensing group, as GCDS will remove the license from any user that is not a member of the group. There is no exclusion process for this at this time.
Important reminders
Before applying your license rule, be sure to simulate any changes in the GCDS Configuration Manager GUI to be sure there is no unintended impact to your domain. Lastly, be sure you are not auto provisioning licenses via the Admin Console. GCDS will attempt to assign licenses if you are; it calls back to check.