
Security Exception Groups

Google Apps allows the domain administrator to apply some security settings to some accounts in an OU while not applying those settings to the other users in that same OU.  Google refers to this concept as Exception Groups, although the group actually names the users to whom the policy WILL be applied.  Google's documentation of the process is a bit terse and uses outdated terminology for the Admin Console.

It appears that the only security policy that can use this feature is the one that requires specific users to use 2-step verification.

Below is a general description of what can be done (as I understand it) and links to the pages that document the process step by step.

Some key points:
  • A Google Group created and managed through the Admin Console is used to identify the users to whom the policy will be applied.  (The term Exception Group seems counter-intuitive to me.)
    • The users in the group can be in any number of OUs within the domain.
  • Allowing users to activate 2-step verification is a feature that is turned on or off at the domain level.
    • It appears that it is not possible to allow (or require) 2-step verification for some OUs and prohibit it for other OUs.
      • If 2-step verification is allowed for any user, it is allowed for all users.
  • Requiring users to activate 2-step verification CAN be limited to users in a specific OU (and optionally its child OUs).
    • By using an Exception Group, requiring 2-step verification can be further limited to specific users within that OU (and its child OUs).
If you enforce 2-step verification on an OU and apply an exception group, then 2-step verification will be required only for the users who are in the OU AND are members of the exception group.  A user who is in the exception group but outside the OU is not affected, and neither is a user who is in the OU but not in the group.

The process for implementing 2-step verification and using an exception group to require it for specific users (but not all users) is:
  1. Create a Google Group and add the members who will be required to use 2-step verification
  2. Allow 2-step verification for users in the domain (if not already enabled)
  3. Enforce 2-step verification on the OU, and specify the exception group so that only members of that group are required to use it
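Once the three steps are done, the check a practitioner wants is whether the set of accounts actually being enforced matches the rule above (in the OU or a child OU, AND in the group), and which of those accounts have not yet enrolled and will therefore be prompted or blocked at next sign-in.  The script below is an added example and is not part of the original page or of Google's documentation.  It assumes the per-user fields the Admin SDK Directory API returns from users.list (primaryEmail, orgUnitPath, isEnrolledIn2Sv, isEnforcedIn2Sv) and that isEnforcedIn2Sv reflects the exception-group result; the user records, domain, OU names and group membership are all constructed for the example, so it runs offline.

```python
# Added example (not from the original page): predict which accounts a 2-step verification
# enforcement on an OU plus an exception group should cover, and compare the prediction with
# what the Admin SDK Directory API reports for each user.  The records below are constructed,
# mirroring the field names of a users.list response; domain, OUs and addresses are made up.
from typing import Dict, List, Set


def in_org_unit(user_ou: str, enforced_ou: str, include_children: bool) -> bool:
    """True if user_ou is enforced_ou or, when include_children is set, a descendant of it.

    Comparison is by path segment, so '/Staff' covers '/Staff/Faculty' but NOT '/Staffing';
    a naive startswith() check would wrongly pull '/Staffing' into the enforced set.
    """
    user_path = user_ou.rstrip("/") or "/"
    enforced_path = enforced_ou.rstrip("/") or "/"
    if user_path == enforced_path:
        return True
    if not include_children:
        return False
    if enforced_path == "/":          # root OU: every other OU is a descendant
        return True
    return user_path.startswith(enforced_path + "/")


def expected_enforced(users: List[Dict], enforced_ou: str, include_children: bool,
                      exception_group: Set[str]) -> Set[str]:
    """Accounts that should be required to use 2SV: in the enforced OU AND in the group.

    Group membership is compared case-insensitively, as Google addresses are.
    """
    members = {m.lower() for m in exception_group}
    return {
        u["primaryEmail"]
        for u in users
        if in_org_unit(u["orgUnitPath"], enforced_ou, include_children)
        and u["primaryEmail"].lower() in members
    }


def enforcement_mismatches(users: List[Dict], expected: Set[str]) -> Dict[str, bool]:
    """Accounts whose reported isEnforcedIn2Sv flag disagrees with the expectation.

    The value is the flag the API reported, so True means 'enforced but should not be'.
    """
    return {
        u["primaryEmail"]: bool(u.get("isEnforcedIn2Sv", False))
        for u in users
        if bool(u.get("isEnforcedIn2Sv", False)) != (u["primaryEmail"] in expected)
    }


def not_yet_enrolled(users: List[Dict], expected: Set[str]) -> Set[str]:
    """Accounts that will be required to use 2SV but have not enrolled yet."""
    return {
        u["primaryEmail"]
        for u in users
        if u["primaryEmail"] in expected and not u.get("isEnrolledIn2Sv", False)
    }


# Constructed sample: what users.list might return for a small domain (assumed field names).
USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Staff",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},    # in OU and in group
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Staff",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},  # in OU, not in group
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Staff/Faculty",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},   # child OU, in group, not enrolled yet
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/Staffing",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},   # prefix look-alike OU, in group
    {"primaryEmail": "erin@example.com", "orgUnitPath": "/Students",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},    # in group but outside the OU
]
EXCEPTION_GROUP = {"alice@example.com", "Carol@example.com", "dave@example.com", "erin@example.com"}


def report(users: List[Dict], enforced_ou: str, include_children: bool,
           exception_group: Set[str]) -> Dict[str, object]:
    """Bundle the three checks for one enforcement setting."""
    expected = expected_enforced(users, enforced_ou, include_children, exception_group)
    return {
        "expected": expected,
        "mismatches": enforcement_mismatches(users, expected),
        "not_enrolled": not_yet_enrolled(users, expected),
    }


if __name__ == "__main__":
    for key, value in report(USERS, "/Staff", True, EXCEPTION_GROUP).items():
        print(f"{key}: {sorted(value)}")
```

With enforcement on /Staff including child OUs, the expected set is alice and carol; erin shows up as a mismatch (reported enforced although she is outside the OU), dave is correctly excluded despite the /Staffing prefix, and carol is flagged as not yet enrolled.  Flip include_children to False and carol drops out of the expected set, which is the difference between the two ways of scoping the OU in step 3.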