# User Management Module Overview In this module, you'll learn about provisioning and managing users in your Cloud Identity domain. The exercises cover how to add new users in various ways and how to configure user identities, settings, and privileges. **Important information before you get started:** 1\. About User Passwords In these exercises, as a G Suite administrator you have control over the user passwords. To avoid confusion or being locked out of an account, it's best to keep a consistent policy for password creation. (This isn't an issue in a real-world situation; your users, not you, will be setting their passwords the first time they sign in.) For these exercises, the default password for all new users is **hellohello1**, unless you choose the auto-generated temporary password option. To maintain consistency and to avoid forgotten passwords during these exercises, we suggest changing new user passwords to **G00gleidentity** (with zeros instead of letter Os) during the first sign-in process. Feel free to choose your own new password, but do remember to take note of it! # Adding Users Individually ## Introduction to Exercise Before people in your organization can begin using your Cloud Identity service, you need to create user accounts for each person. An account provides users with a name and password for signing in to their cloud services. Each user you add will require a user license. The deployment of a Cloud Identity domain will often be done in phases. In each deployment phase, you add different types of users based on their particular focus and unique needs. The first phase of your deployment is where you'll add your technical IT users, so that they can begin using your organization’s services and align the settings with your organization's IT policies. In this exercise, you'll manually add an individual user—Alexa Bell, your IT Manager. ### **Exercise Directions:** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Go to the **Users** section, then click **the yellow "Plus" button** and select **Add User**. Because this is a new domain, there's only one Organization (Org)—the parent org—named the same as your domain. We'll add more orgs later, but for now, we can add Alexa. Learn more about how to [Add users individually](https://support.google.com/cloudidentity/answer/33310?hl=en&ref_topic=7558554). 3\. In the **“Create a new user”** dialog box, create your company's IT Manager user account, entering the following information: First name: **Alexa** Last name: **Bell** Primary email address: **alexa.bell@yourdomain.com** **Note:** *If your account has multiple domains associated with it, use the domain (next to @) drop-down list to view the available domains. The domain you select will be the portion of the user's email address that appears after the @ symbol.* - Each user account requires a password. You can assign a temporary, randomly generated password or manually set a temporary password. Either way, the new user will change this when signing in for the first time. For this exercise, you should simply allow a temporary password to be assigned. 4\. You can also add more profile information for Alexa, such as her contact and employee details. This information is visible in the Admin console. Click Additional Info and enter the following user information: Secondary Email Address: (Leave this blank if you don't have one) Phone: 01 23 45 678 Address: 110 Main St, Cloud City Click Next to enter Employee Details: Employee ID: Employee Type: Title: IT Manager Department: IT Cost Center: 5\. Click Create to generate Alexa's account. Congratulations! You've added your first user in your new domain! Notice the Show Password link that allows you to see the temporary password generated. 6\. (Optional) Click Email instructions or Print instructions to deliver the account information to the new user. Use an email address that's currently accessible to the user. 7\. Exit out of the window. Now that you have a user, you can investigate some of the user-specific settings. 8\. Locate Alexa's name in the Users list, click her name, and click Account. 9\. In the Password section, ensure that the Require user to change password at next sign-in box is checked. # Add Several Users at Once ## Introduction to Exercise You've learned how to add users manually; however, when adding many users at once, this method is quite time consuming. Let's see how to bulk upload many users at once. Note: This task requires being signed in as a super administrator. For more information, see [Add several users at once](https://support.google.com/cloudidentity/answer/40057). ### **Exercise Scenario** You receive this mail from the IT Manager, Alexa: *Hi Admin!* *Thanks for creating my Google account. Now our next task is to get the rest of our users accounts created. Below is the list of people.*

First Name	Last Name	Email	Password	Employee Title
Ellie	Gray	ellie.gray@yourdomain.com	hellohello1	Executive Assistant
Jon	Baird	jon.baird@yourdomain.com	hellohello1	HR Contractor
Lars	Ericsson	lars.ericsson@yourdomain.com	hellohello1	Project Manager
Samantha	Morse	samantha.morse@yourdomain.com	hellohello1	CEO
Jennifer	Lee	jennifer.lee@yourdomain.com	hellohello1	Finance Manager
Tom	Edison	tom.edison@yourdomain.com	hellohello1	Support Engineer
Will	Marconi	will.marconi@yourdomain.com	hellohello1	Support Engineer

*Can you create these accounts using Cloud Identity for us?* *Thanks, Alexa Bell, IT Manager* ### **Exercise Directions** In this exercise, you'll add several users via a comma-separated value (CSV) file. To add several users at once: 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Go to the **Users section**, hover over the yellow plus sign, and **select Add multiple users**. In the **Add multiple users** dialog box, click the **Download as .csv button** to download a copy of a sample spreadsheet to your local machine with the proper headers formatted. Leave this dialog box open to (later) upload the file after editing. 3\. Open the CSV file in a spreadsheet application, such as Microsoft Excel. 4\. Edit the file to add the user data. Copy the user information into the CSV file from the table Alexa provided. The file contains a column for each attribute that appears on the user profile in the Admin console and in your directory contacts. **Note:** *You must enter values in the **Email Address, First Name, Last Name**, and **Password columns**; that information is **mandatory** for each user. Don't forget to update the domain in the email addresses. The other columns aren't mandatory, so you can enter values or leave them blank. However, Alexa has also provided a column for **Employee Title** that requires information to complete.* 5\. Once the editing is complete, save a copy of the CSV file (in a CSV file format) back to your local machine. 6\. Return to the **Add multiple users** dialog box, click **Attach File**, and browse to the edited spreadsheet you just saved locally. By default, the **Require user to change password at next sign-in** checkbox is enabled. This requires the user to change the generic password you entered in the spreadsheet. 7\. Click **Upload** to initiate the creation of the user accounts. - If your file has formatting errors, a warning prompts that you may need to re-edit the file. Review the list of common errors. - If successful, a status bar prompts how many users will be uploaded and a full report will be sent when complete. 8\. Go to your email inbox associated with your Admin account and search for the email report of the bulk upload. In the Admin console, review the list of users and explore the user settings. (This can take a couple of minutes to appear.) Congratulations! You uploaded multiple users at once! If you're uploading more than 500 user accounts, you can optimize the experience by splitting your uploads into smaller batches. **Note:** *It can take up to 24 hours for new user accounts to appear in the searchable domain directory.* # Sync Users to Domain with GCDS ## Introduction to the Reading If your organization has a large, pre-established directory, Google Cloud Directory Sync (GCDS) is a secure tool that we provide that can help you sync your users into your Cloud Identity domain. GCDS allows you to synchronize your user data in your Cloud Identity domain with your Microsoft® Active Directory® or LDAP server. GCDS will ensure that your Google users, groups, and shared contacts are synchronized to match the information in your LDAP server. The data will never be modified nor compromised. **Important Note:** *Because we’re unable to provide a practice instance and ensure that everyone is able to practice using GCDS during this training, and it also requires advanced and more complex setup, use the information below to learn more about GCDS. If your organization would like more information about setting up your Cloud Identity instance using GCDS, please reach out to our support channels!* ### **Read through the following** **Step 1:** Get acquainted with the GCDS [This help center article](https://support.google.com/cloudidentity/answer/106368?hl=en&ref_topic=7558747) will help you understand: a) how GCDS works; and b) the key benefits of GCDS. After reading through this article, your organization should be able to gauge the necessity of using GCDS. **Step 2**: [Walk through how to install and prepare to use GCDS](https://support.google.com/cloudidentity/answer/6120989) The steps outlined in this series of articles will explain to you how to download GCDS, and also, they will explain how to prepare your current system to use the toolset. Remember, you must first ensure that your system meets the [system requirements](https://support.google.com/cloudidentity/answer/6123896). As you read through these help center steps, ensure that you are looking through each of the points that apply to your current system. **Step 3:** [Configure your system to use GCDS](https://support.google.com/cloudidentity/answer/6126578) As you configure your systems, remember that GCDS will sync all of the user data and settings that you configure. It’s important that these steps are carefully executed, and this is a more advanced and intensive process. [This article](https://support.google.com/cloudidentity/answer/6120130?hl=en&ref_topic=7558747) will outline all of the data that is able to be synced using GCDS. Take notice of the data that is not able to be synced. Also, take advantage of the other articles that are linked here to learn more. ### **Other FAQs for GCDS** [This article](https://support.google.com/cloudidentity/answer/7177266?hl=en&ref_topic=7558747) answers many of the most popular questions that come up when considering the use of GCDS. **Remember:** For this training, we will not be practicing using this tool. This is simply a guided reading to serve out our knowledge base articles that exist to help you if your organization needs to do a large migration of users into your Cloud Identity domain. We will provide a larger set of advanced resources at the end of this training to point you in the direction of these more advanced toolsets and use cases. # Admin Roles and Privileges ## Introduction to Exercise In this exercise, you'll grant the super administrator role to Alexa Bell, the IT Manager. The super administrator role is an example of a pre-built administrator role that's standard in the Admin console and where you can create custom roles to suit your needs. **NOTE:** *To grant the super administrator role and privileges to a user* *You can assign an administrator role to a user on the Users account information page, or on the Admin roles page where you define the administrator roles. On the Admin roles page, you can assign a role to multiple users at the same time. Because we're adding a role to just one user, we'll use the Users method.* ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password** 2\. Click the **Users icon** 3\. Locate **Alexa Bell** and click to enter her **user page** 4\. Scroll down and select the **Admin roles and privileges option**. (You may need to click **Show more at the bottom of the profile**.) - The user currently has no Admin roles assigned 5\. In the **Manage roles list**, select the predefined **Super Admin role** and click **Save** - In the Admin roles and privileges section, you should now see the super administrator role for all organizations. - Now you can investigate the specific privileges you have granted to the user. 6\. Go to to the main **Admin console dashboard** and click the **Admin Roles icon**. - If you don't see this icon on your dashboard, click the **More controls pull-down option** (at the bottom of the page), and then click the Admin Roles icon. 7\. Click the **Super Admin link** to view the current users with Super Admin role. - At this point, this should only be your initial administrator account, plus Alexa Bell's account. You can always see this list by going to Admin Roles control. 8\. In the **Super Admin list of users**, select the **Privileges tab** and review the assigned privileges. - Because this is a pre-defined role, note how the Super Admin has all possible privileges selected and how these privileges aren't customizable. - Now that you've granted the super administrator role to Alexa, she can sign in to the Admin console with full administrator privileges. ### **Further Notes:** - *When Alexa signs in to the Admin console, she'll see the default dashboard. Any previous customizations you made as your own administrator account aren't visible. Your customizations only apply to your administrator account.* - *Creating more than three super administrators for your domain can affect some* [*administrator account recovery options*](https://support.google.com/cloudidentity/answer/3033063)*. At least one user in a domain must be a super administrator, and only a super administrator can assign administrator roles to other users.* - *In some cases you may want to create custom user roles. For example, you want your help desk person to do only password resets. This is not necessarily in-scope for this particular training, but if you’re interested in learning more* [*check out this article*](https://support.google.com/cloudidentity/answer/2406043?hl=en&ref_topic=7558754)*.* # Custom Admin Privileges ## Introduction to Exercise In this lesson, you will practice creating custom roles that have a custom set of privileges. ### **Exercise Scenario** A little later you receive a request from the Project Manager, Lars Ericsson. *Hello Admin,* *I would like to understand more about how our users are interacting with our cloud-based applications. That way I can create a customized training plan for the company. Is there any way I can run reports that track apps usage and user behaviors?* *Regards, Lars Ericsson* You decide that, rather than giving him a pre-built role with extra privileges he doesn't need, it's best to create a custom role. That way you can delegate the ability to run reports, but not give Lars any other administrator privileges. **Note:** *You can assign more than one administrator role to a user. Creating multiple roles with fewer privileges is, therefore, more versatile than one role with many privileges. If a user handles multiple tasks, just assign multiple roles.* ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using your **administrator account name and password**. 2\. Click the **Admin Roles icon**. - If you don't see this icon on your dashboard, click the More controls pull-down option (at the bottom of the page), and then click the Admin Roles icon. 3\. Click **Create a new role**. 4\. In the Create New Role dialog box, enter the **Reporting Role name**, give a **description for the role**, and click **Create**. 5\. In the **Privileges tab**, you can select the privileges you want users to have with this role. - Assigning a custom role to a user grants them access to the Admin console. The privileges determine which dashboard controls are in their console, what information the user can access, and which management tasks they can perform. Learn more about [administrator privilege definitions](https://support.google.com/cloudidentity/answer/1219251). - Investigate here exactly what Lars has access to once he's given Reports privileges in this role. 6\. Because you want this custom role to just assign privileges for reporting only, check the **Reports box**, and click **Save**. - You should now see **Reporting Role** in the **User Created Roles list**. 7\. Creating the role is the first step in this process, but for Lars to be assigned the privileges, we must also [assign the administrator role to his user account](https://support.google.com/cloudidentity/answer/172176). - In the **Users section**, go to Lars' user account page, scroll to the bottom of the page, and click **Show more > Admin roles and privileges**. - Choose the **Reporting Role role** from the list and click **Save**. The Admin roles page lists the user's current privileges, and you should now see the new role assigned to Lars. - Scroll down to **Privileges** in order to view combined privileges granted by all the user's roles. Congratulations! You've now built and assigned a custom administrator role to one of your users, which allows you to better delegate administrator tasks in your domain. # Resetting a User's Password ## Introduction to Exercise Now that users are signing in and using the tools, you're likely to come across a scenario where a user needs a password reset: - A user forgets their password - A user's account is compromised (security concerns) ### **Exercise Scenario** Jennifer Lee (from Finance) has just come back from holidays, she calls to ask you to reset her password, because she's forgotten it and is now locked out of her account. ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Click the **Users** icon. 3\. Access the **reset password function** by one of two ways: - In the **user list**, click **Jennifer Lee**. When her page has loaded, click the **Reset password icon**. - In the user list, **hover over Jennifer Lee** and view the available options that display. **Click Reset password**. 4\. In the **Reset password for jennifer.lee** dialog box: - Fill in a temporary password or click Auto-generate password to let Google create one for you. - Check the **Ask for a password change at the next sign-in** in the next sign in box. - Click **Reset > Done**. 5\. Provide the user with **new sign-in information**. If you have auto-generated the password, there'll be a show password option. The next time the user signs in, they'll be prompted to supply the current password and enter a new password. When they enter the password, the Password strength field evaluates the security level of the password. They can click the link if they want tips for creating strong passwords. Google requires a password that's at least eight characters. As the administrator, inform Jennifer Lee that her password is now reset and she can now sign in to change it. You can also give her [some tips on creating a secure password](https://accounts.google.com/PasswordHelp) in line with your company's security policy. # Rename a User ## Exercise Introduction When you are using Cloud Identity as your primary identity provider (IdP), you may make mistakes when entering user data into the console. If for some reason you need to change a user's name in the Google Admin Console, this exercise will walk you through how to rename a user. ### **More Information** See this [help center article](https://support.google.com/cloudidentity/answer/182084?hl=en&ref_topic=7558749) to learn more about renaming users. ### **Exercise Scenario** You receive this mail from the CEO: *Hello Patrick,* *Thanks for creating my Google account. However I have to ask for a minor change. My username is samantha.morse@\[yourdomain.com\] but really most people know me as just “Sam”. Is there anyway to just have my name as Sam Morse?* *Regards, Samantha Morse, CEO* ### **Exercise Directions** 1.[ Sign into your Cloud Identity Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using your **administrator account name and password.** 3\. Click the **Users icon**. 4\. Search or browse to find the user. If you created an organizational structure, select the organization to which the user belongs. - In our case, Samantha is in the top-level organization. 5\. In the user list, find Samantha, click the **pencil icon**. 6\. In the **Rename user dialog box**, read the warning message and enter the following: - First name: Sam - Last name: Morse Note: The First and Last name settings represent the Display Name. 7\. Click **Rename user**. If successful, you should see a banner stating that the changes have been saved. It can take up to 10 minutes for a new primary email address to be reflected throughout the system, 24 hours for domain and personal contact changes to take effect, and up to 3 days before the user can use chat. # Suspend a User ## Introduction to Exercise As a Cloud Identity administrator, you can temporarily block a user's access to your organization's cloud services by suspending the user's account. This disables the account without deleting the user's profile and related information, such as documents, calendar events, and email. If the user has shared any documents, sites, or secondary calendars, these shared assets are still accessible to collaborators. A suspended user can't sign in to the account, and new information, such as emails and calendar invitations, are blocked. **Note:** *A suspended user still requires a user license; therefore, a fee still applies.* ### **More Information** - [Suspend a User Help Center Article](https://support.google.com/a/answer/33312?hl=en) ### **Exercise Scenario** After setting up your initial directory in Cloud Identity, you receive an email from Lars Ericsson: *Hey Cloud Identity Admin,* *I had a contractor working with me last week for a project, his name is Jon Baird. He has an account to sign in to our system but for the next few weeks he'll be working somewhere else. Is there a way to prevent him from signing in without losing all the work he's done already? He'll be back to work with us soon.* *Regards,* *Lars Ericsson* ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Click the **Users icon**. 3\. To suspend Jon Baird, find **his name** on the user list, click the three-dot elipsis, and choose Suspend user in the drop-down menu. 4\. Click **Suspend**. On Jon Baird's user account page, an exclamation point indicates Jon's suspended status. 5\. Return to the **main user list**. In the **Filters list** at the side (if you don't see this list, click the Filters button), choose **Suspended users** in the **User Type drop-down list**. The list now should contain user Jon Baird and any other currently suspended users. ### **Exercise Scenario Continued** A few weeks later, you receive another email from Lars Ericsson: *Hey Patrick,* *I have a contractor, Jon Baird, who will be working with us again next week. He had an account before but is locked out at my request. Can you please re-enable him?* *Regards, Lars Ericsson* As a Cloud Identity administrator, you can restore a user you (or another administrator) suspended. Exercise Directions Continued 1\. In the **user list**, filter for **suspended users**. Locate Jon Baird in the suspended users list and **click his name** to enter his account page. 2\. To restore Jon’s suspended account, click the exclamation point and select **Reactivate**. After Jon's user account is restored, his name should no longer be in the Suspended users list—he should now be back in Active users. Restored users can sign in and regain full access to their services. ### **Further Notes** - Administrators manually suspending users is just one way that a Google account can be suspended or disabled. If the user is manually suspended by an administrator, it's possible for an administrator to restore their account immediately. - You can't restore an account that was suspended for abuse or for breaching the [Google Terms of Service](http://www.google.com/apps/intl/en/terms/user_terms.html). - You can't re-enable any user with an abusive account status. Administrators can contact Google Support for more information. These users won't be able to sign in to their Google Account. - To see why a user was suspended, click the red exclamation point on their account page and view the error message. See [Restore a suspended user](https://support.google.com/cloudidentity/answer/1110339?hl=en&ref_topic=7559006) for your corresponding recovery options. # Delete a User ## Introduction to Exercise If a user leaves your organization, you might want to delete their Google account. Data is purged within a matter of days. It's important to understand the different implications of suspending and deleting users, build a process for users leaving the company, and create a deletion policy that best suits your business needs. However, be aware that there are [many other considerations](https://support.google.com/cloudidentity/answer/33314?hl=en&ref_topic=7559006) that should be handled before deleting an account; there may be many other types of data that could be lost without following proper steps. ### **Exercise Scenario** After some time working in your Cloud Identity domain, you get another email from Lars Ericsson: *Hey Admin,* *That contractor I had working with me, Jon Baird, has finished up his project. Can you please delete his account from the system as he won't be working here anymore?* *Regards,* *Lars Ericsson* ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Click the **Users icon**. 3\. To delete Jon Baird, find his name on the user list, **click the check box to the right of his name,** **click the three-dot ellipsis in the right hand corner**, and **choose Delete** user in the drop-down menu. **Note:** *Because the user is suspended first, if you restore a deleted user, the Admin console restores the user as a suspended user*. 4\. Return to the **user list** and confirm that Jon Baird is no longer listed. Search for the user in the **user search bar**. You should see the result: **There are no results to display.** # Restore a Recently Deleted User ## Introduction to Exercise You can [restore a recently deleted user account](https://support.google.com/cloudidentity/answer/1397578?hl=en&ref_topic=7559006) for up to 20 days. After this period, the Admin console permanently deletes the user account and it can't be recovered, even if you contact Google technical support. In most cases, restoring a deleted user account also restores the user's associated data, however, Google doesn't guarantee full data recovery for a deleted user. Important: - You must have super administrator privileges to restore a recently deleted user. - You can't restore a recently deleted user if the deleted username matches an existing group name, another active username, or another user's [email alias](https://support.google.com/a/answer/33327). If it does, you'll see a username already exists error message. - You can't exceed your maximum number of user licenses. If you try to restore a deleted user when you don't have an available license, you'll see a domain is over user limit error message. ### **Exercise Scenario** The next day you get a high priority email from Lars Ericsson: *Hello Cloud Identity Admin,* *I'm afraid I was a little premature in getting you to delete our HR contractor Jon Baird. We've decided to extend his contract and hire him as a full-time employee.* *Is there any way you can restore his user account?* *Regards, Lars Ericsson* ### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password**. 2\. Click the **Users icon**. 3\. In the **Filters list** (click the **Filters button** if you don't see this list), choose **Recently deleted** users in the User Type drop-down list. **Note:** *If you have multiple organizations in your domain, stay at the top-level organization—deleted users lose their organization details and are moved to the top-level organization.* 4\. Locate **Jon Baird** in the list and check the box next to his name. If a deleted user's name isn't in this list, the account has been fully deleted and can no longer be restored. 5\. Click **Recover** user to restore Jon's user account and choose the organization to place him. **Note:** *You can restore only one user at a time*. - If the account restore is successful, you may see a banner message similar to “User account restore has been initiated, please wait for 2 hours for complete restore of the account.” - It may take some time for the user to be visible again in the user list. - If a user was suspended at the time the account was deleted, such as when you transfer ownership of a user's files, the user will still be suspended after the account is restored. 6\. In the **Filters list**, choose **Suspended users** in the User Type drop-down list. 7\. Restore the suspension and put Jon Baird back in the Active users list: - In the Suspended users list, **find and click Jon's username**. - On Jon's user account page, click the exclamation point and select **Reactivate**. Jon should now be back on the Active users list. # Create an Organization Unit ## Introduction to Exercise As a Cloud Identity administrator, you may want to create an organizational structure within your domain. There are several reasons why you would do this: - To control which applications and services are available to users - To configure the available services differently for different sets of users - To configure different Chrome OS device settings for different sets of devices Learn more about how [user and device policies](https://support.google.com/cloudidentity/answer/182433?hl=en&ref_topic=7558424) and [organizational structures](https://support.google.com/cloudidentity/answer/4352075?hl=en&ref_topic=7558424) work. ### **Exercise Scenario** You receive a new email from the IT Manager, Alexa Bell, requesting to restructure your domain. *Hey Admin,* *As you know we now have two people working in Support, their names are Will and Tom (see below for details). I want to set up a helpdesk to offer technical support to our employees and customers.* *Is there any way you can set these guys up with some different settings than the rest of the employees? For example they will need access to some different services like chat, that I want blocked for everyone else.* *Thanks, Alexa Bell*

Employee	Position
Will Marconi	Support
Tom Edison	Support

### **Exercise Directions** 1\. [Sign into your Google Admin console](https://support.google.com/cloudidentity/answer/182076?hl=en&ref_topic=7557903) as the administrator user using **your administrator account name and password.** 2\. Click the **Users icon**. 3\. In the toolbar, click the **Filters icon** to see your organizations (also called orgs or organizational units). 4\. Hover over the **top-level parent org**, most likely called yourdomain.com, to add a new sub organization, and **click the elipses that appears to the right**. 5\. Click **Add sub organization**. 6\. In the **Create new organization dialog box**, fill in the details of the new Support organization and **click Create Organization**. 7\. Return to the parent organization users page, and from the list, select your two Support users: Will Marconi and Tom Edison. 8\. In the toolbar on the top right, click the **Move to another organization** icon and choose your new Support org. 9\. When the confirmation prompts, click **OK**. You should now see your two users moved to your designated Support org. - Users can move from one org to another. - A user can only be in one organizational unit at a time unlike, for example, groups where a single user can be in multiple groups at once. # Create an Admin-Managed Group ## Introduction to Groups This lesson will take you through the different types of groups available in G Suite, and you'll work through how to create groups for your organization. Google Groups make it easy for your users to communicate with people they contact often. As the administrator, you can create and manage groups in the Google Admin console. ### Help Center Articles Review the following Help Center Articles in order to learn more about Groups - [Which groups best suit your service?](https://support.google.com/cloudidentity/answer/33329?hl=en&ref_topic=7558942) - [Groups administrator FAQ](https://support.google.com/cloudidentity/answer/167085?hl=en&ref_topic=7558942) - [Create a group](https://support.google.com/cloudidentity/answer/33343?hl=en&ref_topic=7558943) - [Add users to groups](https://support.google.com/cloudidentity/answer/6191469?hl=en&ref_topic=7558943) - [Add all users to a group](https://support.google.com/cloudidentity/answer/66338?hl=en&ref_topic=7558943) ## Introduction to Exercise Read through the scenario and directions below in order to practice creating admin-managed groups. ### **Exercise Scenario** The company wants to create the following groups that can be managed only by the system administrators as follows: - OurCompany: An internal group of everyone in the company - Management: A private or restricted group of all executives and managers ### **Exercise Directions:** 1\. Sign into your Google Admin console as the administrator user using the **your administrator account name** and **password**. 2\. From the dashboard, click **Groups** 3\. Click the **plus button** at the bottom of the groups page. 4\. Enter the following details in the Create new group box: - A **name** for the group: for this exercise, you’ll create 2 groups one named “OurCompany” the other “Management.” - An **email address** for your new group. Ensure that you choose the appropriate domain from the list. - **\[Optional\]** Add a **description** for your group. - Choose an **Access Level** from the drop down list. See more about these options [here](https://support.google.com/a/answer/170452). For this first group, choose **Team**. This will allow anyone within your domain that has an associated Google Account you're managing from the Admin console to post messages and view the members list. - For the first group, **OurCompany**, check the box that **adds all users in the organization** to your new group 5\. Click **Create**. You’ll be taken to the group’s page in the Admin console. 6\. For the following group, **Management**, repeat the steps above, but do not add all users from the organization to this group. - For this group, choose the **access level** restricted, which will only allow members of the group to post messages and view the member's list. - Do **not** choose the option to add all users within your domain. - Press **create.** 7\. Once on the **Management** groups page, click **Manage users in Management**. 8\. In the **"Add new members"** box, add the following users by typing their full Google accounts, including the domain, into the box. Ensure that you are adding them as "members." - Samantha Morse - CEO - samantha.morse@\[your domain\] - Ellie Gray - Lead Developer - ellie.gray@\[your domain\] - Lars Ericsson - HR Manager - lars.ericsson@\[your domain\] **NOTE:** *After you’ve create a group in the Admin console you can edit it to add or remove members, change a member’s group role, change a group’s name or description, and more.*