# Chapter 1: Introduction to GWS
First, sign up for a 14-day trial to study with. Several editions are available for trial, such as:
* Individual
* Business
* Business Starter
* Business Standard
* Business Plus
* Enterprise
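Reference: [[https://support.google.com/a/answer/6043576?sjid=17394347976087183016-AP]]
1. Because the Enterprise edition requires contacting Google sales, I only applied for Business Plus, the edition with the next-highest feature set.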
{{:resources:courses:pasted:20250119-094613.png}}
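2. Enter the basic information, choose the 14-day trial, then enter a credit card; after verifying the phone by entering the verification code, you can start using it.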
{{:resources:courses:pasted:20250119-095241.png}}
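3. Next is domain ownership verification: in the Xserver management panel, add DNS records (one TXT, one CNAME).
In less than a minute, verification showed as passed.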
{{:resources:courses:pasted:20250119-095630.png}}
4. To switch from Xserver's Webmail to Gmail, the MX record needs to be replaced.
The original MX record's value is trident365.com, not SMTP.GOOGLE.COM
{{:resources:courses:pasted:20250119-100327.png}}
## Exercise 1: Create OUs and add users
{{:resources:courses:pasted:20250119-095932.png}}
First create 3 OUs:
* Executive
* Employees
* Contractors
The path is Admin Console>Directory>Organizational units
Then click Create organizational Unit
For convenience, set the interface language to English.
{{:resources:courses:pasted:20250119-102351.png}}
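Next, bulk-add users: download the blank csv template and fill in the required information. Note that passwords must be at least 8 characters.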
{{:resources:courses:pasted:20250119-103808.png}}
It finished quickly.
{{:resources:courses:pasted:20250119-103835.png}}
## Exercise 2: Sign in to the Admin Console
Too simple; skipped.
## Exercise 3: Confirm DNS records
Admin>Domains>Manage Domains
If the domain was purchased from Google Domains, Advanced DNS Settings can be configured, but mine was not, so this is not needed.
Add an SPF record (TXT)
Reference: [[https://support.google.com/a/answer/33786#spf-add-record]]
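Once the SPF record is published, it is worth checking that it is the only SPF record on the domain and that it authorizes Google's servers. The following is an added example, not part of the course material: it audits TXT record strings offline, the sample records are constructed, and it assumes Google Workspace is the only sender, using the `include:_spf.google.com` value from Google's SPF help page.

```python
# Added example: offline audit of one domain's TXT records for SPF problems.
GOOGLE_INCLUDE = "include:_spf.google.com"  # authorizes Google Workspace senders
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup

def audit_spf(txt_records):
    """Return a list of findings for one domain's TXT records; an empty list means OK."""
    spf = [r.strip() for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records (receivers treat this as a permanent error)"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if GOOGLE_INCLUDE not in terms:
        findings.append("Google Workspace servers are not authorized: missing " + GOOGLE_INCLUDE)
    # SPF evaluation allows at most 10 terms that trigger DNS lookups.
    lookups = 0
    for term in terms:
        bare = term.lstrip("+-~?")
        name = bare.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or bare.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the SPF limit of 10" % lookups)
    # The final 'all' decides what happens to senders that matched nothing.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if not any(t.startswith("redirect=") for t in terms):
            findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] not in "~-":
        findings.append("'%s' does not reject or soft-fail unlisted senders" % all_terms[-1])
    return findings

# Constructed sample TXT record sets (not taken from any real domain).
SAMPLE_OK = ["google-site-verification=CONSTRUCTED-TOKEN",
             "v=spf1 include:_spf.google.com ~all"]
SAMPLE_WEAK = ["v=spf1 mx +all"]
SAMPLE_DUPLICATE = ["v=spf1 include:_spf.google.com ~all", "v=spf1 mx -all"]

if __name__ == "__main__":
    for name, records in [("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK),
                          ("duplicate", SAMPLE_DUPLICATE)]:
        print(name, audit_spf(records))
```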
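## Overview of GWS features
- Users: add and manage users
- Domains: verify domains, add domain aliases, etc.
- Billing: add payment methods (such as a credit card), view orders, manage subscriptions, distribute Licenses, etc.
- Groups: create groups and mailing lists
- Apps: manage GWS apps such as Gmail and Calendar
- Devices: protect devices managed by the organization
- Account: customize the organization's details, set communication preferences, and view compliance requirements such as GDPR and HIPAA
- Organizational Unit (OU): set up the organizational structure (such as teams and departments)
- Security: manage security settings, such as enforcing 2-step verification, monitoring, enforcing passwords, etc.
- Reports: view reports and audit logs; monitor user and admin activity
- Buildings and Resources: manage and monitor buildings, rooms and resources
- Rules: create rules and alerts
- Admin roles: add administrators and set privileges
- Data migration: data migration service, e.g. importing mail, calendars and contacts
- Support: support and help
## Exercise 4: View the company Profile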
Admin>Account>Account Settings>Profile
Then click Profile Settings, where some initial settings can be configured.
{{:resources:courses:pasted:20250119-134601.png}}
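For example, the Support Message is shown when users sign in to the User Dashboard, helping them get IT support.
The default language and region/time zone for users can also be set.
Then click Preferences,
which sets when new features and products become available:
- New features: choose Rapid release or Scheduled release (default)
- New products: the default is ON, meaning all users can use them at release; it can also be set to OFF, so nobody can use them at release.
- Communication preferences: sets whether to receive promotional emails from Google; everything is OFF by default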
{{:resources:courses:pasted:20250119-135200.png}}
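Under Personalization, set branding such as the company Logo; it has already been replaced with the website Logo.
Under Supplemental data storage, set the supplemental data storage location; there is only one option, Russia.
This can be set per OU or for the whole company.
A list of Google data centers is here: [[https://www.google.com/about/datacenters/locations/?hl=en]]
Japan has only one, in Inzai City (on the way toward Narita Airport, in Chiba).
Conflicting accounts management is used to manage conflicting accounts; this is similar to Microsoft's conflict between an organizational account and a personal account with the same name. You can choose transfer, replace, or merge.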
{{:resources:courses:pasted:20250119-140109.png}}
Legal and Compliance
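It provides links about GWS compliance, similar to the material reviewed during a SaaS assessment.
You can also set the organization's Privacy representative, Data Protection representative and compliance officer, as well as the status of adherence to the CDPA (Cloud data processing Addendum) and GDPR.
Custom URLs replaces the addresses of the GWS services with short addresses under the company domain.
## Quiz 1: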
What type of DNS record allows receiving mail servers to verify that the sending servers are authorized to send mail on your domain’s behalf?
- Mail Exchanger (MX) record.
- CNAME (Alias) record.
- Google Site Verification record.
- **Sender Policy Framework (SPF) record.**
What must you do before you can start to use Google Workspace services?
- **Verify that you own the domain that you want to associate with Google Workspace.**
- Configure MX records to point to Google.
- All these.
- Provide Google with proof of identity.
Typically how long after new features are released to the Rapid release track will they be released on the Scheduled release track?
- At least 2 weeks
- **At least 1 week**
- At least 1 month
- At least 3 months
## Provisioning
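There are 4 ways to add users (every user needs a License)
- Add manually
- Add in bulk (csv file)
- Through the Admin SDK Directory API
- Through a provisioning tool such as Google Cloud Directory Sync
## Exercise 1
Add a user individually. Because the trial only allows 10 users and users were already added in bulk earlier, only the key points are recorded this time.
Passwords must be between 8 and 100 characters, and the user is required to change the password at first sign-in.
## Exercise 2
Bulk-add users; this was already practiced earlier, so it is skipped. When creating users from a csv file, one upload handles 200 users.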
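A pre-upload check catches the rows the Admin console would reject and keeps weak or duplicate entries out of the directory. The following is an added example, not part of the course material: it applies the rules noted above (8 to 100 character passwords, 200 users per upload) to a constructed CSV. The column names are an assumption modelled on Google's bulk-upload template and should be compared with the downloaded file; `example.com` and the sample rows are made up.

```python
import csv
import io

# Column names modelled on Google's bulk-upload template (assumption: verify against your download).
FIRST, LAST, EMAIL, PASSWORD, OU = (
    "First Name [Required]", "Last Name [Required]", "Email Address [Required]",
    "Password [Required]", "Org Unit Path [Required]")
REQUIRED = (FIRST, LAST, EMAIL, PASSWORD, OU)

def validate_users_csv(text, domain, max_rows=200):
    """Return a list of problems found in a bulk-user CSV before it is uploaded."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        return ["missing column: " + h for h in missing]
    rows = list(reader)
    errors = []
    if len(rows) > max_rows:
        errors.append("%d rows: split the file into uploads of at most %d" % (len(rows), max_rows))
    seen = set()
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        values = {h: (row[h] or "").strip() for h in REQUIRED}
        for h in REQUIRED:
            if not values[h]:
                errors.append("line %d: empty %s" % (line_no, h))
        pw = values[PASSWORD]
        if pw and not 8 <= len(pw) <= 100:
            errors.append("line %d: password length %d is outside 8-100" % (line_no, len(pw)))
        email = values[EMAIL].lower()
        if email and not email.endswith("@" + domain):
            errors.append("line %d: %s is outside %s" % (line_no, email, domain))
        if email in seen:
            errors.append("line %d: duplicate address %s" % (line_no, email))
        elif email:
            seen.add(email)
        if values[OU] and not values[OU].startswith("/"):
            errors.append("line %d: OU path must start with '/'" % line_no)
    return errors

# Constructed sample: names, addresses and passwords are made up for this example.
SAMPLE = """First Name [Required],Last Name [Required],Email Address [Required],Password [Required],Org Unit Path [Required]
Sam,Morse,sam@example.com,correct-horse-battery,/Executive
Will,Marsh,will@example.com,short,/Employees
Lars,,lars@example.com,another-long-passphrase,Contractors
Sam,Morse,sam@example.com,correct-horse-battery,/Executive
"""

if __name__ == "__main__":
    print("\n".join(validate_users_csv(SAMPLE, "example.com")))
```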
## Admin SDK and LDAP API
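Google users and permissions can be synchronized with a local LDAP directory (such as Microsoft AD), and this synchronization is one-way.
For repetitive work, the Admin SDK and APIs can be used for automation.
## Quiz 2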
Which of the following are required when adding multiple users via a CSV file? (Choose 2)
- Home Address
- Job Title
- Middle Name
- **Password**
- **Last Name**
Your company just acquired a 100-employee startup and you quickly need to add the new employees to your domain. Using the Admin console, which is the most efficient way to add new users all at once?
- **Add all the new users at once from a .csv file.**
- Use GCDS to provision your new users.
- Add the new users manually
- Have them create their own accounts with the “Invite users” option.
How does GCDS sync directory information?
- It provides a two-way sync that relies on object modified dates to determine which directory wins.
- GCDS is used for provisioning only.
- It updates the local LDAP directory with Google Workspace information.
- **It updates Google Workspace with information from the local LDAP directory.**
When adding users individually, how are passwords established?
- None of these.
- **The admin can enter a password manually or allow the console to generate a temporary password for the new user.**
- Admins need to upload a default password to Google Workspace before adding any users.
- Google Workspace requires the admin to manually add passwords for every single user that is added to the domain.
What is the minimal amount of characters required of Google Workspace passwords?
- 10 characters
- 12 characters
- 6 characters
- **8 characters**
## Exercise 1: Create Groups
Requirement: only the CEO may send announcements to the whole company
Admin>Groups>Create Group>
{{:resources:courses:pasted:20250119-212133.png}}
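Set **Access Type** to Announcement only (other send-only, no-reply Groups can use this choice too)
{{:resources:courses:pasted:20250119-212353.png}}
Keep the Access settings at their defaults; only Group Owners and Managers can post messages.
{{:resources:courses:pasted:20250119-212453.png}}
Add all users to the Group
{{:resources:courses:pasted:20250119-212606.png}}
After a short wait, all users are shown (users added in the future will also join automatically)
{{:resources:courses:pasted:20250119-212833.png}}
Then manually add Sam, change his Role to Manager, and click SAVE.
{{:resources:courses:pasted:20250119-213100.png}}
Continue by creating another Group
{{:resources:courses:pasted:20250119-213308.png}}
This time there is one Owner, Sam, and the Security group label is checked. Keep the Access settings at their defaults and add the group members
Sam, Alex, Lars
Then demote Sam's role from Owner to Manager
Sign out of the current account and sign in to Gmail with Sam's account
Send one email each to the everyone group address and the management group address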
{{:resources:courses:pasted:20250119-214049.png}}
{{:resources:courses:pasted:20250119-214114.png}}
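Then open the Groups service from the 9-dot menu, view My groups, and click each group to see the emails just sent.
{{:resources:courses:pasted:20250119-214244.png}}
Then sign out again, switch to Will's account, and check the inbox.
{{:resources:courses:pasted:20250119-214432.png}}
Likewise, send an email to each of the 2 group addresses; because Will has no permission (Sam has Manager permission), he will only receive error notifications.
However, only the error notification for the email sent to the everyone group arrived; **the one sent to management has had no reply yet.**
Then switch to Lars's account and check the mail. Because Lars is a member of the Management group, he receives the 2 emails Sam sent, and he also received the one Will sent: the group permission Who can post includes the entire organization, so Will can send mail to that group even though he is not a member.
{{:resources:courses:pasted:20250119-220144.png}}
At the same time, sending email to the 2 groups again returns a non-delivery notification for the Everyone group, because only the CEO has permission.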
{{:resources:courses:pasted:20250119-215340.png}}
{{:resources:courses:pasted:20250119-215641.png}}
## Quiz 3
Which method can NOT be used to create a Google Group?
- Using the Groups for Business service at groups.google.com.
- From the admin console.
- Using GCDS.
- **Using Gmail.**
You have created an Announcement group and you want to ensure that all users in your organization receive emails sent to the group. How would you do this?
- Once you have created the group, use GCDS to update membership.
- **Check the 'Add all current and future users of**
- Add all members to the group individually. As new people join the organization you must manually add these.
- Once you have created the group, use the Admin SDK to update membership.
## Quiz 4
Which of the following statements are true? (Choose 2)
- Features (such as video, audio equipment) are associated with a Building.
- **Features (such as video, audio equipment) are associated with a Resource.**
- Resources are normally associated with a building so it is recommended that buildings are defined first and you choose the building when adding the resource.
- **Resources belong to a building so you cannot add a resource without a building definition.**
Once you have created your resources, how do you manage the resource calendar settings?
- From the Calendar service settings in the admin console.
- From the Buildings and Resources area in the admin console.
- From the admin console or Google Calendar.
- **From Google Calendar.**
What can be defined when creating a Resource? (Choose 2)
- **Capacity.**
- Email address.
- Physical address.
- **Name.**
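## Exercise 1
{{:resources:courses:pasted:20250120-205435.png}}
Add an email alias for the user Samantha Morse, whom colleagues usually call Sam. Multiple email aliases can be added.
{{:resources:courses:pasted:20250120-205527.png}}
If an alias is added for the company domain, every user automatically gains an email alias on the new domain.
## Exercise 2
Reset a user's password. A user back from a long leave has forgotten their password, the account is locked, and a reset is needed.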
{{:resources:courses:pasted:20250120-210408.png}}
Choose one of the two options, then copy the new password,
{{:resources:courses:pasted:20250120-210440.png}}
UK52hnhDnqYR6bU*
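1. If users know their password, they can reset it themselves
2. If the administrator has set up Self-Service password reset, users can reset the password even if they have forgotten it; however, with SSO sign-in, for example using Hennge One, users cannot reset the PW themselves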
{{:resources:courses:pasted:20250120-210931.png}}
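## Exercise 3
Rename a user
That is, change the name in the PrimaryEmail
Changing the primary email address takes 10 minutes to take effect, while the domain and contacts take 24 hours; using the new address for Chat requires waiting 3 days
## Exercise 4
Suspend an account; meeting invitations and email can no longer be sent to that user either. For example, for someone on leave?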
{{:resources:courses:pasted:20250120-212250.png}}
To view only suspended users, use the Filter.
{{:resources:courses:pasted:20250120-212433.png}}
Lifting the suspension works as follows:
{{:resources:courses:pasted:20250120-212519.png}}
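If a user exceeds the Gmail sending limits, Google automatically restricts their Gmail use, but they can still use other services.
If a user violates Google's Terms of Service, for example through abuse, the administrator cannot lift the suspension either and must contact technical support.
## Exercise 5
Delete a user. Note that the user's data needs to be migrated.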
{{:resources:courses:pasted:20250120-213049.png}}
The specific options are as follows:
{{:resources:courses:pasted:20250120-213226.png}}
Deleted users have a 20-day recovery period.
## Exercise 6
Undo a deletion.
Add a User Filter, choose [Recently delete], then select Jon
{{:resources:courses:pasted:20250120-213430.png}}
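Choose Recover, then select the top-level organization.
If a user was deleted while suspended, the user is still suspended after the deletion is undone and needs Reactivate before normal use.
## Quiz 5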
How are site-based licenses assigned to users?
- Site-based licenses can be manually or automatically assigned by the administrator.
- **Site-based licenses are automatically assigned to all users in the organization.**
- They are manually assigned by the administrator.
When you delete a user, which of the following can be transferred to a new owner?
- **Calendar.**
- Contacts
- **Email Address**
- Items in Trash
- Sites
To allow a single user to receive email in their Gmail inbox addressed to multiple addresses you would add?
- A new account pointing to the existing user's inbox.
- **An email alias.**
- A domain alias.
- Any of the other options.
What is the behavior for a suspended user? (Choose 2)
- **A suspended user cannot login to their account.**
- The user can log in and view their account but not add any new content (emails, docs, calendar events, etc..)
- **Email and new calendar invites are blocked on a suspended user's account.**
- A suspended user cannot log in to Google Workspace but they do continue to receive email and calendar invites.
Under what conditions can a forgotten password be recovered by a user?
- Only if the organization is using SSO.
- **Only if the administrator has enabled non-admin password recovery.**
- By default every user can recover their password from the Google Workspace sign in page.
- Never. Only administrators can recover a forgotten password.
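## Exercise 1
Create a new OU, then move the corresponding users into it. This was already done during the initial bulk user import, so there is no need to practice it again.
A department change that accompanies a job transfer takes 24 hours to take effect.
## Exercise 2
Restrict access to GWS services
Google Translate is required to be available only to executives, so first turn it OFF for everyone, then turn it ON for the executives.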
{{:resources:courses:pasted:20250120-215541.png}}
{{:resources:courses:pasted:20250120-215701.png}}
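The "OFF for everyone, ON for one OU" pattern works because a child OU uses its parent's setting until it gets an explicit override. The following is an added example, not part of the course material: it resolves the effective state per user and lists overrides that grant the service outside the intended OU. The OU names follow the exercises above; the users and the `/Contractors/Temp` sub-OU are constructed.

```python
def effective_setting(ou_path, overrides):
    """Return (state, source_ou): the nearest explicit setting walking from ou_path up to '/'."""
    path = ou_path.rstrip("/") or "/"
    while path not in overrides:
        if path == "/":
            raise KeyError("no setting defined at the root OU")
        path = path.rsplit("/", 1)[0] or "/"  # step up to the parent OU
    return overrides[path], path

def users_with_service(users, overrides):
    """Users whose OU resolves to ON."""
    return sorted(u for u, ou in users.items() if effective_setting(ou, overrides)[0])

def unexpected_on(overrides, allowed_ous):
    """OUs with an explicit ON override that are not an allowed OU or beneath one."""
    def under(ou, root):
        return ou == root or ou.startswith(root.rstrip("/") + "/")
    return sorted(ou for ou, on in overrides.items()
                  if on and not any(under(ou, a) for a in allowed_ous))

# Constructed sample: Google Translate OFF at the root, ON for /Executive only.
TRANSLATE = {"/": False, "/Executive": True}
USERS = {"sam": "/Executive", "will": "/Employees",
         "mark": "/Contractors", "temp1": "/Contractors/Temp"}
# The same settings after someone later switched the service ON for a sub-OU.
DRIFTED = dict(TRANSLATE, **{"/Contractors/Temp": True})

if __name__ == "__main__":
    print(users_with_service(USERS, TRANSLATE))
    print(effective_setting("/Contractors/Temp", TRANSLATE))
    print(unexpected_on(DRIFTED, ["/Executive"]))
```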
## Quiz 6
Which of these statements are true about Google Workspace OUs? (Choose 2)
- A user may belong to multiple OUs.
- **A Google Workspace account may contain multiple OUs.**
- **A user may belong to one OU only.**
- OUs are comprised of groups.
You want to enable Blogger for your full-time employees but restrict access to your contractors. Which method could be used to do this?
- Create a Google group, add the contractors to the group, and turn off Blogger for the group.
- Disable the Blogger service in the user profile for each contractor.
- **Move the contractors into an OU and turn off Blogger for that OU.**
- Restrict access to Blogger in the Blogger profile for each contractor.
How do settings inherit across OUs?
- All settings for all OUs, no matter the hierarchy, start out the same.
- You must manually configure the settings for each new organizational unit you add to your account.
- **Each child OU inherits settings from its parent, which you can then customize.**
- All settings are the same for each level within the organizational hierarchy.
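## Exercise 1
{{:resources:courses:pasted:20250120-220618.png}}
Turn on contact sharing; it is enabled by default. In addition, sharing of basic Google account information has 2 options: one includes the organization's basic information, the other does not.
More detailed settings can be opened and reviewed.
{{:resources:courses:pasted:20250120-220828.png}}
If Directory is turned off, looking people up inside the company will not show a detailed Profile, which is quite inconvenient.
## Exercise 2
Update a user's Profile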
{{:resources:courses:pasted:20250120-221209.png}}
To let users update their own Profile, click Allow users to edit profile
{{:resources:courses:pasted:20250120-221334.png}}
The specific items are here
{{:resources:courses:pasted:20250120-221433.png}}
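## Exercise 3
In an environment with only one domain, the organization has a single Directory, the Global Address List; in a multi-domain environment, however, the scope of the Directory that users can view can be restricted.
Create the Contractors OU, add the user Mark, and create a Group named HR Project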
{{:resources:courses:pasted:20250120-221838.png}}
{{:resources:courses:pasted:20250120-222036.png}}
Add Mark to the Group, add Lars to the Group, and change Lars to Manager
{{:resources:courses:pasted:20250120-222449.png}}
{{:resources:courses:pasted:20250120-222548.png}}
In the visibility settings, add a new custom Directory, name it HR Project, select HR Project, and save
This way Mark can only see the information in his own Directory.
## Quiz 7
Where are custom directories defined for a user?
- **In the users OU.**
- In the user's domain settings.
- In a custom directory group in which the user is a member.
- On the user's profile page.
Users across your organization regularly email your suppliers and would like to have Google Workspace automatically auto-complete their email addresses in Gmail. What should you do?
- Create Google Workspace accounts in your organization for these contacts and configure a forwarding rule for each account.
- Place these external email addresses into a Google Group and ask your users to email the group.
- Ask your users to add this shared contact information to their personal contacts list.
- **Use the Domain Shared Contacts API to add these external users to your directory.**
What can you add to a user's profile that can be used by Google as a login challenge when they suspect that an unauthorized person is trying to access a user’s account.
- Job title.
- Work location.
- **Employee ID.**
- Birthday.
A user can change all the settings below from their About me page but which are editable by default? (Choose 2)
- **Work Location**
- Name
- Gender
- Photo
- **Birthday**
## Exercise 1
Create a new super admin; select the user Alex,
{{:resources:courses:pasted:20250120-223751.png}}
Choose Google's pre-built Super Admin
{{:resources:courses:pasted:20250120-223836.png}}
Then check the result
{{:resources:courses:pasted:20250120-223949.png}}
{{:resources:courses:pasted:20250120-224001.png}}
Next, look at Help Desk Admin
{{:resources:courses:pasted:20250120-224130.png}}
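It turns out to have only two privileges, Read and ResetPW.
If 3 or more super admins are set for the domain and one of them forgets their password, they cannot use automated recovery to recover the account, because automated recovery requires a recovery email or phone number and Google cannot determine which admin has that recovery email or phone number. But every admin has an iPhone, so it is not a big problem.
## Exercise 2
Create a custom Role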
{{:resources:courses:pasted:20250120-224639.png}}
Check only the Report function under Services
{{:resources:courses:pasted:20250120-224945.png}}
After it is created, assign the Role to Lars.
## Quiz 8
What’s the recommended way to create a custom administrator role for your domain?
- **Create a new role and choose the required privileges.**
- Duplicate an existing role and edit the privileges.
- Choose the custom administrator option when manually adding the user.
- Create a new role based on a role template.
You can assign more than one administrator role to a user.
- **True**
- False
Privileges in a pre-built administrator role can be customized.
- True
- **False**
When assigning an administrative role to a single user, where in the user's account page do you assign the role?
- **Admin roles and privileges**
- License
- Security
- Groups