G Suite Deployment Services Specialist Exam Answers

While using Google Cloud Directory Sync (GCDS) to provision groups, an administrator notices that GCDS creates the desired groups, but does not populate them with users. What is the most likely cause of this problem?

Choose an answer:

  • The administrator set the Groups search rule to (objectclass=group).

  • The administrator set the Groups search rule to (&(objectclass=group)(mail=*)).

  • The administrator left the Groups search rule blank.

  • The administrator entered an incorrect value for the User Email Address attribute.

A customer has set the Google session control expiration for 8 hours, but reports that users are not being prompted to re-authenticate as expected. What are the two possible causes of this issue?

Choose an answer:

  • Only Gmail and Drive are subject to session control and user’s are probably using other services

  • Users reporting the issue are on mobile devices which are not subject to the authentication timeout

  • Users are members of an administrative role that is not subject to session timeout length

  • The session timeout setting on a third party SSO provider is set longer than the Google session configuration

  • An IP whitelist has been configured which takes priority over the session control

An organization’s MX record points to an inbound mail gateway (gateway1) that must relay all messages through a second gateway (gateway2) before sending messages to Gmail. What are the two Google recommended settings in this architecture?

Choose an answer:

  • Check “Automatically detect external IP” in the Inbound gateway configuration.

  • Add IP addresses for both gateway1 and gateway2 to the email whitelist.

  • Add the IP address for gateway1 to the Inbound gateway setting.

  • Add IPs for both gateway1 and gateway2 to the Inbound gateway setting.

  • Ensure that all inbound messages receive a custom header to bypass Google spam checks

Explanation:If groups are created via Google Cloud Directory Sync (GCDS), but no users are added, this is most likely due to an error in the synchronization rules or attribute mapping. If the administrator has configured the Groups search rule to (objectclass=group), GCDS successfully detects and builds the appropriate groups based on this LDAP filter. But to add users to these groups, the synchronization rules need to be set up so that each group is associated with the right people. In addition to ensuring that the LDAP characteristics defining group membership are appropriately mapped in GCDS, the administrator should review the rules to ensure they properly describe how users are related to groups.

Essential actions include verifying the synchronization schedule, reviewing error logs, and ensuring that GCDS is compatible with the Google Workspace environment. The synchronization rules must match the LDAP structure, and GCDS must correctly reflect the LDAP group membership characteristics. The problem should be fixed by carefully examining and modifying these options, guaranteeing that users are appropriately added to the provided groups during synchronization.

Which Gmail policy type can alter the inbound route of email for specific users?

Choose an answer:

  • Internal-receiving

  • Default routing

  • Inbound gateway

  • Content compliance

Explanation: The policy type in Google Workspace that can modify the inbound email route for individual users is the “Inbound Gateway” policy under Gmail routing policies. Administrators may set up unique incoming mail routing rules depending on sender, recipient, or IP address using the “Inbound Gateway” policy. When specific users or groups need to utilize a different routing route than what is set as the default, this policy comes in handy.

By creating an Inbound Gateway policy, administrators may specify the circumstances in which emails are routed differently for specific users. For instance, the Inbound Gateway policy may be set up to support the need to route emails from a particular sender or domain to a defined group of users via a separate gateway or server.

Administrators may adjust email routing for individual users or groups using Google Workspace’s Inbound Gateway policy. This allows for a more streamlined and effective mail flow inside the company.

Due to security requirements, an organization requires blocking access to consumer Gmail (gmail.com) while allowing enterprise G Suite account access (company.com). How is this accomplished?

Choose an answer:

  • Disallowing access to consumer Gmail can only be accomplished via written policy versus technical means

  • Create a CNAME record for gmail.com in your DNS settings to redirect consumer traffic.

  • Turn off Gmail for consumer accounts in the organizational service settings in the G Suite Admin console.

  • Add a “X-GoogApps-Allowed-Domains HTTP header” header to outbound G Suite traffic at your network perimeter.

Explanation: Set up your network gateway or proxy server to add the “X-GoogApps-Allowed-Domains” HTTP header to outgoing G Suite traffic at your network boundary. Access the HTTP header modification settings by logging into the gateway management portal. Then, add the custom header with the appropriate value, indicating the authorized domains. This may be accomplished in most cases using options like “HTTP Header Modification” or “Header Injection.” Ensure the header is present in outgoing G Suite traffic by saving the modifications and applying the settings. Keep an eye on network traffic to make sure the title was added correctly. You should also test G Suite access to ensure the new header complies with your company’s security guidelines without interfering with regular service operations. Consult your device’s handbook for exact instructions since the procedures may differ depending on your network architecture.

Which two of the following are supported by G Suite Migration for Microsoft Exchange (GSMME)?

Choose an answer:

  • Microsoft Exchange profile

  • ICS

  • PST

  • MBOX

  • CSV

Explanation: AMicrosoft Exchange profile is a configuration setting in Microsoft Outlook that enables seamless communication between Outlook and a user’s Exchange mailbox. It contains information such as the user’s email address, Exchange server details, and connection settings. This profile enables users to access their emails, calendars, and contacts stored on the Exchange server. Users typically set up their profiles during the Outlook configuration process, entering details like their name, email address, username, password, and Exchange server information. The Exchange profile ensures synchronized and real-time access to mailbox data, facilitating efficient communication and collaboration within the Microsoft Exchange environment.
PSTcommonly refers to a Personal Storage Table, a file format used by Microsoft Outlook to store email, calendar events, and other data locally. PST files enable users to archive and back up Outlook data. Additionally, PST can stand for Pacific Standard Time, a time zone that is 8 hours behind Coordinated Universal Time (UTC-8).

What of the following is NOT required to use Endpoint Verification?

Choose an answer:

  • Endpoint Verification custom executable

  • Chrome browser

  • Chrome OS

  • Endpoint Verification Chrome extension

Explanation: Google created Chrome OS, a thin, cloud-focused operating system. It powers Chromebooks and is designed with simplicity, speed, and security. Chrome OS, built on the Linux kernel, is primarily focused on online apps and extensively uses the Chrome browser. It has an easy-to-use UI, automated updates, and interaction with Google services.

Which of the following is true regarding Google’s native mobile device management (MDM) platform?

Choose an answer:

  • Basic mode MDM is required for all accounts that use third party MDM providers

  • Advanced mode MDM is enabled by default for all G Suite accounts

  • Advanced mode MDM is required for all accounts that use third party MDM providers

  • Basic mode MDM is enabled by default for all G Suite accounts

Explanation: There are two fundamental mobile device management (MDM) options in Google Workspace (previously G Suite): Basic and Advanced, as of my most recent knowledge update in January 2022. All Google Workspace accounts indeed have primary mode MDM enabled by default. It offers crucial administration features for devices using Google Workspace services, such as password enforcement, encryption, and interpretation synchronization settings. But it has limits compared to the Advanced mode, which provides more precise controls. Remember that features and defaults might change over time, so for the most recent details on MDM settings, see the Admin Console or the most recent Google Workspace documentation.

What is Google’s recommended approach for analyzing patterns in mail flow for large organizations?

Choose an answer:

  • Use G Suite’s Big Query export functionality and use the SQL interface for analyzing patterns

  • Use in-line network monitoring tools to capture packet level data for advanced analytics

  • Use the “export Gmail traffic” option in the G Suite Admin console to download all data in .csv format for use in the tool of their choice

  • G Suite provides customizable graphs directly in the G Suite Admin console for this purpose

Explanation: Organizations may export data from different G Suite services into Google’s cloud-based data warehouse, BigQuery, by using the BigQuery export capability of G Suite. Administrators and data analysts may examine patterns and trends in the exported G Suite data using BigQuery’s SQL interface. SQL queries are an effective tool for examining user behavior, communication patterns, and other pertinent metrics since they can be designed to extract insights from databases. This connection increases overall productivity and efficiency by enabling firms to make data-driven choices based on the abundance of information created inside G Suite services.

An organization’s primary mail domain is ‘altostrat.com’. They would like to set up dual delivery of mail and have chosen the subdomain ‘apps.altostrat.com’ to facilitate mail routing to G Suite. Which action must they take?

Choose an answer:

  • Point the MX records for altostrat.com to aspmx.l.google.com.

  • Add apps.altostrat.com as a secondary G Suite domain.

  • Point the MX record for apps.altostrat.com to aspmx.l.google.com.

  • Register apps.altostrat.com as the primary domain for G Suite.

Explanation: To direct the MX (Mail Exchange) record for apps.altostrat.com to Google Workspace, modify the MX record to “aspmx.l.google.com.” This entails accessing the domain’s DNS (Domain Name System) settings, which the hosting company or domain registrar often gives. The record for “apps.altostrat.com” should be added to or edited in the MX record section with the following details: “Priority: 1” and “Mail Server: aspmx.l.google.com.” With this setup, Google’s mail servers receive inbound emails for apps.altostrat.com. It will take some time for DNS to spread. Ensure your records are configured correctly to ensure smooth email delivery to Google Workspace.

An organization with 10,000 employees has multiple Active Directory forests within their environment. When provisioning users for G Suite, which two actions does Google recommend when possible?

Choose an answer:

  • Use the Admin console to manually provision users.

  • Configure a dedicated (aggregated) LDAP system for GCDS provisioning.

  • Divide the employees into separate G Suite instances based on Active Directory membership.

  • Consolidate all forests into a single Active Directory.

  • Configure a single instance of GCDS using a reverse proxy to connect to all forests.


Explanation: Specify the LDAP server information, such as the address, port, and credentials, to implement Google Cloud Directory Sync (GCDS) provisioning on a dedicated LDAP system. Synchronization rules and mappings can be customized to suit the LDAP structure using GCDS. Validate the connection and synchronization procedure to ensure precise allocation of users and groups from the accurate LDAP system.
Create a singular forest by combining multiple Active Directory forests. Configure Google Cloud Directory Sync (GCDS) to establish a connection to all forests using a reverse proxy. Users and groups from each forest should be synchronized via GCDS. Preserve precise data by implementing appropriate mapping and synchronization protocols. Across all connected Active Directory environments, this configuration facilitates user management.


Which two types of data CANNOT be retained using G Suite Vault?

Choose an answer:

  • Google Slides

  • Off-the-record Chat conversations

  • Email

  • On-the-record Chat conversations

  • Google Sheets

  • Calendar Entries

Explanation: Google’s e-discovery and archiving product, G Suite Vault, cannot save recordings from Google Meet and messages from Hangouts Chat. These two categories of communication data are not included in Vault, which is intended to store and handle data for legal and compliance reasons. Vault’s preservation capabilities do not extend to Hangouts Chat messages or Google Meet recordings, perhaps because of privacy and security concerns. Organizations should be aware of these limits when using Vault for archiving and e-discovery. They should consider other options if keeping Hangouts Chat and Meet data is essential for meeting compliance requirements.

An organization has created a G Suite Vault default retention rule which retains all Gmail messages for all users in the domain for 30 days. There are no active custom rules. A user receives a message on January 1. The user deletes the message and empties it from Trash on January 15. What is the earliest date on which the message will no longer be searchable in Vault?

Choose an answer:

  • Februray 15

  • March 1

  • January 31

  • January 15

Explanation: In the above case, a Gmail message erased on January 15 will no longer be searchable in Vault after February 14 since the default retention rule in G Suite Vault is configured to store messages for 30 days. The countdown to remove the message from Vault’s searchable data begins on the date of the user’s permanent deletion on January 15, and it continues until the end of the 30-day retention period. The 30-day retention period starts on the date of receipt.

A 300-person company is running Microsoft Exchange 2010. G Suite Migration for Microsoft Exchange (GSMME) will be used to migrate data from Exchange to G Suite. Which action must be taken to run GSMME?

Choose an answer:

  • Enable IMAP in Exchange.

  • Decrypt personal contacts.

  • Create a Service account and authorize its Client ID in the G Suite Admin console domain.

  • Install GSMME on the Exchange server

Explanation: Ensure your system meets the criteria before running G Suite Migration for Microsoft Exchange (GSMME) to migrate data from Microsoft Exchange 2010 to G Suite. Install GSMME on a Windows server devoted to it; ideally, keep it apart from the Exchange server. Obtain the rights that GSMME needs to access and move mailbox data, such as privileges to impersonate Exchange. Set up GSMME with precise Exchange and G Suite connection information. Furthermore, examine the GSMME documentation for any particular requirements or suggestions to guarantee a seamless transfer of the 300-person company’s email data to G Suite.

An organization has successfully installed G Suite Password Sync (GSPS) in their environment. They report that not all Active Directory user passwords are syncing to G Suite. What should they do to resolve this problem?

Choose an answer:

  • Ensure that GSPS is installed on their Windows Server Core with the Active Directory role.

  • Ensure that GSPS is installed on every writable domain controller.

  • Ensure that Google Cloud Directory Sync (GCDS) has completed the initial password sync.

  • Ensure that GSPS is installed on their Microsoft Exchange Server.

Explanation: Installing Google Cloud Directory Sync (GSPS) on each writable domain controller in your Active Directory installation is advised to guarantee the best performance. Redundancy and load dispersion are therefore guaranteed. Passwords and user credentials from on-premises Active Directory are synchronized with Google Workspace using GSPS. Installing improves scalability, resilience, and failure tolerance on each writable domain controller. It ensures that user accounts and password changes between on-premises AD and Google Workspace continue without interruption, helping to maintain constant synchronization even if one domain controller fails. Update GSPS often to take advantage of the newest features and security upgrades.

A customer moving to G Suite wants to replace the current ticketing system with a G Suite account tickets@company.com. Which of the following limits is likely to cause issues with this goal?

Choose an answer:

  • 25 GB of mail storage capacity

  • 100 Auto-forward mail filters

  • 50,000 received messages per day

  • 2,000 sent messages per day

  • 4 GB of bandwidth per day (upload and download)

Explanation: The use of tickets@company.com as a central ticketing system may need help due to the G Suite account’s restriction on the number of external receivers. The maximum number of external recipients that G Suite allows in a single email is limited, and going above this limit may cause delivery problems. Managing tickets via email might provide difficulties for the client, depending on the access volume and the number of external receivers involved. To guarantee efficient communication and ticket processing, it is essential to consider this constraint and investigate alternative methods, such as using a specialized ticketing platform coupled with G Suite.

When using G Suite Password Sync (GSPS) to synchronize passwords, how is the password sent to Google from Active Directory?

Choose an answer:

  • Salted SHA-1 over HTTP

  • Clear text over HTTP

  • Clear text over HTTPS

  • MD-5 over HTTPS

  • Salted SHA-512 over HTTPS


Explanation: Password security is improved when salted SHA-512 is used over HTTPS. This procedure involves adding a distinct, random “salt” to every user’s password before SHA-512 hashing. By adding salt, attackers are unable to use precomputed tables, sometimes known as rainbow tables, to crack passwords. Strong cryptographic hashing algorithm SHA-512 offers a great degree of protection. The transmission is protected when these salted, hashed passwords are sent over HTTPS (Hypertext Transfer Protocol Secure), guarding against man-in-the-middle and eavesdropping attacks. With this integrated strategy, sensitive user authentication data is sent and stored with secrecy and integrity, and a strong defense against password-related security risks is provided.


Which three of the following actions can be configured for messages matching a content compliance rule?

Choose an answer:

  • Suspend User

  • Deliver with modification

  • Reject

  • Quarantine

  • Deliver after time interval SAI

An organization wants to deploy Google Drive File Stream but is concerned about potential implications to their network due to limited bandwidth. What is the Google’s recommended way to mitigate these concerns?

Choose an answer:

  • Use the bandwidth controls in the Google Admin console to reduce requirements

  • Drive File Stream automatically scans networks for available bandwidth and reduces usage

  • Strategically deploy Drive File Stream only to users with ample network bandwidth

  • Use registry (Windows) and defaults (macOS) controls on specific clients to reduce requirements

  • Allow only Google native files to be streamed to reduce bandwidth

Explanation: To allay worries about constrained network bandwidth, Google suggests using the Google Drive File Stream Bandwidth Limiter. To avoid possible network congestion, administrators may use this tool to restrict the bandwidth that Google Drive File Stream uses at certain times. The company may manage the effect on network resources and provide a more seamless implementation of Google Drive File Stream without negatively impacting other essential network functions by imposing suitable bandwidth limitations. This enhances network performance during peak hours or crucial activities and gives organizations the ability to adjust bandwidth use depending on their requirements.

You are installing G Suite Migration for IBM Notes (GSMIN) and want to ensure that it will run in the organization’s environment. What should you do?

Choose an answer:

  • Sign the GSMIN templates with the migration server ID or the ID of a user who has the rights to run agents on the server.

  • Place GSMIN in a separate Domino organization and cross-certify it with the customer organization.

  • Sign the GSMIN templates with a special Google ID and grant the ID full access to all of the organization’s mail servers.

  • Install a GSMIN instance on each of the organization’s mail servers.

Explanation: Signing GSMIN templates with a unique Google ID and giving it complete access to all mail servers inside the firm is a security risk. This activity may expose confidential information by breaching the concept of least privilege. It jeopardizes system integrity and makes unauthorized access more likely. Using a specialized service account with the fewest necessary permissions, which guarantees only essential access, is more secure. During migration procedures, implementing appropriate security measures guards against possible weaknesses and conforms to best practices for safe data management. Security should always come first. To ensure this, adhere to suggested protocols and seek advice from IT security specialists.

An organization wants to enforce policies on iOS devices. Which step must you perform before enabling iOS Sync in the Admin console?

Choose an answer:

  • Configure a whitelist of iOS apps to be installed as managed applications.

  • Enable device activation.

  • Install and set up the Apple Push Certificate.

  • Disable Google Sync.

Explanation: Use the Apple Developer Portal to install and configure an Apple Push Certificate for Mobile Device Management (MDM). As directed by Apple, create an MDM Push Certificate by having your MDM server generate a Certificate Signing Request (CSR). After submitting the CSR to Apple, get the certificate granted and upload it to your MDM server. To provide services like remote administration and configuration, a secure connection between the MDM server and Apple devices depends on this certificate. Ensure the certificate is renewed on time to keep your organization’s MDM services for controlling Apple devices running smoothly.

You are in the Early Adopters phase of a G Suite deployment. Which set of users does Google recommend that you deploy in this phase?

Choose an answer:

  • 10% of users from across all business units

  • IT staff and the project team

  • 25% of users from technical teams

  • Executives and IT staff

Explanation: To implement changes affecting 10% of users across all business units, adopt a phased approach. Select a representative sample from each business unit, ensuring a diverse representation. This allows for comprehensive testing, identification of potential issues, and effective communication of changes to various teams. The phased deployment minimizes disruption, facilitates user feedback, and provides an opportunity for adjustments before broader implementation. Communicate transparently with users, addressing concerns and highlighting the benefits of the changes. This approach balances efficiency with risk mitigation, ensuring a smooth transition for all business units undergoing the specified changes.

An organization wants to achieve optimal network performance when accessing G Suite. Which of the following is a Google-recommended best practice for network routing?

Choose an answer:

  • Proxy enterprise G Suite traffic separately from other traffic via Google’s netblocks

  • Proxy all network connections to Google through a centralized location and closely measure that location’s bandwidth usage.

  • Use a reverse proxy within your network perimeter

  • Implement a cloud access security broker (CASB) to funnel all requests to Google

  • Perform DNS lookups geographically close to users

Explanation: Using Google’s netblocks, independent and distinct business G Suite traffic routing may be achieved. Google makes netblocks, or specialized IP address ranges, available for certain services, such as G Suite. Set up your firewall or proxy to identify and route traffic from these netblocks independently so that business G Suite traffic travels along a different route. This division helps to effectively manage bandwidth for G Suite services, enforce certain security controls, and optimize network performance. Granular control over G Suite traffic may be achieved by using Google’s netblocks, which guarantees an enterprise user’s safe and customized experience inside your network architecture.

An organization reports that valid email messages sent by their users are being marked as spam by several recipient domains. They ask for your help addressing this issue. What should you do?

Choose an answer:

  • Recommend that they talk to the recipient’s domain administrators and request being added to their whitelist.

  • Add the recipient domains to the outbound whitelist in G Suite.

  • Create a Google provided CNAME record in their DNS settings.

  • Ensure that SPF, DKIM, and DMARC are set up correctly for their domain.

Explanation: First, ensure that the company is adhering to email best practices by reviewing its email processes to handle legitimate communications being classified as spam. Ensure that DMARC, DKIM, and SPF records are set up correctly. Urge users to avoid frequent spam sources, such as large files or URLs. Investigate destination domains’ spam filtering practices and ask to be added to an allowlist. For insights, keep an eye on email delivery reports. Work with the impacted environments to address any underlying problems if the situation continues. To optimize email-sending procedures and enhance overall email reputation, educate users on appropriate email etiquette and think about working with email deliverability specialists.

A customer wants to disable all the G Suite marketplace applications that access Drive and Gmail. What is the recommended approach to disabling users from adding applications that access Drive and Gmail?

Choose an answer:

  • Use the G Suite Admin console to disable all OAuth access to the selected services

  • Set an alert for all installations of Marketplace applications to trigger an action to suspend a user until the application is removed

  • Use the Admin SDK API to run a script that removes access to all applications on a scheduled basis

  • Disable users from installing applications in the Marketplace in the G Suite Admin console

Explanation: Use App Access Control in Google Workspace to prevent users from adding G Suite Marketplace apps that access Drive and Gmail. To access “Apps” > “Google Workspace Marketplace apps,” open the Admin Console and choose “Apps.” Select the relevant organizational unit, then pick “Configure access settings” to limit app installation. For further control, turn off “Turn off access to all apps” and disable “Users in this organizational unit can trust all apps.” This method improves security and stops unauthorized data access by ensuring users within the designated organizational unit cannot install or approve third-party applications that access Drive and Gmail. For best protection, check and adjust these settings often.

A G Suite account is set up with a third-party Single Sign-On (SSO) solution. Which access method will require the user to enter their password stored in G Suite versus their SSO login credential?

Choose an answer:

  • G Suite Migration for Microsoft Outlook

  • G Suite Sync for Microsoft Outlook

  • Google Admin console

  • Android device using Android sync

Explanation: A unified web-based interface called the Google Admin Console is made specifically for administrators to administer and set up Google Workspace services for their company. Administrators have access to a number of functions via this dashboard, including user administration, device management, service configuration (Gmail, Drive, etc.), access use reports, security control implementation, and payment and subscription management. With its intuitive interface, administrators may manage user access, security features, and organizational settings. Simplifying administrative processes, guaranteeing effective administration, and maximizing the use of Google’s productivity and collaboration capabilities in an organizational setting are all made possible by the Google Admin Console.

An organization has configured their domain to automatically cancel calendar events for deleted users in the G Suite Admin console. Which best describes what happens when a user account is deleted?

Choose an answer:

  • Future events are cancelled on the user’s primary calendar immediately. Cancellation emails are sent.

  • Future events on the user’s primary calendar are cancelled 21 days later. No cancellation emails are sent.

  • Future events on the user’s primary and secondary calendars are cancelled 21 days later. No cancellation emails are sent.

  • All events are cancelled on the users primary calendar immediately. No cancellation emails are sent.

Explanation: All calendar events the removed user holds are immediately canceled when their account is deactivated using the G Suite Admin panel when they have enabled automatic cancellation of calendar events. This guarantees that meetings or activities booked concerning the deleted user are taken off of the participants’ calendars. This automated procedure keeps organization calendars accurate and current while preventing confusion. The cancelation aligns with G Suite’s effective calendar management procedures by preventing lingering orphaned events from interfering with other users’ schedules.

What must an administrator ensure before using a third party mobile device management (MDM) system for G Suite devices?

Choose an answer:

  • Google advanced mode MDM must be disabled

  • Good device policy application must be installed on all devices

  • No native Google applications will be used by users to access G Suite data

  • Both Google advanced and basic mode MDM must be disabled

  • Users will not require Android Enterprise because it only works with Google MDM

Explanation: An administrator must confirm that a third-party Mobile Device Management (MDM) solution is compatible with G Suite devices and that security guidelines are followed before using it. Ensure that G Suite features like device policies, security settings, and application control are supported by the MDM solution you selected. Make sure that the MDM solution satisfies all G Suite security requirements, particularly those related to authentication and encryption. To guarantee correct integration and operation, thoroughly test in a controlled environment. You should also check the security and dependability records of the MDM supplier. Maintain security compliance by updating and monitoring MDM settings regularly.

An organization, domain.com, wants to change their primary G Suite domain to newdomain.com. Which steps will achieve this goal?

Choose an answer:

  • Add newdomain.com as an additional domain in the G Suite Admin console of domain.com; then use the MAKE PRIMARY option to promote newdomain.com as the account’s primary domain.

  • Add newdomain.com as a domain alias to domain.com; allow users to sign in using their primary address or their domain alias address.

  • Provision newdomain.com as a new primary domain. Use the Domains.get method of the Directory API to merge domain.com into newdomain.com.

  • Provision newdomain.com as a new primary domain. Use domain whitelisting from newdomain.com to domain.com to allow users to sign in to newdomain.com.

How can a G Suite administrator programmatically access a user’s data without any manual authorization on the user’s part?

Choose an answer:

  • Individual user accounts must always consent to having their data accessed

  • Super administrators get access to all user data by default in G Suite

  • A support ticket can be filed with Google support to allow time based access to user data by the super administrator

  • User accounts can be granted the ‘Data Authority’ administrative role to access other user’s data

  • Grant a service account domain-wide delegation of authority

Explanation: Through domain-wide delegation of power, a G Suite administrator may automatically access a user’s data without requiring human permission. Administrators may grant their application permission to access user data on behalf of all users in the domain by using OAuth 2.0 service accounts. In order to achieve this, a service account must be created, the domain-wide delegation must be enabled, and the delegated credentials must be used to access user data using the Google APIs. Despite their strength, administrators need to be cautious and make sure that privacy and security standards are followed in order to stop unwanted access to private data.

Which of the following is not available as a means of interoperability between G Suite and legacy platforms?

Choose an answer:

  • Full access to calendar events across recent Exchange platforms

  • Shared video conferencing between SIP/H.323 systems

  • Sophisticated mail routing rules for moving email between platforms

  • Presence in Microsoft Office files to detect when it’s safe to edit document

  • Federation for XMPP standard based chat systems


Explanation: The term “federation” in the chat system XMPP (Extensible Messaging and Presence Protocol) standard describes the smooth communication between XMPP servers in various domains. It improves interoperability by allowing users of one XMPP server to communicate with users of another. Federated XMPP systems allow for real-time communication across organizational boundaries and the sharing of presence data. This decentralized design fosters an open and linked messaging environment that adheres to the XMPP protocol by enabling connection with other domains and allowing companies to maintain their own XMPP servers. To establish an international, transparent, and cooperative instant messaging network, federated XMPP is essential.


You have developed a script that uses the Drive API to add files to Google Drive. The script exits early with a 403: Rate Limit exceeded response from the Google servers. What two steps can you take?

Choose an answer:

  • Implement exponential back-off in your code

  • Request additional quota in the Developer Console project.

  • Batch your requests.

  • Add the Override_Rate_Limit header to each API request.

  • Insert a delay between each API call in your code.

Which of the following is true when handling conflict accounts with G Suite customers?

Choose an answer:

  • Administrators can opt-in all existing conflict accounts to be added to the corporate G Suite tenant

  • User’s can decide whether to allow their existing address and data to be added to the corporate G Suite tenant

  • User’s can decide whether to allow their existing data to be added to the corporate G Suite tenant

  • User’s can decide whether to allow their existing address to be added to the corporate G Suite tenant

Explanation: Users can choose whether or not to allow the corporate G Suite tenant to connect their current data. With this user-controlled method, people may select their data transfer choices while maintaining privacy. Organizations may promote a user-centric approach to data management inside the corporate framework by allowing users to move their personal or current data into the G Suite environment while ensuring transparency and empowering users to make informed choices. In the context of corporate data transfer, this is consistent with user permission, privacy, and data ownership.

An organization has many administrators across different regions and wants to segment user management by region. How is this accomplished?

Choose an answer:

  • Delegate administrators to specific OUs using the “User Management Admin” system role.

  • Move each IT administrator into the same OU as the users in their respective regions and grant them the “User Management Admin” system role.

  • Use a group filter to delegate administrative rights to specific users based on group membership.

  • Configure super administrator access for each administrator and assign them to specific OUs.

Explanation: With Google Workspace, assign administrators to specific Organizational Units (OUs) by utilizing the “User Management Admin” system role. Thisallo allows administrators to manage users within designated user groups (OUs) without requiring full super admin powers. Giving this position a function gives you fine-grained control, which improves security and responsibility delegation. Streamlining user management while preserving the organizational structure, administrators with the “User Management Admin” role may create, update, and delete users within the designated OUs. This strategy adheres to the least privilege principle by allowing access to the minimal information required for specific administrative duties within predefined organizational units.

You are migrating Exchange accounts to G Suite with G Suite Migration for Microsoft Exchange (GSMME). When must a mapping file be used?

Choose an answer:

  • The mapping file is required for all Gmail, Contacts and Calendar migrations.

  • When you need to migrate Calendars, the legacy email addresses differ from the G Suite addresses.

  • When migrating from an IMAP server.

  • Never. Mappings are included in the GSMME control file.

Explanation: When migrating calendars, challenges arise when legacy email addresses differ from G Suite addresses. This discrepancy may impact calendar events associated with specific email accounts. Migration processes must account for this mismatch by mapping legacy addresses to their corresponding G Suite counterparts to ensure a seamless transition. Accurate address mapping is crucial for maintaining event ownership, attendee information, and calendar integrity during the migration. A thorough understanding of the legacy and G Suite addressing conventions is essential to execute a successful calendar migration, avoiding disruptions and preserving data consistency across email platforms.

You are working in the G Suite Admin console. You need to block sign-in attempts from applications that do not use modern security standards, and thus are considered less secure. What type of applications should you block?

Choose an answer:

  • Applications that rely on plain SSO authentication to access an account programmatically

  • Applications that rely on certificate based authentication to access an account programmatically

  • Applications that rely on plain authentication to access an account programmatically

  • Applications that rely on username/password authentication to access an account programmatically

Explanation: Applications relying on username/password authentication for programmatic access often use a user’s credentials to authenticate and interact with an account. This method involves providing the application’s code with the username and password, potentially posing security risks. To enhance security, multi-factor authentication (MFA) is recommended. However, some legacy or less secure systems may necessitate username/password access. Developers must implement secure coding practices, use encrypted connections, and adhere to authentication best practices to mitigate potential vulnerabilities when employing username/password authentication for programmatic account access in applications.

You are using G Suite Calendar Interop for Microsoft Exchange to share availability information between legacy and G Suite calendars. Which of the following must you do to allow Exchange users to see Google Calendar availability information?

Choose an answer:

  • Create a “Google Calendar” group in Exchange and add all G Suite users to this group.

  • Move the G Suite users to a specific organizational unit (OU) and enable calendar sharing.

  • Ensure that G Suite users do not appear in the Exchange Global Address List.

  • Create a role account in G Suite to be used by Exchange to get each Google user’s availability information.

Explanation: To enable Exchange users to view Google Calendar availability information using G Suite Calendar Interop, ensure that free/busy information is accessible. Configure the Calendar Interop settings to allow free/busy queries from Exchange to Google Calendar. Verify that the necessary permissions are granted, and the service account for Calendar Interop has the required access to query availability data. This ensures seamless interoperability, allowing Exchange users to see the availability status of their counterparts using Google Calendar. Regularly monitor and maintain these settings to guarantee consistent and reliable cross-platform calendar visibility for all users.

A user created a Google Site in the domain altostrat.com. The user wants to make the site accessible using the URL http://myproject.altostrat.com. What should the administrator do?

Choose an answer:

  • Create a TXT record that contains “name: myproject value:altostrat.com.”

  • Configure a web address mapping in the site settings.

  • Configure a web address mapping in the Admin console.

  • Create a CNAME record that points myproject.altostrat.com to google.com.

Explanation: Go to the Google Workspace Admin panel, scroll to “Domains,” and choose “Manage domains” to create a web address mapping. Select the domain you want to have a web address mapping configured for. To access the domain settings, go to “Domain names.” Include a new web address mapping using the source and destination URLs specified. This mapping redirect Users inside your business from one web domain to another. To preserve smooth user experiences and effective navigation, ensure the mapping is accurate. Whenever your organization’s needs or web addresses change, periodically check and adjust these settings.

Which API can you use to list, create, and modify G Suite users?

Choose an answer:

  • Admin SDK Enterprise License Manager API

  • Admin SDK Directory API

  • G Suite Admin Settings API

  • Google G Suite Users API

  • Google Domain Shared Contacts API

Explanation: Google’s Admin SDK includes the Admin SDK Directory API, which offers programmatic access to user and group data in Google Workspace. The Google Workspace directory’s user accounts and groups may be created, read, updated, and deleted by developers using this API. Tasks related to user administration, such as provisioning, and de-provisioning, are made more accessible by it, and system integration is permitted. Admin SDK Directory API allows developers to automate directory-related tasks, guaranteeing efficiency and uniformity in Google Workspace user and group administration. Numerous programming languages are supported by this API, allowing for easy integration into a range of application settings.

Which of the following is required In order to achieve free/busy interoperability between Google and Microsoft Exchange?

Choose an answer:

  • Exchange web services must be opened on port 443 for https://calendar.google.com

  • Exchange web services must be opened on port 443 for all of Google’s IPv6 net blocks

  • Exchange web services must be opened on port 443 for all of Google’s IP blocks

  • Exchange web services must be opened on port 443 for a small subset of Google’s IP blocks

What is the Google-recommended SPF setting for a domain that uses G Suite as the primary mail system?

Choose an answer:

  • v=spf1 include:_ghs.google.com ~all

  • v=spf1 a:google.com mx ptr ~all

  • v=spf1 a:aspmx.l.google.com -all

  • v=spf1 include:_spf.google.com ~all

  • v=spf1 include:_spf.google.com -all

Explanation: The Google-recommended SPF (Sender Policy Framework) setting for a domain using G Suite as the primary mail system is to include Google’s SPF records in the domain’s SPF configuration. This typically involves adding the “include:_spf.google.com” mechanism to the domain’s SPF record. This setting authorizes Google’s mail servers to send emails on behalf of the field, enhancing email deliverability and reducing the likelihood of legitimate emails being marked as spam. Including Google’s SPF records in the domain’s SPF configuration ensures proper email authentication and aligns with best practices for G Suite mail system security.

Which access method does NOT allow enforcement of policy controls on iOS devices by G Suite?

Choose an answer:

  • Google-provided Gmail app

  • Adding an account type of “Google” through the Mail, Calendar, and Contacts menu

  • iOS Sync

  • Google Sync (Microsoft ActiveSync)

Which option do G Suite administrators NOT have for enforcing second factor authentication (2SV) for their users?

Choose an answer:

  • Give users the ability to choose “trusted devices” for less frequent 2SV challenges

  • Admins can enroll and enforce users in 2SV automatically

  • Selective enforcement for diverse user populations

  • Enforcement from a specific date

  • Allow custom grace periods for new employees to enroll in 2SV

Explanation: Administrators can streamline security by automatically enrolling and enforcing users in Two-Step Verification (2SV) within Google Workspace. Admins can mandate 2SV enrollment for all users by configuring policies in the Admin console, enhancing account security. This automated approach ensures that users are prompted to set up and use additional verification methods, such as phone-based prompts or security keys, adding an extra layer of protection to their accounts. Automated 2SV enforcement strengthens overall security posture, reducing the risk of unauthorized access and fortifying the authentication process for users within the Google Workspace environment.

Which of the following is not a supported source for identifying users during a login challenge to G Suite?

Choose an answer:

  • Voice call pin code

  • Recovery email account

  • SMS text of pin code

  • Google Authenticator code

  • Employee ID

Explanation: The Google Authenticator code is a time-based one-time password (TOTP) generated by the Google Authenticator app. Users enable two-step verification for added security in their Google accounts. The app generates a dynamic, six-digit code that changes every 30 seconds, serving as a second factor for authentication. Users enter this code along with their password during the login process. This time-sensitive code enhances account security by requiring a temporary and constantly changing verification element, mitigating the risk of unauthorized access. The Google Authenticator code is widely used for multi-factor authentication across various online platforms.

As the administrator for your G Suite domain you need to investigate why one of your users didn’t receive an important message. The message was sent to them 45 days ago. What should you do?

Choose an answer:

  • Obtain the message ID from the sender and use the Gmail API to locate the message.

  • Use the Email Log Search feature in the Admin console to confirm whether the message was delivered using sender and recipient SMTP addresses.

  • Obtain the message ID from the sender and use the Email Log Search feature to confirm the post delivery message status.

  • Use the subject of the message and the Email Log Search feature to confirm the post delivery message status.

Explanation: Get the message ID from the sender to look into why a crucial communication in G Suite seems to have not been received. Next, verify the post-delivery message status using the Google Admin console’s Email Log Search function. Please enter the message ID into the Email Log Search to get comprehensive logs that show the path taken by the email, its delivery status, and any problems encountered. By giving administrators insightful information about the message’s path, this technique makes it easier to conduct a comprehensive inquiry into any possible causes of non-delivery. It guarantees a thorough examination of the email’s post-sending state to facilitate efficient troubleshooting and resolution.

An organization is migrating all the employees to G Suite except for a small, independent group of users in Antarctica. You want to include the users in Antarctica in the global address list for G Suite without additional licensing costs. What should you do?

Choose an answer:

  • Add a new contact for each Antarctica user in the administrator’s “My Contacts” list.

  • Add user accounts for the Antarctica users, but suspend their accounts.

  • Add domain shared contact records for the Antarctic users.

  • Create an organizational unit for only the Antarctica users.

Explanation: Open the Google Admin panel and add domain-shared contact data for Antarctic users in G Suite. Point your cursor toward “Directory” and choose “Directory settings.” Select “Shared contacts,” then provide the necessary details (names and email addresses) under “Add shared contacts” for individuals in Antarctica. Once you save the modifications, everyone on the domain will have access to the shared contact data. This guarantees that users within the domain are able to view and make use of shared contact details for those connected to the Antarctic area. To ensure correct and current information is maintained for smooth internal communication, update these shared contacts on a regular basis.

What is Google’s recommended network protocol for Hangouts Meet traffic?

Choose an answer:

  • QUIC

  • Unsecured TCP

  • Secured UDP

  • Secured TCP

  • Unsecured UDP

Explanation: Google recommends using the WebRTC (Web Real-Time Communication) protocol for Hangouts Meet traffic. WebRTC is a free, open-source project providing real-time communication capabilities directly in web browsers. It supports secure and efficient audio and video communication, making it the preferred protocol for Hangouts Meet. WebRTC optimizes performance by establishing direct peer-to-peer connections between users when possible, reducing latency and enhancing the overall meeting experience. Leveraging WebRTC ensures a reliable and high-quality audio and video conferencing experience in Hangouts Meet, aligning with Google’s commitment to delivering efficient and secure communication solutions.

A customer with over 25,000 Windows machines wants to enforce strict control over Chrome extensions installed in their environment. What should they do?

Choose an answer:

  • Chrome browser natively inspects and verifies all extensions by default so no further action is needed

  • Use the Google Admin console to deploy only approved extensions to all users

  • The customer should create Chrome manifest files to whitelist extensions during deployment of Chrome browser

  • Chrome extensions are controlled only at the user level and must be restricted only through written policies

  • Use Google provided group policy templates (.adm and .admx) to create a centrally controlled level of restriction

Explanation: The customer should leverage Google Chrome Enterprise policies for strict control over Chrome extensions on over 25,000 Windows machines. Utilize the Chrome management capabilities, accessible through the Google Admin console. Implement policies to restrict or allow specific extensions based on organizational requirements. To control extension installations, utilize the “ExtensionInstallBlacklist” or “ExtensionInstallWhitelist” policies. Regularly review and update these policies to align with security and compliance needs. This approach ensures centralized management, enabling the customer to enforce granular control over Chrome extensions across their extensive Windows machine environment efficiently.

A customer reports that many of their users received a phishing email. The customer wants to immediately remove the message from their environment. What action should they take?

Choose an answer:

  • Search for and remove the message from all mailboxes via the Admin Console Investigation Tool

  • Use the phishing classification via the Gmail API to remove the message

  • Use G Suite Vault to remove the message from all mailboxes

  • Send an email to all users notifying them of the incident and instructing them to remove the message in question.

  • Use IMAP to connect to mailboxes and remove the message

Explanation: To remove a message from all mailboxes in G Suite, utilize the Admin Console Investigation Tool. Access the Google Admin console, navigate to “Reports” > “Audit” > “Email log search.” Enter relevant details like sender, recipient, or date to locate the message. Once identified, take necessary actions using the Investigation Tool, such as deleting or applying retention policies. This ensures efficient and centralized removal of the specified message from all associated mailboxes. Regularly leverage these tools to manage and secure email communication within the organization, providing administrators with the necessary tools for effective investigation and action.

An organization has provisioned all of their employees in G Suite and pointed their MX records to Google. They want to configure email for some users to be delivered in Gmail, while email for other users is delivered to a legacy mail system. What should they do?

Choose an answer:

  • Place all legacy users in an organizational unit and configure the outbound gateway to the IP address of the legacy mail system.

  • Create a Google Group for all legacy mail system users and place the group in an organizational unit that has a “Default Routing” setting to the legacy mail system.

  • Add legacy mail system users to an organizational unit and configure a Routing setting to direct mail to the legacy system.

  • Set up split delivery in their legacy mail system and forward all G Suite user mail to aspmx.l.google.com

Explanation: Use the Admin Console to add users of the old mail system to an organizational unit in G Suite. Go to “Users” and assign the users of the old system to the appropriate organizational unit. Set up the Admin Console’s Routing configuration to send mail to the old mail system for these users. Specify the proper mail server and routing configuration to modify the mail delivery settings. This facilitates coexistence and a smooth transition inside the G Suite environment by ensuring that users of legacy systems are integrated seamlessly into the organizational structure and that their mail traffic is sent to the authorized legacy mail system.

“An organization has the following Vault rules configured: -A default rule that retains messages for 5 years. -A custom rule that retains messages with label “misc” for 3 years. For a conversation started on 1/1/2013, if a user put the “misc” label on a single message in the conversation sent on February 1, 2013, what will the status of all messages in the conversation be on February 1, 2016?”

Choose an answer:

  • All of the messages are deleted.

  • All messages up to the labelled message are deleted. All messages sent after are retained until 2018.

  • None of the messages are deleted.

  • All messages up to the labelled message are kept. All messages sent after are removed.

G Suite Migration for Microsoft Exchange (GSMME) uses a control comma-separated values (CSV) file to map legacy accounts to G Suite accounts. An organization yourdomain.com is migrating from Exchange where user G Suite addresses will remain unchanged from the Exchange environment. How should each user entry be entered into the control file?

Choose an answer:

  • user@yourdomain.com, user@yourdomain.com, G Suite Organizational Unit

  • user@yourdomain.com, user@yourdomain.com, G Suite password

  • user@yourdomain.com, user@yourdomain.com

  • user@yourdomain.com

Explanation: In the G Suite Migration for Microsoft Exchange (GSMME) control CSV file for an organization migrating from Exchange where user G Suite addresses remain unchanged, each user entry should be entered with the format “LegacyEmailAddress, GSuiteEmailAddress”. For example, if the user in the legacy Exchange environment has the email address user1@yourdomain.com, and this remains the same in G Suite, the entry in the control CSV file would be “user1@yourdomain.com, user1@yourdomain.com”. This mapping ensures a seamless migration, linking the legacy and G Suite accounts appropriately for accurate data transfer during the migration process.

What is Google’s maximum suggested latency for Hangouts Meet?

Choose an answer:

  • 20ms

  • 400ms

  • 3,000ms

  • 1,000ms

  • 100ms

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top