What does the Google Workspace Administrator certification exam cover?
The Google Workspace Administrator certification exam covers managing users and organizational units, configuring Google Workspace services (Gmail, Drive, Meet, Calendar), implementing security and compliance controls, managing devices with endpoint management, and troubleshooting Google Workspace environments. The exam costs $200 USD.
The Google Workspace Administrator certification (formerly G Suite Administrator) validates expertise in managing Google Workspace environments for organizations. Workspace Admins configure user accounts, enforce security policies, manage applications, and support thousands of users accessing Google's productivity suite.
This certification is particularly valuable for IT administrators at organizations that have migrated from Microsoft 365 to Google Workspace or are running both environments.
Exam Overview
| Detail | Information |
|---|---|
| Certification | Google Workspace Administrator |
| Provider | Google |
| Number of Questions | 50 |
| Time Limit | 2 hours |
| Passing Score | Not published |
| Cost | $200 USD |
| Prerequisites | None |
| Validity | 2 years |
The exam covers four domains:
- Managing users, groups, and organizational units (30%)
- Managing Google Workspace services (27%)
- Implementing Google Workspace security (27%)
- Managing devices and endpoints (16%)
"Workspace Admin certification requires breadth across all Workspace services and depth in the Admin Console. Hands-on experience administering a real Google Workspace tenant is essentially required — the exam tests specific Admin Console navigation, report interpretation, and troubleshooting scenarios that are very difficult to learn purely from documentation. Use the Google Workspace trial or a personal Google Workspace account for hands-on practice." -- Google Workspace certified administrator community
Users and Organizational Units
Organizational Unit (OU) Structure
OUs group users to apply different policies and service settings:
Organization: company.com
├── /Employees
│ ├── /Engineering
│ │ └── /Contractors
│ ├── /Finance
│ └── /Marketing
├── /Partners
└── /Kiosk-Devices
OU inheritance: Settings flow from parent to child OUs. Child OUs can inherit or override parent settings.
Common OU design patterns:
- Separate contractors from full-time employees (restrict sharing, access)
- Kiosk/shared device OUs with restricted application access
- Executive OU with enhanced security settings (advanced phishing protection, DLP)
- Department OUs matching organizational structure
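The inheritance rule above can be modelled as a walk from the root OU down to the target OU, with the nearest explicit setting winning. The following is an added example, not code from Google or from the original page; the setting names and values are hypothetical labels applied to the OU tree shown above.

```python
# Added example: constructed settings on the page's OU tree, not a tenant export.
# Setting names (external_sharing, two_step_verification) are hypothetical labels.

# Settings set explicitly at each OU; anything absent is inherited from the parent.
EXPLICIT = {
    "/": {"external_sharing": "allowed", "two_step_verification": "optional"},
    "/Employees": {"two_step_verification": "enforced"},
    "/Employees/Engineering/Contractors": {"external_sharing": "blocked"},
    "/Kiosk-Devices": {"external_sharing": "blocked"},
}

def ancestors(ou_path):
    """Return the chain from the root OU down to ou_path, inclusive."""
    chain = ["/"]
    parts = [p for p in ou_path.split("/") if p]
    for i in range(1, len(parts) + 1):
        chain.append("/" + "/".join(parts[:i]))
    return chain

def effective_settings(ou_path, explicit=EXPLICIT):
    """Resolve each setting to (value, OU it came from); the nearest OU wins."""
    resolved = {}
    for ou in ancestors(ou_path):  # root first, so child overrides replace parents
        for key, value in explicit.get(ou, {}).items():
            resolved[key] = (value, ou)
    return resolved

if __name__ == "__main__":
    for ou in ("/Employees/Finance", "/Employees/Engineering/Contractors", "/Partners"):
        print(ou)
        for key, (value, source) in sorted(effective_settings(ou).items()):
            origin = "set here" if source == ou else f"inherited from {source}"
            print(f"  {key} = {value} ({origin})")
```

Reporting the source OU alongside each value is what makes an unexpected override traceable during an audit.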
User Management
Admin Console → Directory → Users
Key user management tasks:
- Create users individually or via CSV bulk import
- Suspend/delete users when offboarding
- Reset passwords and manage 2-Step Verification
- Assign licenses (Workspace editions have per-user licensing)
- Manage user aliases (alternate email addresses)
- Set recovery email for admin lockout prevention
Directory sync with Google Cloud Directory Sync (GCDS):
- Sync users from on-premises Active Directory or LDAP to Google Workspace
- One-way sync: AD is the master; changes made in Workspace are overwritten on the next sync
- GCDS runs on-premises and connects to both AD and Google
Google Workspace Services Configuration
Gmail Administration
Gmail routing: Control how email flows within and between organizations:
| Setting | Purpose |
|---|---|
| Default routing | Route all messages through specific relay |
| Recipient address map | Redirect mail for specific addresses |
| Spam filter | Configure spam sensitivity and approved senders |
| Email archiving | Route copies to Vault or external archiver |
| Outbound gateway | Route outbound email through on-premises relay |
Email authentication:
SPF (Sender Policy Framework):
TXT record: v=spf1 include:_spf.google.com ~all
DKIM (DomainKeys Identified Mail):
Add DKIM keys in Gmail Settings → Authenticate Email
TXT record: google._domainkey.example.com
DMARC (Domain-based Message Authentication):
TXT record: _dmarc.example.com
Value: v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com
Drive and Storage Management
Shared Drive administration:
- Shared Drives are organization-owned; files persist when members leave
- Manager role can manage membership and settings
- Content Manager can add/edit/delete files
- Viewer can only view
Drive DLP (Data Loss Prevention):
- Scan Drive files for sensitive content (SSN, credit card numbers, custom patterns)
- Apply labels to matching files
- Block sharing, require justification, or notify admins
- Available in Workspace Business Plus and Enterprise editions
Security and Compliance
2-Step Verification (2SV) Enforcement
Admin Console → Security → Authentication → 2-Step Verification
Options:
- Allow users to turn on 2SV (optional)
- Require 2SV for all users (enforcement)
- Require security keys only (phishing-resistant hardware keys)
- Allow grace period (days before enforcement)
- Exempt specific OUs from enforcement
Advanced Protection Program: Google's strongest phishing protection for high-risk users:
- Requires physical security key (hardware token)
- Only approved apps can access account data
- Enhanced malicious download scanning in Chrome
Context-Aware Access
Context-Aware Access (a BeyondCorp implementation) grants access based on device and user context:
| Access Level Condition | Description |
|---|---|
| IP subnet | Only allow access from corporate IP ranges |
| Device policy | Require device to be managed and compliant |
| OS version | Require specific OS version or newer |
| Screen lock | Require screen lock to be enabled |
Example: Restrict Drive access to corporate devices only
Access level: "corporate-device"
Condition: Device managed + Screen lock enabled
Drive access policy:
Apply access level "corporate-device" to Google Drive
Effect: Users on unmanaged personal devices cannot access Drive
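A simplified model of how the "corporate-device" access level above is evaluated against a request, as an added example. It is not Google's policy engine or API; the field names, the second access level, and the sample devices are constructed for illustration.

```python
import ipaddress

# Added example: simplified access-level evaluation with constructed field names.
ACCESS_LEVELS = {
    # The page's example: device managed + screen lock enabled.
    "corporate-device": {"managed": True, "screen_lock": True},
    # Hypothetical stricter level using every condition type from the table.
    "corporate-network-device": {
        "managed": True, "screen_lock": True,
        "ip_subnets": ["198.51.100.0/24"], "min_os_version": "14.2",
    },
}
APP_POLICY = {"drive": "corporate-device"}  # access level required per app

# Constructed request contexts.
MANAGED_LAPTOP = {"managed": True, "screen_lock": True,
                  "ip": "198.51.100.23", "os_version": "14.10"}
PERSONAL_PHONE = {"managed": False, "screen_lock": True,
                  "ip": "198.51.100.40", "os_version": "17.1"}

def version_tuple(text):
    """Compare versions numerically so that 14.10 is newer than 14.2."""
    return tuple(int(p) for p in text.split("."))

def unmet_conditions(level, ctx):
    """Return the conditions of `level` that the request context fails."""
    failed = []
    if level.get("managed") and not ctx.get("managed", False):
        failed.append("device not managed")
    if level.get("screen_lock") and not ctx.get("screen_lock", False):
        failed.append("screen lock disabled")
    subnets = level.get("ip_subnets")
    if subnets:
        ip = ipaddress.ip_address(ctx["ip"])
        if not any(ip in ipaddress.ip_network(s) for s in subnets):
            failed.append("IP outside corporate ranges")
    minimum = level.get("min_os_version")
    if minimum and version_tuple(ctx.get("os_version", "0")) < version_tuple(minimum):
        failed.append(f"OS older than {minimum}")
    return failed

def decide(app, ctx):
    """Allow only when every condition of the app's access level is met."""
    level_name = APP_POLICY.get(app)
    if level_name is None:
        return ("allow", [])  # no access level assigned to this app
    failed = unmet_conditions(ACCESS_LEVELS[level_name], ctx)
    return ("deny", failed) if failed else ("allow", [])
```

The personal phone is denied Drive even though its address falls inside the corporate range, because the decision rests on device state rather than network location.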
Vault (eDiscovery and Archiving)
Google Vault provides eDiscovery, legal hold, and archiving:
| Function | Description |
|---|---|
| Matters | Cases containing holds, queries, and exports |
| Holds | Preserve data for specific users or OUs beyond retention |
| Queries | Search Gmail, Drive, Meet, and Chat data |
| Exports | Download data for legal review |
| Retention rules | Set how long data is retained before deletion |
Endpoint Management
Mobile Device Management (MDM)
| Management Level | Control | Device Types |
|---|---|---|
| Basic (agentless) | Screen lock, account wipe | Android, iOS |
| Advanced (agent required) | Full device wipe, policy enforcement, app management | Android |
| Endpoint verification | Chrome browser management, device inventory | Chrome OS, Windows, Mac |
Device compliance policies:
- Require device encryption
- Require PIN/password complexity
- Block compromised (rooted/jailbroken) devices
- Require minimum OS version
- Block screen capture (Android enterprise)
Frequently Asked Questions
What is the difference between Google Workspace Business and Enterprise editions?
Business editions (Starter, Standard, Plus) target small to mid-size organizations with per-user pricing. Enterprise editions add advanced security (enhanced DLP, Security Center), extended Vault capabilities, more cloud storage per user, and dedicated customer support. Business Plus and Enterprise Starter are the most common upgrades from smaller plans. For certification purposes, understand which features require Enterprise editions (advanced DLP, Security Center, SIEM integration, Google Meet recording in all editions, etc.).
How does GCDS (Google Cloud Directory Sync) differ from LDAP sync?
GCDS is Google's free tool for syncing from on-premises Active Directory or LDAP to Google Workspace. It is one-way: your on-premises directory is the source of truth, and GCDS writes changes to Google Workspace. GCDS runs as an on-premises application on a scheduled basis. LDAP sync is a generic term for any LDAP-based synchronization. Many organizations also use third-party tools (Okta, Azure AD Connect) instead of GCDS to handle both SSO and provisioning. GCDS is tested because it is Google's native solution.
What is Context-Aware Access and how does it relate to BeyondCorp?
BeyondCorp is Google's zero-trust access model, which grants access based on user identity and device context rather than network location. Context-Aware Access is the Workspace implementation of BeyondCorp principles — it allows admins to define access levels (conditions like device compliance, network, OS) and apply them to Google Workspace apps. Users on compliant corporate devices get full access; users on unmanaged personal devices get restricted access or no access, regardless of being on the corporate network.
