Google Professional Google Workspace Administrator Exam Dumps & Practice Test Questions
You are the Workspace Administrator and have set up Google Cloud Directory Sync (GCDS) to manage Google Group memberships based on your LDAP directory. However, some Google Groups are managed manually and should not be impacted by synchronization. After running GCDS, you observe that these manually managed groups are being removed.
What configuration change should you make to prevent GCDS from deleting these manually created groups?
A. Modify the group deletion policy in GCDS to "don’t delete Google groups not found in LDAP."
B. Use the Directory API after every sync to restore deleted group memberships.
C. Ensure the base DN for group emails matches the user email base DN.
D. Adjust the user deletion policy in GCDS to delete only active domain users not found in LDAP.
Answer: A
Explanation:
Google Cloud Directory Sync (GCDS) is designed to reflect LDAP directory structure within Google Workspace by synchronizing users, groups, and other directory attributes. By default, GCDS assumes that the LDAP directory is the source of truth. This means that if a group exists in Google Workspace but is not found in LDAP, GCDS interprets it as obsolete and removes it during synchronization. This behavior is problematic when you have manually managed Google Groups that are intentionally not part of LDAP.
To prevent the deletion of these manually managed groups, the correct approach is to modify GCDS’s group deletion policy. Specifically, in the GCDS Configuration Manager, you need to update the setting to “don’t delete Google groups not found in LDAP.” This tells GCDS to retain any groups in Google Workspace that are not represented in LDAP, effectively preserving manually managed groups.
The alternative options are ineffective for solving the core issue:
B suggests using the Directory API post-sync, which is a reactive workaround and does not prevent the deletion during sync. It’s inefficient and prone to human error.
C relates to configuration of DNs, but matching base DNs does not influence whether GCDS deletes groups. It’s unrelated to group deletion policy.
D applies to user deletion behavior and has no impact on group deletion, making it irrelevant for this scenario.
By selecting Option A, you adopt a proactive, policy-based solution that aligns with best practices and protects your manually created Google Groups from unintended deletion during synchronization.
Your company’s marketing team wants an easy and secure way to share Google Drive files using links, but only with members of the marketing department—not the entire organization.
Which two actions should you take to support this requirement? (Choose two.)
A. Create a shared drive accessible to the whole organization.
B. Modify Drive sharing settings to limit access to only internal users.
C. Set up a shared drive specifically for the marketing department.
D. Change the default link sharing to automatically target the marketing team.
E. Define a target audience for link sharing that includes all marketing staff.
Answer: C, E
Explanation:
When a department such as marketing wants to collaborate efficiently while maintaining control over access, Google Workspace offers several tools that can help. The main goal here is to enable link-based sharing within the marketing department while avoiding exposure of files to the entire company.
The first key step is to create a dedicated shared drive (Option C) for the marketing department. Shared drives offer a centralized location where all team members can access, contribute to, and organize documents. Members are assigned roles such as Viewer, Commenter, or Contributor, ensuring proper control over file actions. With a shared drive, documents are inherently accessible to all members of the group, minimizing the need for repeated individual file sharing.
The second critical step is to use the target audience feature in Google Workspace Admin Console (Option E). A target audience is a predefined group—such as the marketing department—that users can choose when sharing a file via link. This limits the visibility of shared links to that audience only. Once this is configured, employees can easily choose “Marketing Team” from the sharing options, which is both intuitive and secure.
Let’s examine why the other options aren’t suitable:
A suggests a shared drive open to the entire organization, which contradicts the need for restricting file access to just the marketing team.
B talks about restricting Drive sharing internally, which is useful for preventing external access but does not help in limiting sharing within the organization.
D mentions setting a default link sharing option for a specific team. However, Google Drive does not support assigning a team as the default sharing target. Target audiences must be selected manually by users during the sharing process.
Together, creating a marketing-specific shared drive and setting a target audience for that department create a secure, scalable, and user-friendly way to enable intra-team collaboration without risking broader visibility.
You need to ensure that your organization's security team has the appropriate access to use the Security Investigation Tool, without granting broader administrative rights.
What is the best way to achieve this using the Google Admin Console?
A. Assign the pre-built security admin role to the security team members
B. Create a custom admin role with Security Center permissions and assign it to the team
C. Grant the Super Admin role to all security personnel
D. Build a custom admin role with only security settings privileges and assign it
Correct Answer: A
Explanation:
When managing a diverse IT administration team with specific responsibilities, adhering to the principle of least privilege is essential. In this case, your security team needs access specifically to the Security Investigation Tool within Google Workspace. The most effective and secure way to provide this access is to assign the pre-built Security Admin role (Option A) to those users.
The Security Admin role is designed by Google to include the necessary permissions for working within the Security Center, including full access to the Security Investigation Tool, alert monitoring, and threat detection features. This role is both convenient and secure because it is maintained by Google and automatically updated with any changes or improvements in security tools and permissions. Assigning this pre-built role ensures consistent access without the risks or overhead of manually managing permissions.
Now, let’s examine why the other options are not suitable:
B: While creating a custom admin role with Security Center access might accomplish the same goal, it introduces complexity. Custom roles require precise configuration, continuous oversight, and may not include new privileges introduced by Google in future updates—making them less reliable long-term.
C: Granting the Super Admin role gives unrestricted access across all administrative features, including billing, user management, and services. This violates security best practices and exposes your system to unnecessary risk.
D: A role with only security settings privileges may allow users to modify general security configurations but does not grant access to advanced tools like the Security Investigation Tool, rendering it insufficient.
Therefore, A is the most secure and efficient solution. It enables proper access while limiting privileges strictly to the scope required, enhancing operational integrity and supporting robust role-based access control (RBAC).
Your organization must comply with a new security mandate that restricts users from transferring data from managed Google Workspace apps to personal or third-party apps on iOS devices.
What action should an administrator take in the Google Admin Console to meet this requirement?
A. Go to the Data Protection section and disable the “Allow users to copy data to personal apps” setting
B. Turn off “Open Docs in Unmanaged Apps” in the device management settings
C. Enable Basic Mobile Management under Devices > Mobile and endpoints > Universal Settings
D. Uncheck the “Allow items created with managed apps to open in unmanaged apps” option
Correct Answer: D
Explanation:
To prevent data from being copied or shared from Google Workspace apps—such as Gmail, Docs, Sheets, or Drive—to personal apps on iOS devices, organizations must implement strict mobile data controls. The best method to enforce this on managed Apple devices is to utilize Google Workspace’s Advanced Mobile Management features in conjunction with Apple’s Managed Open In framework.
The correct action is to clear the checkbox labeled “Allow items created with managed apps to open in unmanaged apps” (Option D). This setting restricts the flow of content between managed and unmanaged apps on iOS. When this setting is disabled, users are prevented from using features like copy/paste, share, or "Open in" to transfer data outside of approved, managed environments—effectively stopping unauthorized data exfiltration.
Let’s review why the other choices fall short:
A: Although this option sounds relevant, the setting described does not exist verbatim in the Admin Console, making it misleading. Data protection policies are enforced through more specific app management features, not a generic "disable copy" checkbox.
B: Disabling “Open Docs in Unmanaged Apps” only applies to how users open documents and does not provide complete protection against copying or sharing content. It’s not comprehensive enough for this security requirement.
C: Enabling Basic Mobile Management only provides limited control—such as enforcing passwords or performing device wipes. It lacks the granular capabilities needed to control app-level data sharing between managed and unmanaged environments.
By clearing the appropriate setting (Option D), administrators enforce a strict data boundary, protecting company data from leaving the secure, managed app ecosystem. This ensures compliance with security policies aimed at preventing data leakage while maintaining usability for legitimate business purposes.
Therefore, the best and most precise action to meet the requirement is D.
Some employees at your company can still access Google Drive from personal, unmanaged devices—even though you’ve implemented Context-Aware Access policies to restrict access to only corporate-managed desktops.
What two initial troubleshooting steps should you take to determine why the restrictions aren't working? (Choose two.)
A. Confirm the user has a Google Workspace Enterprise Plus license
B. Delete and reconfigure the Context-Aware Access policy
C. Check if the device policy app is installed on their devices
D. Verify the user has a Google Workspace Business license
E. Confirm Endpoint Verification is installed on the desktops
Answer: A, E
When users are able to bypass Context-Aware Access (CAA) restrictions, the root cause is often a licensing issue or a missing client-side tool that validates device posture. To troubleshoot this effectively, two critical factors should be verified first:
A. Confirm the user has a Google Workspace Enterprise Plus license
Context-Aware Access is not available to all Google Workspace users—it is restricted to specific subscription tiers, such as Enterprise Plus, Education Plus, and Enterprise Essentials Plus. If users don't have the right tier, even correctly configured CAA policies won’t apply. Ensuring users have the appropriate license is the first step in confirming that policy enforcement is even possible.
E. Confirm Endpoint Verification is installed on the desktops
Endpoint Verification is a lightweight agent that must be installed on user devices for Google Workspace to assess whether a device is corporate-managed. It feeds essential data—like operating system, encryption status, and domain membership—back to Google for evaluation against your access policies. If this component is missing or inactive, Google cannot validate the device’s trust level, causing the policy to be bypassed.
Now, let’s examine why the other options are less suitable for initial diagnosis:
B. Deleting and reconfiguring the Context-Aware Access policy may be considered later, but it is premature until you've verified foundational requirements like licensing and device configuration.
C. Checking whether the device policy app is installed is relevant for mobile devices or Chrome OS management, not for desktops, where Endpoint Verification is the key component.
D. Verifying a Business license doesn’t help, as CAA requires a higher-tier license. A Business license alone is insufficient, making this an unhelpful troubleshooting step.
In summary, checking for both proper licensing and the presence of Endpoint Verification is the most effective starting point for understanding why CAA restrictions may not be working as intended.
Your organization recently enabled spoofing protection to block unauthenticated emails. Now, you’re receiving multiple complaints from users about missing emails from external partners. You discover that these emails are being quarantined.
What should you do next to allow users to access these messages while keeping security controls in place?
A. Add your partner domains’ IP addresses to the Inbound Gateway
B. Adjust spoofing protection to send flagged emails to spam instead of quarantine
C. Add your partner IP addresses to the email allowlist
D. Change the spoofing protection to deliver emails to inboxes with a warning banner
Answer: D
In this case, spoofing protection was activated to ensure that only authenticated messages are delivered to users. However, this policy has unintentionally caused legitimate messages from partner organizations to be quarantined—likely due to those partners lacking proper SPF, DKIM, or DMARC configurations. While this helps protect against email spoofing, it can lead to communication issues and user frustration.
The most appropriate and balanced approach is to modify the spoofing policy to allow flagged emails into user inboxes with a clear warning message. This is represented by Option D.
Delivering these emails with a custom warning banner ensures that:
Security is maintained: The email is still flagged, alerting users to potential issues.
Visibility is improved: Users can access emails they might need, reducing internal helpdesk complaints and productivity losses.
User awareness increases: The banner educates users to be cautious but doesn’t block access entirely.
Temporary mitigation is possible: This allows time for IT to work with partner organizations to update their SPF/DKIM/DMARC records without completely halting communication.
Here’s why the other options are less suitable:
A. Adding IPs to the Inbound Gateway is meant for trusted, internal mail relays, not third-party partner IPs. Misusing this setting may inadvertently open security loopholes.
B. Delivering messages to spam makes them hard to find and might still lead to user complaints. Spam folders are often ignored or cleaned out automatically.
C. Creating IP-based allowlists can pose a serious security risk. If a partner’s IP is ever compromised, it could bypass your security entirely. Without solid trust and monitoring, this is a poor long-term strategy.
In conclusion, modifying spoofing protection to allow email delivery with a warning banner (Option D) provides a secure yet user-friendly compromise. It lets users receive important messages while the organization works toward a more permanent, secure resolution.
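To decide which partners to contact about their SPF/DKIM/DMARC records, the quarantined messages can be grouped by sender domain and failing check. The script below is an added example, not part of the original question set; the sample messages are constructed, and it assumes a message counts as unauthenticated when neither SPF nor DKIM passes and that the receiving server's authserv-id is `mx.google.com`.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Assumption: Gmail is the receiving server and stamps this authserv-id.
TRUSTED_AUTHSERV_ID = "mx.google.com"
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample messages (headers only); all domains are placeholders.
SAMPLE_MESSAGES = [
    # SPF does not cover the sending host and the message is unsigned.
    "Authentication-Results: mx.google.com;\n"
    " spf=softfail smtp.mailfrom=billing@partner-a.example;\n"
    " dmarc=fail header.from=partner-a.example\n"
    "From: Billing <billing@partner-a.example>\n\nbody\n",
    # A sender-supplied header claims a pass; only the receiver's header counts.
    "Authentication-Results: mx.google.com;\n"
    " spf=none smtp.mailfrom=ops@partner-b.example\n"
    "Authentication-Results: mail.partner-b.example; spf=pass; dkim=pass\n"
    "From: ops@partner-b.example\n\nbody\n",
    # Fully authenticated partner: nothing to fix.
    "Authentication-Results: mx.google.com;\n"
    " spf=pass smtp.mailfrom=news@partner-c.example;\n"
    " dkim=pass header.i=@partner-c.example;\n"
    " dmarc=pass header.from=partner-c.example\n"
    "From: news@partner-c.example\n\nbody\n",
    # SPF passes for a third-party bounce domain; the DKIM signature is broken.
    "Authentication-Results: mx.google.com;\n"
    " spf=pass smtp.mailfrom=bounce@mailer.example;\n"
    " dkim=fail header.i=@partner-a.example;\n"
    " dmarc=fail header.from=partner-a.example\n"
    "From: Sales <sales@partner-a.example>\n\nbody\n",
]


def parse_auth_results(raw_message):
    """Return the receiver's SPF/DKIM/DMARC verdicts and the From domain."""
    msg = message_from_string(raw_message)
    verdict = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, body = header.partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue  # written by another hop, or forged by the sender
        for method, result in METHOD_RE.findall(body):
            method = method.lower()
            if verdict[method] != "pass":  # any passing signature wins
                verdict[method] = result.lower()
        break  # the topmost trusted header is the one the receiver added
    address = parseaddr(msg.get("From", ""))[1]
    verdict["from_domain"] = address.rpartition("@")[2].lower()
    return verdict


def triage(raw_messages):
    """Group verdicts by From domain for partner follow-up."""
    report = defaultdict(
        lambda: {"messages": 0, "unauthenticated": 0, "not_passing": set()}
    )
    for raw in raw_messages:
        v = parse_auth_results(raw)
        entry = report[v["from_domain"]]
        entry["messages"] += 1
        if v["spf"] != "pass" and v["dkim"] != "pass":
            entry["unauthenticated"] += 1
        entry["not_passing"].update(
            m for m in ("spf", "dkim", "dmarc") if v[m] != "pass"
        )
    return dict(report)


def domains_needing_fix(raw_messages):
    """Domains that sent at least one message with neither SPF nor DKIM passing."""
    report = triage(raw_messages)
    return sorted(d for d, e in report.items() if e["unauthenticated"])


if __name__ == "__main__":
    for domain, entry in sorted(triage(SAMPLE_MESSAGES).items()):
        print(domain, entry)
```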
You're managing Google Workspace and need to delete a temporary user from the Marketing team. This user created several documents in their personal Drive (My Drive), and the Marketing Manager needs ongoing access to these files after the user account is removed. The files should only be accessible to the manager.
What is the best way to handle this situation before deleting the user account?
A. During the deletion process, choose “Transfer” under the data transfer section and enter the manager’s email
B. Use Google Vault to apply a retention policy to the user's organizational unit
C. Add the user to a shared drive as a contributor and move the documents there before deletion
D. Have the user move the documents to a folder and share that folder with the manager
Answer: A
Explanation:
When deleting a user account in Google Workspace, it is critical to handle data preservation properly—especially if the user has created valuable documents in their My Drive. If a user account is deleted without transferring ownership of their files, all content tied to their Drive is permanently deleted and cannot be recovered.
The correct approach is Option A, which leverages Google Workspace’s built-in admin console functionality to transfer data ownership. During the deletion process, admins are given the option to transfer Drive and Gmail data to another user. By selecting this option and entering the Marketing Manager’s email address, all files from the user’s My Drive are securely moved to the manager’s account. This ensures continuity and access while meeting the requirement that only the manager can view the content.
Option B refers to Google Vault, which is designed for data retention and legal holds, not file access or ownership transfer. It allows archived data to be held for compliance, but does not help with daily usability or visibility by the manager.
Option C involves shared drives, which can preserve files after a user is deleted because shared drive content is owned by the organization. However, shared drives offer broader visibility to all members, violating the request for exclusive access by the manager. Also, not all file types can be moved to shared drives, and it depends on proper setup ahead of deletion.
Option D relies on the user to move and share files manually. This process is risky and prone to human error, especially if the user forgets or is unavailable. Sharing also doesn’t transfer ownership, meaning that deletion of the account could still result in inaccessible data.
Thus, using the admin console’s data transfer option during deletion ensures complete, private, and reliable file ownership transfer to the intended recipient.
As a Google Workspace administrator, you’ve been asked to identify which third-party applications have been granted access to Workspace data before implementing access controls. What is the correct way to begin this review?
A. Go to Admin Console > Security > API Controls > App Access Control > Manage Third Party App Access
B. Go to Admin Console > Security > API Controls > App Access Control > Manage Google Services
C. Go to Admin Console > Security > Less Secure Apps
D. Go to Admin Console > Security > API Controls > App Access Control > Settings
Answer: A
Explanation:
Before enforcing new policies on third-party app access within Google Workspace, administrators must first assess which applications have already been authorized by users. This step helps identify potential risks and informs decisions on whether to allow, block, or trust certain applications.
Option A is the correct procedure. Within the Admin Console, the correct navigation is: Security > API Controls > App Access Control > Manage Third Party App Access. This section displays all third-party applications that users have authorized via OAuth 2.0 to access services such as Gmail, Drive, or Calendar. The page includes crucial details like the app’s name, developer, number of users who have authorized it, and the scopes of access each app has.
This view allows administrators to:
Detect apps with excessive access privileges
Audit who is using which apps
Decide whether to block or trust specific apps
Ensure the organization's security policies are properly enforced
Option B is misleading—it refers to Manage Google Services, which is meant for enabling or disabling access to native Google tools like Gmail or Docs, not third-party apps.
Option C, "Less Secure Apps," applies to legacy applications that don’t support OAuth 2.0. It does not show a list of currently authorized third-party applications and is becoming obsolete as Google phases out support for such apps.
Option D leads to general App Access Control settings, where you define whether users are allowed to authorize third-party apps. While useful for policy creation, it does not give visibility into the specific apps that have already been approved.
To ensure a thorough security review before implementing restrictions, administrators must begin with "Manage Third Party App Access", where they can analyze current authorizations and maintain better data governance.
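The same review can be reproduced offline from exported grant records: group them per app, count distinct users, and put apps holding broad scopes first. This is an added example, not part of the original question set; the records are constructed in the shape of Admin SDK Directory API `tokens` resources (`clientId`, `displayText`, `userKey`, `scopes`), and the `BROAD_SCOPES` shortlist is an illustrative assumption to adapt to your own policy.

```python
from collections import defaultdict

PREFIX = "https://www.googleapis.com/auth/"

# Illustrative shortlist of scopes that grant broad access; extend per policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    PREFIX + "drive",
    PREFIX + "admin.directory.user",
}

# Constructed records; client IDs, user keys and app names are placeholders.
SAMPLE_TOKENS = [
    {"userKey": "user-001", "clientId": "1001-constructed", "displayText": "PDF Converter",
     "scopes": [PREFIX + "drive"]},
    {"userKey": "user-002", "clientId": "1001-constructed", "displayText": "PDF Converter",
     "scopes": [PREFIX + "drive", PREFIX + "userinfo.email"]},
    {"userKey": "user-003", "clientId": "1001-constructed", "displayText": "PDF Converter",
     "scopes": [PREFIX + "drive"]},
    {"userKey": "user-001", "clientId": "1002-constructed", "displayText": "Mail Merge Pro",
     "scopes": ["https://mail.google.com/", PREFIX + "drive.file"]},
    {"userKey": "user-002", "clientId": "1003-constructed", "displayText": "Calendar Widget",
     "scopes": [PREFIX + "calendar.readonly"]},
    {"userKey": "user-004", "clientId": "1003-constructed", "displayText": "Calendar Widget",
     "scopes": [PREFIX + "calendar.readonly"]},
]


def inventory(tokens):
    """Summarise grants per app, most concerning first.

    Sort order: more broad scopes, then more users, then app name.
    """
    apps = defaultdict(lambda: {"app": "", "users": set(), "scopes": set()})
    for token in tokens:
        entry = apps[token["clientId"]]
        entry["app"] = token.get("displayText") or token["clientId"]
        entry["users"].add(token["userKey"])  # a set, so repeat grants count once
        entry["scopes"].update(token.get("scopes", []))

    rows = []
    for client_id, entry in apps.items():
        rows.append({
            "client_id": client_id,
            "app": entry["app"],
            "users": len(entry["users"]),
            "scopes": sorted(entry["scopes"]),
            "broad": sorted(entry["scopes"] & BROAD_SCOPES),
        })
    rows.sort(key=lambda r: (-len(r["broad"]), -r["users"], r["app"]))
    return rows


def review_queue(tokens):
    """Names of apps that hold at least one broad scope, in review order."""
    return [row["app"] for row in inventory(tokens) if row["broad"]]


if __name__ == "__main__":
    for row in inventory(SAMPLE_TOKENS):
        flag = "REVIEW" if row["broad"] else "ok"
        print(f'{flag:6} {row["app"]:16} users={row["users"]} broad={row["broad"]}')
```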
Your organization needs to monitor the activities of Google staff, particularly when they access support cases involving your data. Which feature in the Google Admin Console provides this detailed visibility?
A. From Google Admin Panel, go to Audit, and select Access Transparency Logs
B. From Google Admin Panel, go to Audit, and select Login Audit Log
C. From Google Admin Panel, go to Audit, and select Rules Audit Log
D. From Google Admin Panel, go to Audit, and select Admin Audit Log
Answer: A
Explanation:
Organizations that rely on Google Workspace often require insight into how Google’s internal personnel access and interact with their data, especially during support or troubleshooting engagements. The Access Transparency Logs feature in the Google Admin Console is specifically designed to meet this need by providing detailed records of Google staff activity.
Access Transparency logs document important details such as the exact time Google employees accessed your content, the reasons behind the access (including related support case numbers), and obfuscated but traceable identifiers for the personnel involved. This level of visibility is critical for compliance-driven organizations, those with strict data governance policies, and anyone concerned with data sovereignty and zero-trust security principles. It enables auditing and accountability by showing what actions Google staff performed on your data.
Let’s briefly review why the other options do not fit this use case:
Login Audit Log (B) records user sign-in attempts across your domain, providing details about devices and IP addresses, but it does not track actions taken by Google support staff.
Rules Audit Log (C) monitors changes and triggers related to Admin Console rules (like alerts or automated responses) but does not record Google personnel activities.
Admin Audit Log (D) captures actions by your organization’s administrators within the Admin Console but doesn’t track external access by Google employees.
Therefore, if your goal is to audit and gain transparency into the exact activities of Google’s support and engineering teams accessing your data—especially in the context of support cases—Access Transparency Logs are the most appropriate and comprehensive tool. This feature is typically available to Google Workspace Enterprise Plus and Education Plus customers and is essential for maintaining high trust and compliance standards.
After suffering a sophisticated malware attack via embedded macros in email attachments, what additional security measure should your Workspace administrator implement to protect against unknown future threats?
A. Run queries in Security Investigation Tool
B. Turn on advanced phishing and malware protection
C. Enable Security Sandbox
D. Enable Gmail confidential mode
Answer: C
Explanation:
When an organization has been targeted by a sophisticated malware attack delivered through embedded macros in email attachments, conventional antivirus or malware scanning features are often insufficient. Such attacks are frequently zero-day or novel threats designed to evade signature-based detection. To address these advanced risks, Google Workspace offers the Security Sandbox feature, which is the best additional protective layer to enable.
Security Sandbox works by isolating email attachments in a virtual, controlled environment before they reach users. Within this sandbox, suspicious files are executed and monitored for any malicious behavior, such as launching macros, network connections, or file manipulations that typical malware scanning might miss. If suspicious activity is detected, the attachment is flagged or blocked before it can cause harm. This behavior-based analysis is crucial in identifying zero-day exploits and evasive threats, giving your organization proactive defense beyond traditional malware scanning.
The other options, while useful in their own contexts, do not provide this proactive, advanced protection:
Security Investigation Tool (A) is a reactive forensic tool that helps administrators investigate and respond after an attack, but it cannot prevent threats from reaching users initially.
Advanced phishing and malware protection (B) enhances baseline Gmail defenses with machine learning and reputation filters but may still fail to detect novel, macro-enabled malware lacking known signatures.
Gmail confidential mode (D) protects message content from unauthorized sharing and forwarding but does not scan or block malware threats.
In conclusion, enabling Security Sandbox is the most effective way for Workspace administrators to add a robust, proactive security layer. By executing suspicious attachments in a secure environment and analyzing their behavior, Security Sandbox helps stop advanced malware before it can infiltrate your organization, significantly improving your defense against future unknown threats.