Google

Associate-Google-Workspace-

Administrator
Associate Google Workspace Administrator Certification

QUESTION & ANSWERS

https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator
QUESTION: 1

An executive at your organization asked you to give their executive administrator access to their Workspace
account. You need to ensure that this executive administrator can manage emails in the executives account.
You need to maintain security and privacy of the executives account. What should you do?

Option A : Assist the executive in setting up email forwarding to their executive administrator.
Option B : Instruct the executive to share their password with their executive administrator.
Option C :

Create a Google Group, and add all executive administrators. Enable delegated access to the Group.

Option D :

Grant delegated access to the executive's Gmail account, and assign access to their executive
administrator in Gmail settings.

Correct Answer: D

Explanation/Reference:

Granting delegated access allows the executive administrator to manage the executives emails without requiring access to the

executives password. This solution ensures security and privacy by limiting the permissions to email management only, while

keeping the executives account secure. The executive administrator will be able to send, read, and delete emails on behalf of

the executive, but they wont have access to other aspects of the account.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 2

You are responsible for ensuring that new employees are automatically provisioned with Google Workspace
accounts when they are onboarded in your company. Which two actions will achieve this objective? (Choose
2)

Option A : Use the Google Admin SDK Directory API to programmatically add new users when triggered by
a custom workflow.
Option B : Configure Google Cloud Directory Sync (GCDS) to synchronize users from your on-premises
Active Directory or LDAP server.
Option C : Manually create a CSV file with new user details and upload it to the Admin Console.
Option D : Set up an App Script that automatically creates users when a Google Form submission is
detected.
 Correct Answer: A,B

Explanation/Reference:

The Admin SDK Directory API allows programmatic user provisioning, enabling automation based on custom workflows (e.g.,

onboarding systems). This option is highly flexible and suitable for organizations looking to integrate with third-party HR

systems or internal tools.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 3

The organization wants to reduce the risk of phishing attacks by ensuring that only authorized senders can
send emails on behalf of your domain. Which configuration should you implement to meet this requirement?

Option A : Set up a custom Gmail filter to block emails with suspicious subject lines.
Option B : Enable DMARC and configure it with a "none" policy.
Option C : Configure an MX record to point to Gmail's servers.
Option D : Add SPF records to your domain's DNS and configure DKIM signing for outbound emails.

Correct Answer: D

Explanation/Reference:

Custom Gmail filters are useful for managing spam and unwanted messages but are not a substitute for authentication

protocols like SPF, DKIM, and DMARC. Filters cannot prevent spoofing or phishing from unauthorized senders.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 4

Your company operates several primary care clinics where employees routinely work with protected health
information (PHI). You are in the process of transitioning the organization to Google Workspace from a legacy
communication and collaboration system. After you sign the Business Associate Agreement (BAA), you need
to ensure that data is handled in compliance with regulations when using Google Workspace. What should
you do?

Option A :

Implement a third-party backup service that is also compliant with Google Workspace core services.
 Option B : Create a label for Google Drive content to help employees identify sensitive data.
Option C :

Instruct the staff to not store any PHI in Google Workspace core services, including Google Drive. Docs.
Sheets, and Keep.

Option D : Disable integrations with third-party apps and turn off non-core Google services.

Correct Answer: B

Explanation/Reference:

To ensure compliance with regulations when handling protected health information (PHI) in Google Workspace, creating labels

for sensitive data, such as PHI, helps employees identify and manage this information properly. Labels can be used to mark

files that contain sensitive data, providing an additional layer of organization and protection. This approach aligns with

regulatory requirements by ensuring that employees can easily distinguish PHI from other data and apply the necessary

policies and security measures.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 5

A user reports that an entire shared folder was accidentally deleted from Google Drive. The folder was
deleted five days ago, and it contained collaborative files critical to a current project. You need to restore the
folder quickly, ensuring that sharing permissions and metadata are preserved. What should you do?

Option A : Enable Google Takeout for the user and instruct them to export and restore the deleted folder
content from their Google Drive archive.
Option B : Open a ticket with Google Support to request recovery of the deleted folder.
Option C : Use Google Vault to search for the folder. Export the folder content in a compressed format,
then upload the folder back into the user’s Drive.
Option D : Search for the user’s account in the Google Workspace Admin console. Select the user account.
Click Restore Data, then select the correct date range. Select More Options, Drive as the application, and
click Restore.

Correct Answer: D

Explanation/Reference:

Google Takeout is a data export tool and cannot restore deleted files. It is unsuitable for this scenario.
QUESTION: 6

One of your users is experiencing issues sending emails from their Google Workspace account. You want to
identify and resolve the problem using support resources. Which of the following actions should you take?

Option A : Suggest the user clear their browser cache and cookies.
Option B : Verify if the user’s email address is blocked in the Google Workspace Admin console.
Option C : Search the Google Workspace Community Forum for similar cases.
Option D : Check the Google Workspace Status Dashboard for any outages related to Gmail.

Correct Answer: D

Explanation/Reference:

While clearing the browser cache can resolve browser-related issues, it is unlikely to address a problem with sending emails.

This step is better suited for interface problems rather than functional issues with Gmail.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 7

A user has legally changed their name, and you need to update their Google Workspace account to reflect
this. You also need to update their primary email address to match their new name. Which of the following
actions are required to correctly update the user’s information? (Choose 2)

Option A : Notify the user that the old email address will immediately stop receiving messages.
Option B : Add the updated email address as an email alias for the user.
Option C : Delete the existing user account and create a new account with the updated name and email
address.
Option D : Update the user’s primary email address from the Account Settings in the Admin Console.
Option E : Navigate to Users in the Admin Console, locate the user, and edit their name.

Correct Answer: D,E

Explanation/Reference:

The old email address automatically becomes an alias when updating the primary email, ensuring that messages sent to the

old address are not lost.

 Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 8

Your organizations users are reporting that a large volume of legitimate emails are being misidentified as
spam in Gmail. You want to troubleshoot this problem while following Googlerecommended practices. What
should you do?

Option A : Adjust the organizations mail content compliance settings in the Admin console.
Option B : Advise users to individually allowlist senders.
Option C : Disable spam filtering for all users.
Option D : Contact Google Workspace support and report a suspected system-wide spam filter
malfunction.

Correct Answer: D

Explanation/Reference:

If legitimate emails are being misidentified as spam across the organization, it suggests that there may be a broader issue with

the spam filtering system. Contacting Google Workspace support to investigate and resolve the problem is the recommended

approach. Disabling spam filtering or adjusting individual settings may not resolve the root cause and could potentially lead to

further issues.

QUESTION: 9

Your organization wants to monitor and secure desktop and laptop devices accessing Google Workspace.
After enabling endpoint verification in the Google Workspace Admin console, some devices are not showing
up in the devices list. What is the most likely cause of this issue?

Option A : Endpoint verification requires that all devices be enrolled in Advanced Mobile Management.
Option B : The Endpoint Verification Chrome extension has not been installed on the devices.
Option C : Endpoint verification requires manual installation of an agent on each device.
Option D : Users have not signed into their Google Workspace accounts on the affected devices.

Correct Answer: B
Explanation/Reference:

Advanced Mobile Management is specific to mobile devices and is unrelated to endpoint verification for desktops and laptops.

Associating it with endpoint verification reflects a misunderstanding of the two features.

 Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 10

You are tasked with creating a new user account for a contractor in your Google Workspace domain. The
contractor only needs limited access for three months. How can you best manage their account lifecycle?

Option A : Add the contractor to the organization as a shared user without creating a full account.
Option B : Assign the contractor a permanent license and delete their account when the contract ends.
Option C : Assign a temporary license, set an account expiration date, and automatically suspend the
account after three months.
Option D : Set a calendar reminder to manually delete the account after three months.

Correct Answer: C

Explanation/Reference:

Google Workspace does not support shared user access without creating a full account. Sharing access to resources like shared

drives without proper user accounts can violate organizational security policies.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 11

Your organization is required to retain all email communications related to financial transactions for seven
years to comply with regulatory requirements. How should you configure Google Vault to meet this
requirement?

Option A : Create a custom retention rule in Google Vault for Gmail that targets messages with financial
keywords and sets the retention period to seven years.
Option B : Create a custom retention rule in Google Vault for Gmail that applies to all messages in specific
organizational units and sets the retention period to seven years.
Option C : Set up a custom retention rule in Google Vault for Drive files containing financial keywords and
configure the retention period to seven years.
Option D : Configure a matter in Google Vault to monitor financial communications for seven years.

Correct Answer: B

Explanation/Reference:

While targeting messages with financial keywords might seem appropriate, Google Vault's retention rules do not support

keyword-based retention. Retention rules are applied based on services, OUs, or accounts, not specific content.
QUESTION: 12

Your company is rolling out a new Gmail compliance rule to prevent employees from sending emails with
unapproved attachments. The compliance team needs to ensure the rule is functioning correctly without
causing issues for users in production. What is the best way to test the rule?

Option A : Create a Gmail routing rule that automatically forwards emails with unapproved attachments to
an admin email for review during testing.
Option B : Enable the compliance rule for the top-level organizational unit but add a condition that only
applies it to test accounts for a limited time.
Option C : Use the “Try it now” feature in the Admin console to simulate the rule and analyze its potential
impact on test emails.
Option D : Apply the compliance rule to a specific test organizational unit that contains non-production
accounts and use Email Log Search to analyze the results.

Correct Answer: D

Explanation/Reference:

Forwarding emails to an admin email is not a comprehensive testing approach and does not simulate the actual rule's effect on

users.

Download Now: https://www.dumpscollege.com/exam/Associate-Google-Workspace-Administrator

QUESTION: 13

Your company has set up a group hierarchy with a parent group for the “Engineering” department and sub-
groups for “Frontend,” “Backend,” and “DevOps” teams. The Engineering managers want all announcements
sent to the parent group to propagate to the sub-groups, but they also want to prevent sub-group members
from replying to these announcements. How should you configure the groups?

Option A : Configure all groups as “Announcement-only” and use email filters to manage communication
flow.
Option B : Set all sub-groups to “Discussion” mode and manually restrict reply permissions for each sub-
group.
Option C : Set the parent group to “Restricted posting,” and configure sub-groups to block incoming
messages from the parent group.
Option D : Set the parent group to “Announcement-only” and ensure sub-groups are configured to inherit
messages from the parent group.

Correct Answer: D
Explanation/Reference:

Making all groups “Announcement-only” prevents sub-group members from discussing among themselves, defeating the

purpose of sub-groups. Email filters are not a scalable or efficient method to manage group communication

QUESTION: 14

Your organization collects credit card information in customer files. You need to implement a policy for your
organizations Google Drive data that prevents the accidental sharing of files that contain credit card
numbers with external users. You also need to record any sharing incidents for reporting. What should you
do?

Option A :

Create a data loss prevention (DLP) rule that uses the predefined credit card number detector, sets the
action to œblock external sharing , and enables the œLog event option

Option B :

Enable Gmail content compliance, and create a rule to block email attachments containing credit card
numbers from being sent to external recipients.

Option C :

Implement a third-party data loss prevention solution to integrate with Drive and provide advanced
content detection capabilities.

Option D :

Configure a data retention policy to automatically delete files containing credit card numbers after a
specified period.

Correct Answer: A

Explanation/Reference:

A data loss prevention (DLP) rule with the predefined credit card number detector will help you identify and prevent the

accidental sharing of files that contain sensitive credit card information. Setting the action to "block external sharing" ensures

that such files cannot be shared externally. Enabling the "Log event" option will record any incidents of external sharing for
auditing and reporting purposes, fulfilling both the security and reporting requirements.

QUESTION: 15

You are tasked with setting up a context-aware access policy to block users from accessing Google Drive
unless they are using company-approved devices. Which configuration must you apply to enforce this policy
correctly?

Option A : Apply a shared drive restriction to enforce the policy on all shared drives within the
organization.
Option B : Configure a group-based policy that blocks access to Google Drive for all unmanaged devices.
Option C : Use Google Workspace DLP to scan devices for compliance and block non-compliant devices
from accessing Google Drive.
Option D : Create a context-aware access level that includes only trusted devices in the access conditions
and apply it to Google Drive.

Correct Answer: D

Explanation/Reference:

Shared drive restrictions apply to specific drives and control file access permissions but do not enforce device compliance for

accessing Google Drive as a whole.

QUESTION: 16

A user reports that they cannot share their Google Calendar with an external email address (e.g.,
[email protected]). What should you check or do first to resolve this issue?

Option A : Ask the user to export their calendar and manually share it as a file.
Option B : Ensure the user's calendar sharing settings allow only internal sharing.
Option C : Check if the external email address is added to the organization’s trusted list.
Option D : Verify that external calendar sharing is enabled in the Admin console.

Correct Answer: D

Explanation/Reference:

This is incorrect because exporting a calendar and sharing it as a file is a workaround and does not resolve the issue with real-
time sharing. This approach would not allow live updates or interaction with the calendar.

QUESTION: 17

Your company has implemented a strict external sharing policy across Google Workspace. The HR
department wants to share a Google Sheet containing employee satisfaction survey results with an external
consultant for analysis. The file is stored in a shared drive. What should you do?

Option A : Enable external sharing on the shared drive and add the consultant’s email with Viewer access
to the specific file.
Option B : Update the HR department's organizational unit to override the external sharing restriction and
allow "Anyone with the link" sharing for their shared drive.
Option C : Change the Google Workspace domain-wide sharing setting to allow "Anyone with the link"
access.
Option D : Share the file via email attachment with the external consultant to bypass the sharing
restriction.

Correct Answer: A

Explanation/Reference:

Enabling external sharing for the shared drive and explicitly granting Viewer access to the consultant aligns with the principle

of least privilege, ensuring the external collaborator only accesses what they need. This option respects domain-wide sharing

settings and requires no unnecessary policy changes.

QUESTION: 18

Your organization uses Google Workspace and has set up organizational units based on departments (e.g.,
Finance, HR, IT). The organization recently acquired another company, and you’ve created a new parent
organizational unit for its users. To ensure that employees from the new company do not share Google Drive
files with employees in your existing organization unless explicitly approved, what should you do?

Option A : Turn on trust rules for Google Drive sharing and set rules to block sharing between the
organizational units of the two companies.
Option B : Enable target audiences for Google Drive and set each company’s users as the primary
audience for their respective company.
Option C : Turn off link-sharing options for the new company's organizational unit.
Option D : Create a Google Group for each company and configure sharing settings to restrict file sharing
based on group membership.
 Correct Answer: A

Explanation/Reference:

Trust rules allow granular control over sharing between organizational units, making them the ideal solution for restricting

sharing between the original organization and the newly acquired company.

QUESTION: 19

Your organization requires a complete export of all user data (Gmail, Drive, Calendar, etc.) for archiving
purposes before transitioning to another platform. You have been tasked with initiating the data export
process using the Data Export tool. Which prerequisite must you ensure before initiating the export?

Option A : Ensure the Google Workspace account has been active for at least 30 days.
Option B : Enable "Data Export" in the Admin Console and assign a Data Export role to the appropriate
admin.
Option C : Migrate all users to a single Organizational Unit (OU) to simplify data export.
Option D : Enable API access for all users in the Admin Console.

Correct Answer: A

Explanation/Reference:

The Data Export tool requires that the Google Workspace account has been active for at least 30 days to prevent abuse or

fraud, such as using the tool to export data from a newly created and potentially compromised account.

QUESTION: 20

You are configuring Google Vault for your organization to comply with data retention policies and ensure
eDiscovery requirements are met. Which of the following actions should you take to set up a retention rule
for all Gmail messages in your domain for 7 years, ensuring deleted emails are also retained for that
duration?

Option A : Use Google Vault to export all Gmail messages to Google Drive and configure a 7-year
retention period.
Option B : Enable "Archive Gmail" in the Google Admin Console to ensure emails are saved for 7 years
automatically.
Option C : Create a custom retention rule in Vault and specify Gmail as the data source with a retention
 period of 7 years.
Option D : Turn on "Keep Deleted Messages" in the Gmail settings under the Google Admin Console.

Correct Answer: C

Explanation/Reference:

Exporting data from Google Vault to Google Drive does not fulfill retention policy requirements. Google Vault's retention rules

must be configured within Vault to ensure compliance. Exported data cannot enforce automatic retention policies.

QUESTION: 21

Your organization is planning to implement a new Gmail configuration that modifies the routing for external
emails based on sender domains. The management wants to ensure the configuration works correctly and
doesn’t disrupt email traffic for production users. You need to test this new configuration before deployment.
What should you do?

Option A : Use the Gmail Test Configuration Tool in your production domain to simulate email delivery for
selected users.
Option B : Create a test domain that mirrors the production domain’s organizational unit structure and
implement the new configuration for testing.
Option C : Apply the new configuration to a small set of users within the production organizational unit
and monitor the logs for delivery behavior.
Option D : Deploy the new configuration globally but enable Email Log Search to monitor and revert any
unintended delivery changes.

Correct Answer: B

Explanation/Reference:

Gmail does not offer a specific "Test Configuration Tool" for simulating email delivery. This option is misleading and assumes a

feature that doesn't exist.

QUESTION: 22

An end user has thousands of files stored in Google Drive. Their files are well organized with Drive labels. You
need to advise the end user on how to quickly identify all files that are contracts. What should you do?
 Option A : Advise the user to use the Google Drive API to search for files with the keyword "contracts'
Option B :

Advise the user to search in Drive for files with the keyword "contracts', and use the "modified by me'
filter.

Option C : Advise the user to search for files that are labeled as "contracts'.
Option D :

Advise the user to use the Investigation tool to search for files with the keyword "contracts' and updated
by you.

Correct Answer: C

Explanation/Reference:

Since the files are already organized with labels in Google Drive, the most efficient way for the user to quickly identify all files

that are contracts is to search for files with the "contracts" label. This will filter and display only the files labeled as contracts,

making it the quickest and most straightforward method for locating the required files.

QUESTION: 23

Your organization needs to ensure that sensitive documents stored in Google Drive are shared only with
internal users. You want to monitor sharing activity and enforce compliance policies. Which two actions
should you take to achieve this? (Choose 2)

Option A : Enable Drive audit logs in the Admin Console.

Option B : Restrict external sharing in the Drive sharing settings for all OUs.
Option C : Use the Security Investigation Tool to review Drive sharing permissions.
Option D : Enable Google Vault holds for sensitive files.
Option E : Set up a data loss prevention (DLP) policy for Drive in the Admin Console.

Correct Answer: C,E

Explanation/Reference:

Audit logs provide visibility into user activity but do not actively enforce compliance policies. They are useful for monitoring but

not sufficient on their own.

QUESTION: 24

You are a Google Workspace administrator for a company that has recently acquired another business. Your
task is to add the new business's domain, newcompany.com, to your Google Workspace organization. Which
of the following steps must you complete to successfully add and verify the domain?

Option A : Add newcompany.com as a secondary domain in the Admin console.

Option B : Verify ownership of the domain newcompany.com using one of Google's verification methods.
Option C : Set newcompany.com as the primary domain for the organization.
Option D : Change the MX records of newcompany.com to point to Google Workspace mail servers.

Correct Answer: A

Explanation/Reference:

Adding the domain as a secondary domain in the Admin console is the first step to integrating the domain into your Google

Workspace organization. It ensures the domain is linked to your organization and can be managed within the same Admin

console.

QUESTION: 25

Several employees at your company received messages with links to malicious websites. The messages
appear to have been sent by your companys human resources department. You need to identify which users
received the emails and prevent a recurrence of similar incidents in the future. What should you do?

Option A :

Search the senders email address by using Email Log Search. Identify the users that received the
messages. Instruct them to mark them as spam in Gmail, delete the messages, and empty the trash.

Option B :

Search for the senders email address by using the security investigation tool. Mark the messages as
phishing. Add the senders email address to the Blocked senders list in the Spam, Phishing and Malware
setting in Gmail to automatically reject future messages.

Option C :

Collect a list of users who received the messages. Search the recipients email addresses in Google Vault.
Export and download the malicious emails in PST file format. Add the senders email address to a
quarantine list setting in Gmail to quarantine any future emails from the sender.
 Option D :

Search for the senders email address by using the security investigation tool. Delete the messages. Turn
on the safety options for spoofing and authentication protection in Gmail settings.

Correct Answer: B

Explanation/Reference:

The security investigation tool in Google Workspace allows you to identify the impacted users and messages. By marking the

messages as phishing, you acknowledge their malicious nature, helping to protect the users. Adding the senders email address

to the Blocked senders list ensures that future messages from this sender will be automatically blocked, preventing recurrence

of similar incidents.

QUESTION: 26

Your manager has asked you to enforce a context-aware access policy to restrict access to sensitive apps
based on users' location and device compliance status. What is the correct sequence of steps to achieve this
in the Google Workspace Admin console?

Option A : Turn on data loss prevention (DLP) policies, configure mobile device management (MDM), and
apply the policy to sensitive apps.
Option B : Enable two-factor authentication, configure mobile device management (MDM), and apply
context-aware access to individual user accounts.
Option C : Enable context-aware access in the Admin console, create an access level in the Security
section, assign users to the access level, and apply the access level to a group or organizational unit.
Option D : Create a new access level in the Admin console, assign IP restrictions directly to users, and
enforce two-step verification for all users.

Correct Answer: C

Explanation/Reference:

Data loss prevention (DLP) policies and MDM do not replace context-aware access. While they add layers of security, they do

not enforce access restrictions based on location or device compliance.

QUESTION: 27

Your organization recently deployed a policy in Chrome to restrict users from signing in to non-corporate
accounts while using the corporate network. After enabling the policy, some employees report they are
unable to access Google Workspace services, including Gmail and Google Calendar, despite using corporate
accounts. You need to fix this issue while maintaining the restriction for non-corporate accounts. What
should you do?

Option A : Create a whitelist of trusted IP addresses in the Admin console to bypass the restriction for
corporate users.
Option B : Add exceptions for Google Workspace services (e.g., Gmail, Google Calendar) to the Chrome
policy settings.
Option C : Disable the "Restrict sign-in to allowed domains" setting in Chrome to restore access.
Option D : Add the organization’s primary and secondary domains to the list of allowed domains under the
Chrome policy for sign-in restrictions.

Correct Answer: D

Explanation/Reference:

Incorrect because whitelisting IP addresses does not affect sign-in restrictions enforced by Chrome policies.

QUESTION: 28

You work at a large organization that prohibits employees from using Google Sites. However, a task force
comprised of three people from five different departments has recently been formed to work on a project
assigned by the Office of the CIO. You need to allow the users in this task force to temporarily use Google
Sites. You want to use the least disruptive and most efficient approach. What should you do?

Option A : Turn Google Sites access on for each of the 15 users in the task force.
Option B : Create a configuration group for the task force's 15 users. Grant Google Sites access to the
group.
Option C :

Place the 15 task force users into a new organizational unit (OU). Turn on Google Sites access for the OU.

Option D : Create an access group for the task force's 15 users. Grant Google Sites access to the group

Correct Answer: C
Explanation/Reference:

Creating a new organizational unit (OU) for the task force members and turning on Google Sites access for that OU is the least

disruptive and most efficient approach. It allows you to target only the users in the task force, granting them temporary access

to Google Sites without impacting the rest of the organization. This solution also provides clear control over the access, which

can be easily modified when the task forces work is completed.

QUESTION: 29

Your organization is using Google Cloud Directory Sync (GCDS) to synchronize user accounts between Active
Directory (AD) and Google Workspace. After running a test sync, you notice that some accounts were not
synchronized to Google Workspace. Upon investigation, you find that these accounts lack email addresses.
The organization requires all user accounts in AD to sync properly. What should you do to resolve this issue?

Option A : Add email addresses to the Mail attribute in AD for the user accounts that failed to sync. Ensure
the email domain matches your Google Workspace domain.
Option B : Create email aliases for the missing accounts directly in Google Workspace and map them to
AD user objects.
Option C : Set the base distinguished name (DN) in the GCDS configuration to include the entire domain
to capture all accounts, regardless of their attributes.
Option D : Manually create the missing user accounts in Google Workspace and configure them as
primary accounts to bypass the GCDS sync process.

Correct Answer: A

Explanation/Reference:

Google Workspace requires the Mail attribute in AD to be populated with a valid email address for user synchronization. Adding

email addresses that match the Workspace domain ensures successful synchronization.

QUESTION: 30

Your company has a large meeting room that is reserved exclusively for client presentations and cannot be
booked by employees for internal meetings. You need to ensure that only members of the sales and
marketing teams can book the room. What should you do?

Option A : Create a Google Group for the sales and marketing teams and assign it as a co-owner of the
resource calendar.
Option B : Create a shared calendar for the room. Add all members of the sales and marketing teams as
 collaborators with the “Make changes to events” permission.
Option C : Create a resource calendar for the room and set the default visibility to "Public" to allow easy
booking.
Option D : Create a resource calendar for the room and enable the “Restrict room usage to groups”
option. Add the sales and marketing teams to the allowed groups list.

Correct Answer: D

Explanation/Reference:

Assigning the group as a co-owner is unnecessary and doesn’t address the need to restrict usage.

QUESTION: 31

The IT security team has asked you to configure a policy that prevents external sharing of files containing
sensitive keywords, such as "confidential" or "SSN." What is the best way to implement this policy?

Option A : Create a DLP (Data Loss Prevention) rule in the Google Workspace Admin console to detect and
block external sharing of files with sensitive content.
Option B : Use the "Sharing permissions" setting in Google Drive to block all file sharing.
Option C : Use the Google Vault to search and delete files containing sensitive keywords.
Option D : Enable "External Sharing" restriction in Google Drive for all users.

Correct Answer: A

Explanation/Reference:

DLP rules allow administrators to create policies that automatically detect sensitive information in Google Drive and take

actions like blocking sharing or sending alerts. This is the most appropriate and scalable way to manage sensitive content

sharing in Google Workspace.

QUESTION: 32

Your IT department maintains a shared drive for internal training materials. A contractor is hired to update
these materials and requires Editor access to some files in the shared drive. The organization’s external
sharing policy is set to "Restricted." What action should you take?

Option A : Enable external sharing for the shared drive and grant the contractor Editor access only to the
 required files.
Option B : Change the organization's external sharing setting to "Anyone with the link" temporarily for the
contractor.
Option C : Add the contractor to the IT department’s shared drive with the Editor role.
Option D : Move the files the contractor needs to edit to their personal Google Drive and grant them
Editor access there.

Correct Answer: A

Explanation/Reference:

Enabling external sharing for the shared drive and granting Editor access to specific files adheres to the principle of least

privilege while addressing the sharing policy requirements. This approach minimizes the scope of access and ensures policy

compliance.

QUESTION: 33

A user reports that they accidentally deleted a shared folder from their Google Drive containing important
project files. They need the folder and its contents restored immediately, including all sharing permissions
and comments. The deletion occurred 20 days ago. How should you proceed?

Option A : Guide the user to their Drive Trash and ask them to restore the folder manually.
Option B : Search for the user in the Google Workspace Admin console. Use the Restore Data option,
specify the date range, select Drive, and restore the files.
Option C : Open a ticket with Google Support to request a full recovery of the deleted folder.
Option D : Enable Drive File Stream for the user, allowing them to sync their data and recover the folder
from their local device.

Correct Answer: B

Explanation/Reference:

The Trash folder only works if the user hasn’t permanently deleted the files. If the folder is gone, this option fails.

QUESTION: 34

You are tasked with managing access to Google Workspace core services such as Gmail, Drive, and Calendar
for a company. Different departments require tailored access policies. The Marketing team needs full access
to all services, while the Finance team should have access to Drive and Gmail only. How should you
configure access to meet these requirements? (Choose 2)

Option A : Use Groups to assign service access to Marketing and Finance users.
Option B : Apply an access configuration via the Google Workspace Admin API to enforce service
restrictions.
Option C : Create a custom admin role for each department and assign access permissions based on that
role.
Option D : Create separate organizational units (OUs) for Marketing and Finance, and assign service
access at the OU level.
Option E : Enable service access globally at the domain level, then restrict individual services for Finance
users.

Correct Answer: B,D

Explanation/Reference:

Groups are not designed for enforcing service access policies. They are better suited for email communication and

collaboration purposes. Using Groups for access management would not provide the necessary control.

QUESTION: 35

Your company has purchased Gemini licenses for a subset of employees. You need to ensure that only users
in the marketing and sales departments have access to Gemini features by using the most efficient
approach. What should you do?

Option A :

Create a script to assign a Gemini license to new users if they are in marketing or sales. Run the script
daily.

Option B :

Create an organizational unit (OU) for marketing and sales. Assign the Gemini licenses to that OU, and
enable Gemini for that OU only.

Option C : Assign Gemini licenses to each user in the marketing and sales departments.
Option D : Enable Gemini for the entire organization. Instruct users in other departments not to use
Gemini.

Correct Answer: B
Explanation/Reference:

Creating separate organizational units (OUs) for marketing and sales allows you to apply the Gemini licenses to only those

departments. By enabling Gemini for just that OU, you ensure that only the employees in marketing and sales have access to

Gemini features, ensuring an efficient and scalable solution. This avoids the need for manual assignment or unnecessary

instructions to users in other departments.

QUESTION: 36

Your organization has implemented a policy to classify emails based on sensitivity. How can you enforce
classification in Gmail using labels?

Option A : Create an organizational-wide filter to apply specific labels based on predefined criteria.
Option B : Manually apply labels to emails as they are sent.
Option C : Enable users to apply Gmail labels manually, ensuring compliance with classification policies.
Option D : Enable Data Loss Prevention (DLP) rules to automatically tag emails with Gmail labels.

Correct Answer: A

Explanation/Reference:

Administrators can set up filters in the Gmail Admin Console to apply labels automatically to emails that match specific

conditions (e.g., sensitive keywords, sender/receiver domains). This ensures consistency and reduces reliance on user

compliance for classification.

QUESTION: 37

You are tasked with enhancing security by enforcing 2-Step Verification (2SV) for your organization. A user
reports that they are unable to set up 2SV using a hardware security key. What is the most likely reason for
this issue?

Option A : The hardware security key is not compatible with Google Workspace.
Option B : The user’s account is not part of an organizational unit (OU) with 2SV enforcement enabled.
Option C : The user has not installed the Google Authenticator app on their mobile device.
Option D : The user is using an outdated browser that does not support WebAuthn.

Correct Answer: D
Explanation/Reference:

Google Workspace supports a wide range of hardware security keys that comply with FIDO standards. Compatibility is

generally not an issue unless the key is faulty or not properly configured, which is less common than browser compatibility

problems.

QUESTION: 38

Your organization is about to conduct its biannual risk assessment. You need to help identify security risks by
quickly reviewing all security settings for Gmail, Drive, and Calendar. What should you do?

Option A : In the reporting section of the Admin console, review the Gmail, Drive, and Calendar reports.
Option B : In the alert center, review all of the alerts.
Option C : In each individual organizational unit (OU), review the security settings.
Option D : In the Google Admin console, review the security health page.

Correct Answer: D

Explanation/Reference:

The security health page in the Google Admin console provides an overview of security settings and highlights potential risks

across various services, including Gmail, Drive, and Calendar. This page offers a consolidated view of the security posture of

your organization, making it the most efficient option for quickly identifying security risks in preparation for a risk assessment.

QUESTION: 39

An organization wants to ensure compliance with its data retention policies by configuring retention rules in
Google Workspace. Which of the following is the correct step to create a retention rule that applies to Gmail
data only, ensuring it does not unintentionally delete data from other services?

Option A : Configure a rule under Security > Rules > Retention in the Admin console and select Gmail as
the service.
Option B : In Google Vault, select Audit Logs, create a custom retention rule, and apply it to Gmail.
Option C : Use the Admin console to navigate to Reports > Usage, and set up a retention rule for Gmail
from there.
Option D : Use the Google Vault interface, go to Retention, and create a custom rule for Gmail.
 Correct Answer: D

Explanation/Reference:

The Admin console's Security > Rules section is for general security rules and does not support granular retention rules for

specific services like Gmail.

QUESTION: 40

A user in your Google Workspace organization recently changed their last name due to marriage. They
request that their email address reflects their new name while keeping access to their old emails. How
should you proceed to update the user’s email address and preserve access to their existing account and
data?

Option A : Create a new account with the updated name and delete the old account.
Option B : Update the user's primary email address in the Admin Console and automatically migrate data.
Option C : Rename the user's email address in the Admin Console and add their old email address as an
alias.
Option D : Delete the existing account and instruct the user to download their old emails and files before
creating a new account.

Correct Answer: C

Explanation/Reference:

Creating a new account disconnects the user from their existing emails, files, and permissions. Data migration between

accounts is manual and error-prone, making this an inefficient approach.

QUESTION: 41

A user is moving from one department to another, requiring a change in their Google Workspace license from
Business Standard to Business Plus. What is the most efficient way to update their license?

Option A : Manually remove the Business Standard license and add the Business Plus license in the user’s
profile.
Option B : Add the user to a group that automatically applies the Business Plus license and remove them
from the old group.
Option C : Move the user to an organizational unit (OU) configured to apply the Business Plus license.
 Option D : Delete the user’s account and create a new one with the Business Plus license.

Correct Answer: B

Explanation/Reference:

Manually removing and reassigning licenses works, but it is time-consuming and error-prone, especially for organizations with

many users.

QUESTION: 42

Your organization has implemented mobile endpoint management in Google Workspace. Which two actions
should you take to enhance monitoring and security of mobile endpoints? (Choose 2)

Option A : Enable IMAP access for all mobile users.

Option B : Allow unrestricted application installations on managed devices.
Option C : Configure automatic wipe for inactive devices after a set period.
Option D : Enable password enforcement for mobile devices.
Option E : Require encryption for all managed mobile devices.

Correct Answer: D,E

Explanation/Reference:

IMAP does not provide the same level of security controls as mobile endpoint management, making it an insecure choice for

corporate data access.

QUESTION: 43

A user reports that their Google Calendar events are not syncing correctly with Apple Calendar on their
macOS device. Which of the following steps should you take to resolve the issue?

Option A : Advise the user to switch their default browser to Safari.

Option B : Check if the Google Calendar API is enabled in the Google Cloud Console.
Option C : Verify that the correct Google account credentials are used in the Apple Calendar app.
Option D : Confirm that the user has enabled two-step verification in their Google account.
 Correct Answer: C

Explanation/Reference:

The browser setting has no impact on calendar syncing. This is a common misconception because some users believe all Apple

apps are tied to Safari.