GCP Professional Cloud Security Engineer Practice Question

You are implementing Google Cloud Directory Sync (GCDS) to synchronize 60,000 users and groups from the company's on-premises Microsoft Active Directory to a new Google Cloud organization. Security architects want to understand exactly how the tool will interact with the existing directory. Which statement accurately describes GCDS behavior that must be considered during the design?

By default, GCDS updates group memberships in both directions, so changes made in Google are automatically written to Active Directory.
GCDS requires secure LDAP to be disabled because it must make schema changes in Active Directory during synchronization.
GCDS performs a one-way read from Active Directory and writes changes only to Google; it never modifies the source directory.
GCDS establishes a trust that lets it push updated password hashes from Google back into Active Directory to keep credentials synchronized.

Report Issue

Answer Description

GCDS queries the on-premises LDAP directory, compares the results with the current state of Google accounts, and then uses Google administration APIs to create, update, suspend, or delete objects in Google Cloud. It never attempts to write, modify, or extend the schema of the source directory, so the risk of inadvertent changes to Active Directory is eliminated. GCDS also does not copy password hashes or perform bidirectional synchronization; any password verification still occurs against the identity provider used for authentication. Therefore, the correct choice is the statement that GCDS operates as a one-way, read-only consumer of LDAP data. The remaining options are incorrect because GCDS neither writes passwords back to AD, nor performs bidirectional updates, nor requires changes to the AD schema or disabling of secure LDAP.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.