Google-Workspace-Administrator Google Associate Google Workspace Administrator Free Practice Exam Questions (2025 Updated)

A dynamic group automatically manages its membership based on user attributes, such as job role. This approach ensures that employees are automatically added or removed from the group based on their role, minimizing manual effort and ensuring that the group always reflects the current team composition. Granting this dynamic group access to the shared drive ensures that the right users have the appropriate permissions without requiring constant manual updates.

To enforce different external sharing policies for different departments within the same Google Workspace domain, you should use Google Drive sharing policies configured at the organizational unit (OU) level. Drive trust rules are the mechanism within Google Workspace to control how users can share files inside and outside the organization.  

Here's why option A is correct and why the others are not the most appropriate solutions:

A. Create a Drive trust rule that allows external sharing for the Research and Development organizational unit (OU) and another rule that blocks external sharing for the Finance OU.

Google Workspace allows administrators to set specific Drive sharing settings for different organizational units. By creating a Drive trust rule (or more accurately, configuring the external sharing options within Drive and Docs settings for each OU), you can enable external sharing for the Research and Development OU while simultaneously restricting or completely blocking external sharing for the Finance OU. This granular control at the OU level directly addresses the requirement of having different policies for the two departments.  

Associate Google Workspace Administrator topics guides or documents reference: The official Google Workspace Admin Help documentation on "Control how users can share Drive files externally" (or similar titles) explains how to manage external sharing options at the organizational unit level. This includes:Setting sharing options by organizational unit: The documentation details how to navigate to Apps > Google Workspace > Drive and Docs > Sharing settings in the Admin console and then select a specific organizational unit to customize its sharing permissions.  

Controlling sharing outside your organization: This section explains the various settings available, including allowing sharing with anyone, only with specific domains, or completely preventing external sharing.

While the term "Drive trust rule" might be used in more advanced contexts related to trusted domains, the core functionality of controlling external sharing based on OUs is the key here. The settings within the Drive and Docs sharing configuration for each OU achieve the desired outcome.

B. Enable Vault for the Finance organizational unit (OU) to ensure that all files shared externally are retained and auditable.

Google Vault is used for eDiscovery, legal holds, and retention of data. While it can retain and audit externally shared files (if sharing is allowed), it does not prevent external sharing. Enabling Vault for the Finance OU would not block them from sharing files externally; it would only ensure that if they do, those shared files are preserved and can be audited. This does not meet the requirement of blocking external sharing for the Finance department.  

Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on Google Vault clearly outlines its purpose and functionalities, which are focused on data retention, legal holds, and search/export for compliance and legal reasons, not on preventing sharing.  

C. Apply an organization-wide data loss prevention (DLP) rule that scans for sensitive information and prevents external sharing of those files. Apply that rule to the Finance organizational unit (OU).  

While DLP rules can prevent the external sharing of files containing sensitive information, they are triggered by the content of the files, not by a blanket restriction on all external sharing for a specific OU. The requirement is to block all external sharing for the Finance department, regardless of the content. Applying a DLP rule only to the Finance OU might be complex to manage for a complete block and is not the most direct way to achieve the stated goal. OU-based sharing settings are more straightforward for this purpose.  

Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on Data Loss Prevention (DLP) explains how to create rules based on content to prevent sensitive data leaks. While DLP can control sharing, it's not the primary mechanism for completely blocking all external sharing for an entire OU.  

D. Create a separate Google Workspace domain for the Finance organizational unit (OU) and disable external sharing for that domain.

Creating a separate Google Workspace domain for the Finance department is an overly complex and administratively burdensome solution. It would involve managing two separate domains, user accounts, billing, and potentially complicate internal collaboration between departments. Using organizational units within the same domain provides a much more efficient and manageable way to apply different policies.

Associate Google Workspace Administrator topics guides or documents reference: Google Workspace's organizational unit structure is specifically designed to allow administrators to apply different settings and policies to groups of users within a single domain, avoiding the need for separate domains for policy enforcement.  

Therefore, the most direct and appropriate solution is to configure the Google Drive sharing settings at the organizational unit level, allowing external sharing for the Research and Development OU and blocking it for the Finance OU.

Switching the former employee’s account to an Archived User license ensures that their data and documents are preserved, and access is retained for the manager and team without incurring the full cost of an active Workspace license. Archived User licenses are a cost-effective way to maintain access to documents while preventing unauthorized access to the account.

Enforcing the use of physical security keys for 2-Step Verification (2SV) provides a highly secure method of protecting user accounts from unauthorized access. Physical security keys are one of the most robust forms of two-factor authentication because they cannot be easily phished or stolen, even if an attacker knows the user's password. Google recommends using physical security keys as the 2SV method, as they provide strong protection against unauthorized access attempts.

If legitimate emails are being misidentified as spam across the organization, it suggests that there may be a broader issue with the spam filtering system. Contacting Google Workspace support to investigate and resolve the problem is the recommended approach. Disabling spam filtering or adjusting individual settings may not resolve the root cause and could potentially lead to further issues.

By creating separate organizational units (OUs) for each department, you can apply different external sharing settings based on the department's requirements. For example, you can configure the sales and marketing department's OU to allow external sharing, while configuring the engineering department's OU to restrict external sharing. This approach allows you to enforce departmental policies efficiently without impacting other departments.

The security investigation tool allows you to search for and take action on suspicious emails within your organization. Marking the email as phishing helps to flag the email as malicious and prevents further emails from the same sender from being delivered to users' inboxes. This also ensures that the email is properly categorized for review and investigation by your security team.

Since the presenters' microphones are working, the issue likely lies with the affected employees' laptops. The first step in diagnosing the problem is to verify that the audio drivers on the affected laptops are up-to-date and functioning correctly. Outdated or malfunctioning audio drivers can cause issues with hearing sound during video conferences. Once the drivers are confirmed to be functional, further troubleshooting steps can be taken if necessary.

When a third-party application from the Google Workspace Marketplace is installed, it requests specific permissions (OAuth scopes) to access Google Workspace data and services. If the marketing team is unable to access customer contact information or send emails, the most likely cause is that the installed email marketing platform was not granted the necessary OAuth scopes for Contacts and Gmail during the installation or approval process.

Here's why other options are less likely to be the first step:

A. Verify that the email marketing platform's subscription is active and up-to-date. While important for continued use, a "free" platform from the Marketplace generally doesn't have a subscription that would prevent initial access to basic functions like contacts and sending emails unless it's a trial that expired, which isn't indicated as the primary problem. This would be a later troubleshooting step if scope issues are ruled out.

C. Confirm that the "Manage Third-Party App Access" setting in the Admin console is enabled. This setting controls whether users can install any third-party apps from the Marketplace. If it were disabled, the app likely wouldn't have been installed in the first place. If it was enabled and then disabled, the app would stop working, but the specific problem points to data access, not app disablement.

D. Use the security investigation tool to review Gmail logs. The security investigation tool is excellent for reviewing security events, but it's more for post-incident analysis or suspicious activity. In this scenario, the problem is a lack of functionality for a newly installed app, not a security breach or misconfiguration that would necessarily show up in Gmail logs immediately as an access issue for the app itself. The OAuth scopes are the more direct and initial point of failure.

References from Google Workspace Administrator:

Manage third-party app access to data: Google Workspace administrators can control which third-party apps can access their organization's data. This includes reviewing and managing OAuth API access for configured apps.

Advanced mobile management in Google Workspace provides the necessary features for securing mobile devices without the need for third-party apps or additional licenses. This includes enforcing passcodes and enabling remote account wipe functionality for both iOS and Android devices. Advanced management ensures that both security requirements are met while keeping the setup efficient and within the organization's existing licenses.

By organizing participants into an organizational unit (OU) in the Admin console, you can control access to live streaming and ensure that only users from affiliated Google Workspace domains are allowed to participate in the live-streamed meetings. Turning on live streaming within this context will ensure that the meeting is restricted to the appropriate participants from the specified domains.

The core of the problem is to identify the responsible users and the extent of past unauthorized sharing. The Security Investigation Tool is designed precisely for this purpose. It allows administrators to search and analyze various audit logs, including Drive logs, to pinpoint specific events, users, and data.

Here's why the other options are less appropriate as the first or most direct action for this specific problem:

A. Review the organization's sharing policies in the Admin console, and update the policies to prevent external sharing. This is a crucial preventative measure for the future, and a necessary step after identifying the scope of the problem. However, it won't help you identify who shared what in the past.

B. Use the security health page to identify misconfigured sharing settings in Drive. The security health page provides an overview of your security posture and can highlight general misconfigurations. While useful for identifying potential vulnerabilities, it won't give you the granular details of specific users and shared documents that have already occurred, which is what the question asks for.

D. Create an activity rule in the Security Center to alert you of future external sharing events. Similar to option A, this is a future-oriented preventative and monitoring measure. It will help catch future violations but won't provide information about the past unauthorized sharing that has already happened.

References from Google Workspace Administrator:

Security investigation tool: This tool is explicitly designed for identifying, triaging, and taking action on security issues. It allows administrators to search and analyze logs from various Google Workspace services, including Drive, to investigate specific events like external sharing.

To implement industry-standard email authentication protocols as part of a layered security approach for Gmail, you should configure DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records for your domain. These protocols are crucial for verifying the sender's identity and ensuring the integrity of email messages.

Here's a breakdown of why options C and E are correct and why the others are not primarily email authentication protocols or best practices in this context:

C. Configure DKIM to digitally sign outbound emails and verify their origin.

DKIM adds a digital signature to the headers of outbound emails. This signature is verified by receiving mail servers using a public key published in your domain's DNS records. DKIM helps to confirm that the email was indeed sent from your domain and that its content has not been altered in transit. It is a key email authentication protocol that enhances deliverability and protects against email spoofing.

Associate Google Workspace Administrator topics guides or documents reference: The official Google Workspace Admin Help documentation on "Help prevent email spoofing with DKIM" (or similar titles) explains how to set up DKIM for your domain. It details the process of generating a DKIM key, adding the public key as a TXT record in your DNS, and enabling DKIM signing in the Google Admin console. The documentation emphasizes DKIM's role in authenticating outbound mail and improving email security.

E. Set up SPF records to specify authorized mail servers for your domain.

SPF is a DNS-based email authentication protocol that allows you to specify which mail servers are authorized to send emails on behalf of your domain. Receiving mail servers check the SPF record in the sender's domain's DNS to verify if the sending server's IP address is listed as authorized. This helps to prevent spammers from forging the "From" address of your domain.

Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on "Help prevent spoofing with SPF" (or similar titles) guides administrators on creating and publishing SPF records in their domain's DNS. It explains the syntax of SPF records and how they help receiving servers validate the sender's origin, thus reducing spoofing and improving deliverability.

Now, let's look at why the other options are not the primary choices for implementing industry-standard email authentication protocols:

A. Enable a default email quarantine for all users to isolate suspicious emails and determine if the messages haven't been authenticated.

Email quarantine is a security feature that holds potentially harmful or suspicious emails for review. While it can help manage unauthenticated emails, it is a response to potential authentication failures or suspicious content, not an authentication protocol itself. Quarantine helps in handling emails that fail authentication checks (like SPF or DKIM) or are flagged by other security measures.

Associate Google Workspace Administrator topics guides or documents reference: Documentation on Gmail quarantine settings explains how to configure them to manage suspicious emails, including those that may not be properly authenticated. It's a post-authentication handling mechanism.

B. Configure a blocked senders rule to block all emails from unknown senders.

Blocking all emails from "unknown senders" is an overly aggressive and impractical approach for most organizations, as you will likely receive legitimate emails from new contacts or domains. While you can create blocklists, it's not a standard email authentication protocol and can lead to significant disruption of email flow.

Associate Google Workspace Administrator topics guides or documents reference: Gmail's blocking features allow users and administrators to block specific addresses or domains, but blocking all unknown senders is not a recommended security practice.

D. Disable IMAP for your organization to prevent external clients from accessing Gmail.

Disabling IMAP can enhance security by limiting how users access their email, potentially reducing the risk of compromised third-party applications. However, it is not an email authentication protocol that verifies the sender of an email. It controls access to the mailbox, not the authentication of emails received or sent.

Associate Google Workspace Administrator topics guides or documents reference: Documentation on managing IMAP and POP access explains how to enable or disable these protocols for users, focusing on access methods rather than email sender authentication.

Therefore, the two correct answers for implementing industry-standard email authentication protocols are configuring DKIM to sign outbound emails and setting up SPF records to specify authorized sending servers.

Transferring ownership of the departing employee’s files to the manager ensures that the manager retains access to all the files, including those stored in My Drive, without requiring additional steps like downloading or sharing files. This method follows Google-recommended practices and ensures that the files remain under proper management even after the employee's account is deleted. This process can be done efficiently during the offboarding process to ensure continuity of access.

Google Workspace offers Archived User licenses, which allow you to retain access to the data and communications of former employees without paying for a full user license. This option ensures compliance with the policy of retaining project data and communications in Google Vault while minimizing costs by avoiding unnecessary full user licenses.

When there's a legal investigation, the priority is to ensure that relevant data is preserved and not deleted, regardless of retention policies or user actions. A "hold" (also known as a litigation hold or legal hold) in Google Vault is specifically designed for this purpose. It overrides all retention rules (both default and custom) and prevents any data covered by the hold from being purged, even if a user attempts to delete it.

Here's why the other options are not the correct or best solution:

A. Change the Vault default retention rule to one year instead of five. Changing the default retention rule would affect all Drive data in your organization, not just this specific employee's. It's a broad change and not suitable for a targeted legal hold. Moreover, it wouldn't guarantee preservation against user deletions.

B. Place the employee into a separate organizational unit (OU). Create a custom one-year retention rule for this OU. While creating custom retention rules for OUs is possible, it's not the primary mechanism for a legal hold. Retention rules define when data can be deleted, but a hold prevents deletion irrespective of the retention period. If the employee deletes the data, a retention rule won't stop it from moving to trash (and eventually being purged) unless a hold is in place. Furthermore, a one-year retention rule isn't the goal; the goal is to preserve for "at least one year" (meaning indefinitely until the hold is released). The default five-year rule is already longer than one year, but doesn't override user deletion.

D. Confirm that the Vault default retention rule is set for five years. The question states that the default retention rule for Drive is already set for five years. While this is good for general data retention, it does not prevent a user from deleting their own files from Drive, nor does it specifically address the need for a legal hold where data must be absolutely preserved. A default retention rule does not override user deletion or ensure data preservation for legal purposes.

References from Google Workspace Administrator:

Holds in Google Vault: This is the core concept. Holds prevent data from being purged from Google systems, regardless of retention rules or user actions, until the hold is released. They are specifically used for legal discovery or investigation purposes.

To create document templates with pre-populated sections that the sales team can easily access and use to streamline their proposal process, the most efficient and centrally managed approach is to utilize the Google Workspace template gallery. This involves enabling organization branding (though not strictly required for basic templates, it's often associated with organizational templates) and then adding the created templates to the default themes and templates for the entire organization or specific groups.

Here's a breakdown of why option C is correct and why the others are not the ideal solutions:

C. Enable organization branding in the Admin console. Create the templates in Google Drive. Add the templates to default themes and templates for the entire organization.

This option leverages the built-in template gallery feature of Google Workspace. By creating the templates in Google Docs (which are stored in Google Drive) and then adding them to the organization's default themes and templates through the Google Admin console, you make these templates easily discoverable by all users (or a specific organizational unit) when they go to create a new document from the template gallery. Enabling organization branding can help customize the look and feel, but the crucial part is adding the templates to the gallery.

Associate Google Workspace Administrator topics guides or documents reference: The official Google Workspace Admin Help documentation provides detailed instructions on "Create and manage document templates for your organization." This documentation explains how to prepare a document as a template in Google Drive and then submit it through the Admin console to the template gallery, making it available to users within the organization. Topics covered include:Submitting templates to your organization's gallery: This process involves going to Apps > Google Workspace > Drive and Docs > Templates in the Admin console.

Setting up a custom template gallery: The documentation guides administrators on how to manage the templates that appear for their users.

Organizational units: Templates can often be made available to specific organizational units, allowing for tailored templates for different teams like the sales team.

A. Create the templates in Google Drive. Grant edit access to the sales team.

Granting edit access to the sales team on the master templates is problematic. It could lead to accidental or intentional modifications of the original templates, causing inconsistencies and requiring ongoing management to ensure the templates remain in their intended state. Users should ideally create copies of the template to work on, leaving the original template untouched.

Associate Google Workspace Administrator topics guides or documents reference: Best practices for file sharing and collaboration in Google Drive emphasize providing appropriate levels of access. For templates, the goal is usually for users to use the template to create new documents, not to edit the original.

B. Create the templates in Google Drive. Make a copy for each sales representative. Transfer ownership of each template to the sales representatives.

This approach is inefficient and difficult to manage. Creating and transferring ownership of individual copies of the template to each sales representative would be time-consuming for the administrator. Furthermore, if the template needs to be updated, each individual copy would need to be modified, leading to version control issues and inconsistencies across the sales team.

Associate Google Workspace Administrator topics guides or documents reference: Google Drive's sharing and ownership features are designed for collaborative work on documents, not for distributing and managing templates in this manner. Centralized management through the template gallery is the recommended method.

D. Create the templates in Google Drive and download the files as PDFs. Upload PDF files to a drive shared with your sales team.

Saving the templates as PDFs defeats the purpose of having editable templates. The sales team would not be able to easily modify the pre-populated sections or add their specific proposal details to a PDF. Templates are meant to be starting points for new, editable documents.

Associate Google Workspace Administrator topics guides or documents reference: Google Docs is designed for creating and editing documents. Templates are a feature within this editable format, allowing users to start with a pre-structured document that they can then customize. PDFs are for final, non-editable versions.

Therefore, the correct approach is to leverage the Google Workspace template gallery to provide a streamlined and centrally managed way for the sales team to access and use the proposal templates. This is achieved by creating the templates in Google Drive and then adding them to the organizational templates through the Admin console. While enabling organization branding is mentioned in option C, the core functionality relies on the template gallery feature.

By creating a custom admin role with security center privileges, you can ensure that the security team has the necessary access to investigate unauthorized external file sharing while adhering to the principle of least privilege. This approach provides the security team with the specific permissions they need without granting unnecessary broader privileges, such as those associated with the super admin role.

AppSheet is a no-code platform that allows users to create custom applications without the need for software development skills. It is capable of building applications that can be used both on the web and mobile devices. AppSheet would allow the organization to create the approval application efficiently, meeting the requirements of the purchase process, and would be a cost-effective solution that does not require hiring developers or using a third-party application provider.