Deciding what to synchronize
You do not need to synchronize all of the groups and users in your LDAP-compliant directory. Instead, synchronize only groups that are useful to the cloud service.
Consider this Active Directory (AD) example:
If you are going to set up a policy for members of a US Telesales department that gives them special permission to access certain websites, you should synchronize the "US Telesales" group. There is no need to sync the "London" group if you are not going to set up geographical policies in the cloud service, even if the London users are going to be using the service.
Sometimes when users are synchronized to the cloud service, they are members of multiple AD groups, but only a subset of those groups is synchronized. This is not a problem: the cloud service is designed to accept users with group references that are not on the service.
You specify which groups to synchronize using an LDAP search facility on the Directory Synchronization Client. There is great flexibility in selecting the appropriate data to synchronize. For example, you can use the membership of an LDAP group attribute to select the users you want, even though you may not select that group in the group synchronization setup itself.
Regardless of how many groups you synchronize, user details must be sent as part of a separate user synchronization. When you synchronize a group, you transfer information about the group but not about its members. User synchronizations include details of the group(s) to which each user belongs. When you apply a web policy or an email policy to a synchronized group, that policy is applied to all synchronized users who are members of that group.
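The selection and policy rules described above, as an added Python example that is not part of the Directory Synchronization Client or its documentation; the DNs, user records and function names are constructed for illustration, and the local filter evaluation stands in for a real directory search:

```python
# Constructed directory snapshot with hypothetical DNs; not a real AD export.
BASE = "DC=example,DC=com"
G_TELESALES = f"CN=US Telesales,OU=Groups,{BASE}"
G_LONDON = f"CN=London,OU=Groups,{BASE}"
G_STAFF = f"CN=All Staff,OU=Groups,{BASE}"

USERS = [
    {"mail": "ann@example.com", "memberOf": [G_TELESALES, G_STAFF]},
    {"mail": "bob@example.com", "memberOf": [G_TELESALES, G_LONDON, G_STAFF]},
    {"mail": "cat@example.com", "memberOf": [G_LONDON, G_STAFF]},
]

# RFC 4515 escapes for characters that are special inside a search filter.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a DN (or any value) so it can be embedded in an LDAP filter."""
    return "".join(_ESC.get(ch, ch) for ch in value)


def user_filter_for_group(group_dn):
    """Search filter that selects user objects by their memberOf attribute."""
    return f"(&(objectClass=user)(memberOf={ldap_escape(group_dn)}))"


def select_users(users, group_dn):
    """Local stand-in for running user_filter_for_group against the directory."""
    return [u for u in users if group_dn in u["memberOf"]]


def build_sync(users, synced_groups, selector_group):
    """Groups and users are sent as separate items. The selector group need not
    be in synced_groups, and each user keeps every group reference it has,
    including references to groups that are not themselves synchronized."""
    selected = select_users(users, selector_group)
    return {
        "groups": sorted(synced_groups),
        "users": [{"mail": u["mail"], "groups": list(u["memberOf"])}
                  for u in selected],
    }


def policy_targets(sync, policy_group):
    """A policy on a synchronized group reaches the synced users who belong
    to it; unsynchronized group references on a user are simply ignored."""
    if policy_group not in sync["groups"]:
        raise ValueError(f"policy group not synchronized: {policy_group}")
    return [u["mail"] for u in sync["users"] if policy_group in u["groups"]]
```

Selecting users through the "All Staff" group while synchronizing only "US Telesales" shows the page's point that the selector group does not itself have to be synchronized.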
Please refer to the Directory Synchronization Client Administrator's Guide in the Technical Library for more information on using the LDAP search feature to target only those users and groups that are required.