I've previously posted about managing Windows PCs in the Google Admin console. However, what if you still manage your PCs via local Active Directory but use Google Workspace for most things? Well, you can have your cake and eat it: you just need to use Google Credential Provider for Windows (GCPW) and apply a few settings.
Step 1 - update your users on the Google Admin Console
You need to add a custom attribute to all of your users (at least those who use PCs) in the Google Admin console to link them with their local AD account. Create the custom attribute in the Admin console and populate it with each user's AD Windows account details:
The custom attribute you need is Enhanced_desktop_security and the field is AD_account. Detailed instructions can be found here.
You can auto-populate this field using GADS (Google Apps Directory Sync) if you use it to auto-provision your Google accounts from AD. Alternatively, you can populate the field in bulk with a Google Sheets script or add the values manually.
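Whichever bulk method you use, check the mapping before it is written, because this attribute decides which AD account a Google sign-in resolves to. The following is an added example, not code from this post or from Google: it turns sheet rows into Admin SDK Directory API `customSchemas` update bodies and rejects malformed or duplicated AD accounts. The function name, the `DOMAIN\username` value format, the single-valued field and the sample rows are assumptions.

```javascript
// Constructed sample rows: [Google email, AD account], as read from a sheet.
const SAMPLE_ROWS = [
  ["alice@example.com", "CORP\\alice"],
  ["bob@example.com", "corp\\bob"],
  ["carol@example.com", "carol"],          // no domain part
  ["mallory@example.com", "CORP\\Alice"],  // same AD account as alice
  ["dave@other.test", "CORP\\dave"],       // not our Google domain
];

// Assumed value format: DOMAIN\sAMAccountName (conservative pattern,
// user part limited to 20 characters and common forbidden characters).
const AD_ACCOUNT = /^[A-Za-z0-9][A-Za-z0-9.-]*\\[^\\\/\[\]:;|=,+*?<>@"\s]{1,20}$/;

// Hypothetical helper: returns the update bodies to send and the rows
// that must be fixed by hand before anything is written.
function buildAdLinkUpdates(rows, googleDomain) {
  const updates = [];
  const rejected = [];
  const owner = new Map(); // lower-cased AD account -> Google user holding it
  for (const [rawEmail, rawAccount] of rows) {
    const email = String(rawEmail).trim().toLowerCase();
    const account = String(rawAccount).trim();
    const key = account.toLowerCase(); // AD account names are case-insensitive
    let reason = null;
    if (!email.endsWith("@" + googleDomain)) {
      reason = "unexpected Google domain";
    } else if (!AD_ACCOUNT.test(account)) {
      reason = "not DOMAIN\\username";
    } else if (owner.has(key)) {
      // Two Google users pointing at one AD account would share a Windows profile.
      reason = "AD account already linked to " + owner.get(key);
    }
    if (reason) {
      rejected.push({ email, account, reason });
      continue;
    }
    owner.set(key, email);
    updates.push({
      userKey: email,
      // Schema and field names as given in this post.
      body: { customSchemas: { Enhanced_desktop_security: { AD_account: account } } },
    });
  }
  return { updates, rejected };
}

console.log(JSON.stringify(buildAdLinkUpdates(SAMPLE_ROWS, "example.com"), null, 2));
```

Each `body` is what a user update call would carry for `userKey`; nothing here contacts Google, so the rejected list can be reviewed first.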
Step 2 - Deploy the GCPW and required registry settings
Download the MSI installer from here and deploy via Group Policy or SCCM as normal.
Deploy the following registry settings via Group Policy:
Windows Registry Editor Version 5.00
The first key specifies the domain allowed to log in. If you put in just one domain, it is auto-populated on the login screen. However, you can specify multiple domains.
The second key prevents GCPW from trying to enrol the machine on the Google Admin console - we are managing machines here with local group policy. See my other blog posts to cloud manage a machine.
The other two are for the Google Drive app. These are optional, but they auto-start the Google Drive app and prompt for authentication in the browser. Because GCPW does single sign-on, the Drive app is then signed in.
Step 3 - Testing
If you are using local Chrome policies, you need to test how each policy you have interacts with GCPW.
The end result
People sign into Chromebooks and PCs with the same account.
Using GCPW updates the local AD password to match the Google one, so if you have apps that authenticate via a connection to AD, these work automatically with the Google credentials.
Chrome has the user automatically signed in after login, so you have single sign-on to all of your Google services.