Message 4 of 7
1 Vote
Misrepresentation in Article.
It's free, sure... but only if you're paying for Google Apps. There are a significant number of organizations using Google Apps Standard, for which this tool will not work.

@Rusty - Giggle Apps? If you're so lax in your implementation that you feel it's a risk, perhaps you're the one who needs a head examined. It's a tool, like anything else, and gApps actually has better security than most of the other cloud service providers out there... and it's a damn sight simpler to administer than MSE2k10 running on Server2k8R2Enterprise.

Connecting the two isn't a bad idea at all - especially given that it's a one-way sync. RTFM FTW, my friend.

@Michael Kassner.. Yeah, and you appear to not have gotten fully informed, either. Per Mat Honan himself: "In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened." Single Sign-on is simply an extension of the security that's already in place. Using a different password for every site, every service, every system... will only confuse security to the point that people start writing them down or using other tools - like SSO, but less secure - and you now have worse security than in the first place. Using basic security concepts - like the 2fac Auth that Mat Honan himself references (which, btw, I also use myself - in addition to app-specific passwords, and other tools as well to protect myself and my clients) are a natural extension of SSO that make sense... all while ensuring that security remains SECURITY and not just obfuscation.

WAKE UP PEOPLE. Security is your own responsibility, and if something breaks, it's on your head, no-one else's. If you do full due diligence, then even Yahoo mail (okay, so this is a stretch!) can be a viable business tool... but it always, always, ALWAYS comes down to taking responsibility for your actions. As a former SIPRNET admin, no way in hell would I have used certain tools.. because my due diligence - done out of a sense of responsibility for the data entrusted to my systems - indicated it wasn't safe enough. As a private consultant who handles several law offices? gApps does a great job, as long as the policies are in place to ensure the lawyers in those practices understand what's okay and what isn't... but due diligence requires that I make it clear to the users what's okay and what isn't.

Devil's Advocate: Sure, blindly turning on tools without configuration customization and due diligence would be a bad idea, and gApps, G's AD sync tool, etc... would be lunacy to implement.

That said? Don't be an idiot. Research and deploy based on use case applicability.
Posted by darrylhadfield
9th Aug