Google Apps Password Sync

GAPS Configuration Guide

This guide will walk you through the steps to get Google Apps Password Sync (GAPS) up and running for your organization.

Before you proceed, make sure of the following:

  • You are a Google Apps administrator for your organization. Only administrators can complete the steps in this guide.
  • You are a Google Apps for Business, Education, or Government customer.
  • You are a Domain Admin on your Active Directory domain.
If you are not using Active Directory and want to sync passwords to Google Apps, see Google Apps Directory Sync: Additional User Attributes.

Add your users to Google Apps

If you haven't done so already, make sure you've created Google Apps accounts for all of your users. The recommended way to add users to Google Apps in an Active Directory environment is with Google Apps Directory Sync (GADS). GADS automatically syncs user accounts in Google Apps with the user accounts in your Active Directory system.

If you are using GADS, you need to set the User Accounts > Additional User Attributes > Synchronize Passwords setting in GADS to Only for new users. Otherwise, passwords may become out of sync when you run GADS.

If you do not want to use GADS to sync users, read Options for adding users for other methods.


Enable the Provisioning API

GAPS requires the Provisioning API to be enabled in Google Apps in order to set user passwords.

Read Administrative APIs to learn how to enable the Provisioning API for your domain. If you are already using GADS, this should already be enabled.


Install and configure GAPS on your Active Directory servers

To install and configure GAPS, do the following on each of your Active Directory servers (Domain Controllers):

  1. Download GAPS.
  2. Open the installer, GoogleAppsPasswordSync.msi, included in the download. Make sure you download the correct edition for your operating system (32-bit or 64-bit).
  3. Complete the steps indicated by the installer.
  4. Restart the server.
  5. Open Google Apps Password Sync from the Start menu.
  6. On the welcome screen, click Next.
  7. On the Google Apps Configuration screen, specify your primary Google Apps domain and your administrator email address in the appropriate fields, and click Authorize Now. The following dialog appears:

  8. Don't change any of the settings in the dialog; just click Continue.
  9. A Google Apps login page opens in a browser. Provide your administrator username and password and click Sign in.
  10. Click Allow access on the following page:

  11. A page appears that provides a code that you are instructed to paste into GAPS. You do not need this code. Close your browser and return to GAPS. Your Google Apps configuration should be marked as authorized.
    If you are returned to the Please sign-in to Google Apps Password Sync dialog, simply click Continue again and repeat the previous step.
  12. Click Next.

  13. On the Active Directory Configuration screen, untick the Use Anonymous access to query Active Directory checkbox and specify the following in the corresponding fields:
    • The authorized user (Domain Admin) that GAPS will act on behalf of. This user will only be used to get the email addresses of users.
    • The authorized user's password
    • Your Active Directory domain's base distinguished name (DN). If you are using GADS, this setting should be identical to the Base DN setting in GADS.
    • Your Active Directory domain's mail attribute, which specifies a user's Google Apps email address. In most installations, this attribute is mail.
    Make sure that the mail attribute includes email addresses that are identical to your users' addresses on Google Apps, including the domain part of the address.

    If you're using the "Replace domain names in LDAP email addresses" option in GADS, this may not be the case.
  14. Click Next. The Summary screen should show your Configuration as saved and your Service as running.
  15. Click Finish.

Google Apps Password Sync is now up and running. Any password change made to a user's Active Directory account is automatically applied to that user's Google Apps account as well.

GAPS doesn't sync your existing Active Directory passwords to Google Apps; it only syncs password changes. Be sure to instruct your users to change their Active Directory passwords (as described in Instruct users to change their Active Directory passwords) to sync passwords to Google Apps.
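The mail attribute requirement in step 13 can be checked before relying on the sync. The script below is an added example, not part of GAPS or this guide; the Base DN and domain are placeholders, and it assumes the ActiveDirectory PowerShell module is available and that every user's address is on your primary Google Apps domain.

```powershell
# Added example, not part of GAPS. Values below are placeholders to replace.
Import-Module ActiveDirectory

$BaseDN       = 'DC=example,DC=com'  # placeholder: the Base DN entered in GAPS
$GoogleDomain = 'example.com'        # placeholder: primary Google Apps domain
$MailAttr     = 'mail'               # the mail attribute entered in GAPS

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BaseDN -Properties $MailAttr

# Classify every enabled account whose address would not match Google Apps.
$problems = foreach ($u in $users) {
    $addr = [string]$u.$MailAttr
    $why = if ([string]::IsNullOrWhiteSpace($addr)) {
        'mail attribute is empty'
    } elseif ($addr -notmatch '^[^@\s]+@[^@\s]+$') {
        'value is not a single user@domain address'
    } elseif (($addr -split '@')[1] -ne $GoogleDomain) {
        'domain part differs from the Google Apps domain'
    }
    if ($why) {
        [pscustomobject]@{ Account = $u.SamAccountName; Mail = $addr; Problem = $why }
    }
}

# Two accounts sharing one address would map to the same Google Apps address.
$shared = @($users | Where-Object { $_.$MailAttr } |
    Group-Object { ([string]$_.$MailAttr).ToLower() } |
    Where-Object { $_.Count -gt 1 })

$problems | Sort-Object Problem, Account | Format-Table -AutoSize
$shared | ForEach-Object {
    '{0} is set on: {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ')
}
```

An empty result means every enabled account under the Base DN has a single address on the expected domain.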

Prevent users from changing their Google Apps passwords directly

In order for GAPS to keep Active Directory passwords in sync with Google Apps, passwords must be changed only from Active Directory.

To prevent users from changing their password from Google Apps:

  1. Create an internal webpage with Google Sites that instructs users to change their Windows password instead of their Google Apps password. Copy the URL of the page.
  2. Sign in to the Google Admin console.
  3. Do one of the following:  
  4. In the Change password URL field, provide the URL of the page you created.
  5. Click Save changes.

When a user attempts to change their Google Apps password, they will be directed to your page that instructs them to change their Windows password instead.


Instruct users to change their Active Directory passwords

GAPS won't sync an Active Directory password with Google Apps until it's changed. Have your users change their Active Directory passwords to complete the sync process. It's recommended that you force your Active Directory users to change their password the next time they log in.
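To see which accounts still hold a password that GAPS has never synced, and to force the change at next logon, the following added example can be used. It is not part of GAPS or this guide; the Base DN and date are placeholders, and it assumes that any password last set before GAPS was running on every Domain Controller has not been synced.

```powershell
# Added example, not part of GAPS. Values below are placeholders to replace.
Import-Module ActiveDirectory

$BaseDN      = 'DC=example,DC=com'    # placeholder: the Base DN entered in GAPS
$GapsRunning = Get-Date '2013-01-15'  # constructed date: GAPS running on every DC

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BaseDN `
    -Properties PasswordLastSet, PasswordNeverExpires

# PasswordLastSet is empty when the account is already flagged to change at next logon.
$flagged = @($users | Where-Object { -not $_.PasswordLastSet })
$stale   = @($users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $GapsRunning })

# Set-ADUser rejects the flag on accounts whose password never expires
# (often service accounts), so list those for manual handling.
$manual = @($stale | Where-Object { $_.PasswordNeverExpires })
$force  = @($stale | Where-Object { -not $_.PasswordNeverExpires })

'{0} already flagged, {1} to flag, {2} need manual handling' -f $flagged.Count, $force.Count, $manual.Count
$manual | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# Dry run: remove -WhatIf once the list has been reviewed.
$force | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```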

When creating new users, it's recommended to follow this workflow:

  1. In Active Directory, create the new user with an initial generic password and tick the User must change password at next logon checkbox.
  2. Run GADS to provision the user in Google Apps.
  3. Let the user log in to their machine and replace the initial password.
  4. GAPS will update the new password on Google Apps within a few minutes.
  5. Let the user log in to Google Apps with the new password they chose in step 3.
  6. Any subsequent password changes will be automatically synced to Google Apps by GAPS.

You're done!