Set up G Suite Password Sync
You can use G Suite Password Sync (GSPS) to update your users' Google passwords directly from Microsoft®Active Directory®. Learn more about GSPS.
GSPS is available to G Suite and Cloud Identity administrators.
- You're an administrator for your organization. Only administrators can complete the steps to set up GSPS.
- You're a domain administrator for your Active Directory domain.
- You meet the system requirements.
GSPS uses one of the following authentication methods:
- Service account
- 3-legged OAuth
We recommend using a service account for GSPS authentication. To use a service account, you must be planning to install GSPS 1.6 or later. For more information on authentication methods for GSPS, see Choose your Google authentication method.
If you haven't already, you need to create Google accounts for all of your users. Then you can add users by:
- Using GCDS–The recommended way to add users to your Google Account in an Active Directory environment is with Google Cloud Directory Sync (GCDS). GCDS automatically syncs user accounts in your Google domain with the user accounts in your Active Directory system.
To do this, you need to set the Additional User Attributes > Synchronize Passwords setting in GCDS to Only for new users. Otherwise, passwords may become out of sync when you run GCDS. For details, see Additional user attributes.
- Using another method–If you don't want to use GCDS, see your Options for adding users.
To use GSPS, you need to enable the Directory API (version 1) in your Google Admin console. If you're already using GCDS, this API is already enabled.
For details on how to enable the Directory API, see Enable API access in the Admin console.
This section describes how to install GSPS using the configuration wizard. For instructions on how to install GSPS from the command line, see Install and configure GSPS from the command line.Step 5: Download GSPS and copy service account JSON file to domain controller
Do the following steps on each of your Active Directory servers (domain controllers):
- Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
- Download GSPS. Ensure you download the correct edition for your operating system (32 or 64-bit).
- (Optional) If you're using a service account, copy your service account JSON file to your domain controller. If you haven’t already created your service account, see Authorize GSPS for your domain.
The installer you run depends on your host architecture (32 or 64-bit).
- Run an installer option:
- Complete the installer steps.
- Restart the server.
- From the Start menu, open G Suite Password Sync.
- Click Next.
- Specify your primary Google domain and your Admin Email Address. This is the email address of the administrator that GSPS will use to perform the password updates. The administrator's address also appears in the audit logs in the Admin console.
Important: Make sure that this administrator has signed into the Google Admin console and accepted the terms of service before you continue.
- Configure your authentication method (service account or 3-legged OAuth).
If you're using a service account:
- Select Service account.
- Click Load Credentials and select your service account JSON file.
The Status value should change to Authorized.
Note: You can remove the JSON file from the system after you complete the configuration process. Remember that the JSON file contains a key that allows access to your Google domain.
If you're using 3-legged OAuth:
- Select 3-legged OAuth.
- Click Authorize Now.
- When prompted, sign in to your Google Account using the email address entered earlier. Click Continue.
- If prompted, provide your administrator username and password and click Sign in.
- Click Allow.
You should see "Authorization has been granted successfully. Please switch to your application."
Close your browser and return to GSPS. The Status value should change to Authorized.
Note: If the GSPS screen doesn't display Authorized, authorization has failed and you should refer to the error message at the bottom of the GSPS configuration screen. Authorization can fail for a number of reasons, typically:
- The user isn't a super administrator for your Google domain.
- The time and time zone on your server aren't set correctly.
- Click Next.
- Select the authorization access method for GSPS to use to query Active Directory. The options available are described below.
Authorization access method Description Application’s Security Context
This is the default and recommended setting.The GSPS service runs in the security context of the
NetworkServiceaccount, not a user account.
This is the only option supported on Server Core domain controllers or when you configure GSPS from the command line.
The authorized user that GSPS acts on behalf of. The user doesn't have to be a domain administrator. But, it can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects."
This user will only be used to get the email addresses of users from Active Directory. Therefore, it must have access to read the mail attribute for all the users whose passwords you want to sync.
GSPS uses Active Directory Services Interfaces (ADSI) for authentication purposes. Anonymous access isn't recommended as it is not supported by most Active Directory configurations.
- If you selected User Credentials as your authorization access method, complete the Authorized User and Password fields.
- Enter the Base distinguished name (DN). When you configure GSPS for the first time, your Active Directory domain's default base DN is detected and added here. You can edit it, if required.
If you're using GCDS, this setting is usually identical to the GCDS Base DN setting.
- Enter the Mail Attribute. This is your Active Directory domain's mail attribute that contains each user's Google email address. In most cases, this attribute is “mail.” The values stored here must exactly match the Google email address, including the domain part of the address.
If you're using the Replace domain names in LDAP email addresses option in GCDS, it may not be "mail." Therefore, make sure you use an attribute that matches the email address in Google.
- Click Next. The application tests the connection settings you provided and alerts you if there are any errors. Review for any error messages. The Summary screen should show the configuration is saved and the service is running.
- Click Finish.
- Repeat this section for each of the domain controllers in your domain.
GSPS is now installed and running. Any password changes made to a user's Active Directory account are automatically updated for your Google users as well. However, GSPS doesn't sync your existing Active Directory passwords to Google–it only syncs password changes.
Be sure to instruct your users to change their Active Directory password (as described in step 8) to sync the password their to Google Account.
Complete and maintainStep 8: Instruct users to change their Active Directory passwords
GSPS won't sync an Active Directory password with a Google Account until it's changed. Therefore, you need to have your users change their Active Directory passwords to complete the sync process. We recommend that you prompt your Active Directory users to change their password the next time they sign in.
When adding new users, we recommend following this workflow:
- In Active Directory, create the new user with an initial generic password and check the User must change password at next logon box.
- Run GCDS to provision the user in your Google domain.
- Have the user sign in and change the initial password. GSPS syncs the new password with the Google Account within a few minutes.
Note: Google passwords must adhere to the name and password guidelines.
- Have the user sign in to their Google Account with their new password. Any subsequent Active Directory password changes are automatically synced to Google by GSPS.
To ensure that your users change their passwords in Active Directory:
Step 1: Do not enable non-admin password recovery
Ensure that non-admin password recovery is not enabled. See Set up password recovery for users.
Step 2: Instruct users to change their Windows password
- Use Google Sites to create an internal webpage that instructs users to change their Microsoft Windows password instead of their Google password.
- Copy the URL of the page.
- Sign in to the Google Admin console.
- Click Security.
- Click Set up single sign-on (SSO).
- In the Change password URL field, enter the URL of the page you created in step 1.
Note: You do not need to check the Set up SSO with a third party identity provider box.
- Click Save.
Any user who attempts to change their Google password will be directed to your page with the instructions. For detail on this process, see Set up single sign-on for managed Google accounts.