Set up G Suite Password Sync
You can use G Suite Password Sync (GSPS) to update your users' G Suite passwords directly from Microsoft®Active Directory®. Learn more about GSPS.
- You're a G Suite administrator for your organization. Only administrators can complete the steps to set up GSPS.
- You're a domain administrator for your Active Directory domain.
- You meet the system requirements.
GSPS uses 1 of the following authentication methods:
- Service account
- 3-legged OAuth
We recommend using a service account for GSPS authentication. To use a service account, you must be planning to install GSPS 1.6. For more information on authentication methods for GSPS, see Choose your G Suite authentication method.
If you haven't already, you need to create G Suite accounts for all of your users. Then you can add users by:
- Using GCDS–The recommended way to add users to G Suite in an Active Directory environment is with Google Cloud Directory Sync (GCDS). GCDS automatically syncs user accounts in G Suite with the user accounts in your Active Directory system.
To do this, you need to set the Additional User Attributes > Synchronize Passwords setting in GCDS to Only for new users. Otherwise, passwords may become out of sync when you run GCDS. For details, see Additional user attributes.
- Using another method–If you don't want to use GCDS, see your Options for adding users.
To use GSPS, you need to enable the Directory API (version 1) in G Suite. If you're already using GCDS, this API is already enabled.
For details on how to enable the Directory API, see Administrative APIs.
This section describes how to install GSPS using the configuration wizard. For instructions on how to install GSPS from the command line, see Install and configure GSPS from the command line.Step 5: Download GSPS and copy service account JSON file to domain controller
Do the following steps on each of your Active Directory servers (domain controllers):
- Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
- Download GSPS. Ensure you download the correct edition for your operating system (32 or 64-bit).
- (Optional) If you're using a service account, copy your service account JSON file to your domain controller. If you haven’t already created your service account, see Create a GSPS service account.
The installer you run depends on your host architecture (32 or 64-bit).
- Run an installer option:
- Complete the installer steps.
- Restart the server.
- From the Start menu, open G Suite Password Sync.
- Click Next.
- Specify your primary G Suite Domain and your Admin Email Address.
- Configure your authentication method (service account or 3-legged OAuth).
If you're using a service account:
- Select Service account.
- Click Load Credentials and select your service account JSON file.
The Status value should change to Authorized.
Note: You can remove the JSON file from the system after you complete the configuration process. Remember that the JSON file contains a key that allows access to your G Suite domain.
If you're using 3-legged OAuth:
- Select 3-legged OAuth.
- Click Authorize Now.
- When prompted, sign in to your G Suite account using the email address entered earlier. Click Continue.
- If prompted, provide your administrator username and password and click Sign in.
- Click Allow.
You should see "Authorization has been granted successfully. Please switch to your application."
Close your browser and return to GSPS. The Status value should change to Authorized.
Note: If the GSPS screen doesn't display Authorized, authorization has failed and you should refer to the error message at the bottom of the GSPS configuration screen. Authorization can fail for a number of reasons, typically:
- The G Suite user isn't a super administrator in your G Suite domain.
- The time and time zone on your server aren't set correctly.
- Click Next.
- Select the authorization access method for GSPS to use to query Active Directory. The options available are described below.
Authorization access method Description Application’s Security Context
This is the default and recommended setting.The GSPS service runs in the security context of the
NetworkServiceaccount, not a user account.
This is the only option supported on Server Core domain controllers or when you configure GSPS from the command line.
The authorized user that GSPS acts on behalf of. The user doesn't have to be a domain administrator. But, it can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects."
This user will only be used to get the email addresses of users from Active Directory. Therefore, it must have access to read the mail attribute for all the users whose passwords you want to sync.
GSPS uses Active Directory Services Interfaces (ADSI) for authentication purposes. Anonymous access isn't recommended as it is not supported by most Active Directory configurations.
- If you selected User Credentials as your authorization access method, complete the Authorized User and Password fields.
- Enter the Base distinguished name (DN). When you configure GSPS for the first time, your Active Directory domain's default base DN is detected and added here. You can edit it, if required.
If you're using GCDS, this setting is usually identical to the GCDS Base DN setting.
- Enter the Mail Attribute. This is your Active Directory domain's mail attribute that contains each user's G Suite email address. In most cases, this attribute is “mail.” The values stored here must exactly match the G Suite email address, including the domain part of the address.
If you're using the Replace domain names in LDAP email addresses option in GCDS, it may not be "mail." Therefore, make sure you use an attribute that matches the email address in G Suite.
- Click Next. The application tests the connection settings you provided and alerts you if there are any errors. Review for any error messages. The Summary screen should show the configuration is saved and the service is running.
- Click Finish.
- Repeat this section for each of the domain controllers in your domain.
GSPS is now installed and running. Any password changes made to a user's Active Directory account are automatically updated in G Suite as well. However, GSPS doesn't sync your existing Active Directory passwords to G Suite–it only syncs password changes.
Be sure to instruct your users to change their Active Directory passwords (as described in step 8) to sync password their to G Suite.
Complete the sync processStep 8: Instruct users to change their Active Directory passwords
GSPS won't sync an Active Directory password with G Suite until it's changed. Therefore, you need to have your users change their Active Directory passwords to complete the sync process. We recommend that you prompt your Active Directory users to change their password the next time they sign in.
When adding new users, we recommend following this workflow:
- In Active Directory, create the new user with an initial generic password and check the User must change password at next logon box.
- Run GCDS to provision the user in G Suite.
- Have the user sign in and change the initial password. GSPS updates the new password in G Suite within a few minutes.
- Have the user sign in to G Suite with their new password. Any subsequent Active Directory password changes are automatically synced to G Suite by GSPS.
You’ve successfully set up and configured GSPS. To avoid synchronization issues, we recommend these maintenance checks:Prevent users from changing their G Suite passwords
To keep Active Directory passwords in sync with G Suite, passwords must be changed only in Active Directory.
To prevent users from changing their password in G Suite:
- Use Google Sites to create an internal webpage that instructs users to change their Microsoft Windows password instead of their G Suite password. Copy the URL of the page.
- Sign in to the Google Admin console.
- Click Security.
- Click Set up single sign-on (SSO).
- In the Change password URL field, enter the URL of the page you created.
- Click Save.
Any user who attempts to change their G Suite password will be directed to your page with the instructions. For detail on this process, see Set up Single Sign-On (SSO) for G Suite accounts.