Set up Google Apps Password Sync
You can use Google Apps Password Sync (GAPS) to update your users' Google Apps passwords directly from Microsoft® Active Directory®. Learn more about GAPS.
- You're a Google Apps administrator for your organization. Only administrators can complete the steps to set up GAPS.
- You're a domain administrator for your Active Directory domain.
- You meet the system requirements.
GAPS uses 1 of the following authentication methods:
- Service account
- 3-legged OAuth
We recommend using a service account for GAPS authentication. To use a service account, you must be planning to install GAPS 1.6. For more information on authentication methods for GAPS, see Choose your Google Apps authentication method.
If you haven't already, you need to create Google Apps accounts for all of your users. Then you can add users by:
- Using GADS: The recommended way to add users to Google Apps in an Active Directory environment is with Google Apps Directory Sync (GADS). GADS automatically syncs user accounts in Google Apps with the user accounts in your Active Directory system.
To do this, you need to set the Additional User Attributes > Synchronize Passwords setting in GADS to Only for new users. Otherwise, passwords may become out of sync when you run GADS. For details, see Additional user attributes.
- Using another method: If you don't want to use GADS, see your Options for adding users.
To use GAPS, you need to enable the Directory API (version 1) in Google Apps. If you're already using GADS, this API is already enabled.
For details on how to enable the Directory API, see Administrative APIs.
This section describes how to install GAPS using the configuration wizard. For instructions on how to install GAPS from the command line, see Install and configure GAPS from the command line.
Step 5: Download GAPS and copy service account JSON file to domain controller
Do the following steps on each of your Active Directory servers (domain controllers):
- Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
- Download GAPS. Ensure you download the correct edition for your operating system (32 or 64-bit).
- (Optional) If you're using a service account, copy your service account JSON file to your domain controller. If you haven’t already created your service account, see Create a GAPS service account.
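Because this step puts a copy of the service account JSON file on every domain controller, and that file contains a key that allows access to your Google Apps domain, it is worth checking which copies are still on disk once configuration is finished. The following PowerShell is an added example, not part of GAPS or of Google's documentation; the function name, the demo folder and the sample file contents are constructed for illustration.

```powershell
# Added example: list service account key files left on disk and who can read them.
# The private key itself is never printed.
function Find-ServiceAccountKeyFile {
    param([Parameter(Mandatory)] [string[]] $Path)

    Get-ChildItem -Path $Path -Filter *.json -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $json = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop |
                        ConvertFrom-Json -ErrorAction Stop
            } catch { return }   # unreadable or not valid JSON: skip this file

            # Service account key files carry type = service_account and a private_key field.
            if ($json.type -ne 'service_account' -or -not $json.private_key) { return }

            $acl = Get-Acl -LiteralPath $file.FullName
            [pscustomobject]@{
                Path        = $file.FullName
                ClientEmail = $json.client_email
                KeyId       = $json.private_key_id
                LastWrite   = $file.LastWriteTime
                Readers     = ($acl.Access |
                               Where-Object { $_.AccessControlType -eq 'Allow' } |
                               ForEach-Object { $_.IdentityReference.Value } |
                               Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed demo input: one fake key file and one unrelated JSON file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'gaps-key-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@{ type = 'service_account'; client_email = 'gaps-sync@example-project.iam.gserviceaccount.com'
   private_key_id = 'CONSTRUCTED-KEY-ID'; private_key = 'CONSTRUCTED-PLACEHOLDER' } |
    ConvertTo-Json | Set-Content -LiteralPath (Join-Path $demo 'gaps-sa.json')
'{"name":"unrelated"}' | Set-Content -LiteralPath (Join-Path $demo 'other.json')

Find-ServiceAccountKeyFile -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real domain controller, point `-Path` at the folders where the file was copied, such as an administrator's Downloads or Desktop folder.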
The installer you run depends on your host architecture (32 or 64-bit).
- Run an installer option:
- Complete the installer steps.
- Restart the server.
- From the Start menu, open Google Apps Password Sync.
- Click Next.
- Specify your primary Google Apps Domain and your Admin Email Address.
- Configure your authentication method (service account or 3-legged OAuth).
If you're using a service account:
- Select Service account.
- Click Load Credentials and select your service account JSON file.
The Status value should change to Authorized.
Note: You can remove the JSON file from the system after you complete the configuration process. Remember that the JSON file contains a key that allows access to your Google Apps domain.
If you're using 3-legged OAuth:
- Select 3-legged OAuth.
- Click Authorize Now.
- When prompted, sign in to your Google Apps account using the email address entered earlier. Click Continue.
- If prompted, provide your administrator username and password and click Sign in.
- Click Allow.
You should see "Authorization has been granted successfully. Please switch to your application."
Close your browser and return to GAPS. The Status value should change to Authorized.
Note: If the GAPS screen doesn't display Authorized, authorization has failed and you should refer to the error message at the bottom of the GAPS configuration screen. Authorization can fail for a number of reasons, typically:
- The Google Apps user isn't a super administrator in your Google Apps domain.
- The time and time zone on your server aren't set correctly.
- Click Next.
- Select the authorization access method for GAPS to use to query Active Directory. The options available are described below.
Authorization access method | Description
Application’s Security Context | This is the default and recommended setting. The GAPS service runs in the security context of the NetworkService account, not a user account. This is the only option supported on Server Core domain controllers or when you configure GAPS from the command line.
User Credentials | The authorized user that GAPS acts on behalf of. The user doesn't have to be a domain administrator. But, it can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects." This user will only be used to get the email addresses of users from Active Directory. Therefore, it must have access to read the mail attribute for all the users whose passwords you want to sync.
Anonymous | GAPS uses Active Directory Services Interfaces (ADSI) for authentication purposes. Anonymous access isn't recommended as it is not supported by most Active Directory configurations.
- If you selected User Credentials as your authorization access method, complete the Authorized User and Password fields.
- Enter the Base distinguished name (DN). When you configure GAPS for the first time, your Active Directory domain's default base DN is detected and added here. You can edit it, if required.
If you're using GADS, this setting is usually identical to the GADS Base DN setting.
- Enter the Mail Attribute. This is your Active Directory domain's mail attribute that contains each user's Google Apps email address. In most cases, this attribute is “mail.” The values stored here must exactly match the Google Apps email address, including the domain part of the address.
If you're using the Replace domain names in LDAP email addresses option in GADS, it may not be "mail." Therefore, make sure you use an attribute that matches the email address in Google Apps.
- Click Next. The application tests the connection settings you provided and alerts you if there are any errors. Review for any error messages. The Summary screen should show the configuration is saved and the service is running.
- Click Finish.
- Repeat this section for each of the domain controllers in your domain.
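The Mail Attribute step above requires each user's attribute value to match the Google Apps email address exactly, including the domain part. The following PowerShell is an added example of a pre-flight check for that requirement, not part of GAPS or of Google's documentation; the function name, the status labels and the sample users are constructed, and the list of Google Apps addresses is assumed to come from an export of your user list.

```powershell
# Added example. On a domain controller, $AdUsers would typically come from
#   Get-ADUser -Filter * -SearchBase $baseDn -Properties mail
# The sample data below is constructed so the check runs without Active Directory.
function Test-GapsMailAttribute {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,
        [Parameter(Mandatory)] [string[]] $GoogleAddresses,
        [Parameter(Mandatory)] [string]   $PrimaryDomain,
        [string] $MailAttribute = 'mail'
    )
    $exact  = [System.Collections.Generic.HashSet[string]]::new($GoogleAddresses, [System.StringComparer]::Ordinal)
    $nocase = [System.Collections.Generic.HashSet[string]]::new($GoogleAddresses, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($u in $AdUsers) {
        $mail = [string]$u.$MailAttribute
        # Classify why a value would fail an exact match, most basic problem first.
        $status = if ([string]::IsNullOrEmpty($mail)) { 'EmptyAttribute' }
            elseif ($mail -cne $mail.Trim())           { 'SurroundingWhitespace' }
            elseif ($exact.Contains($mail))            { 'OK' }
            elseif ($nocase.Contains($mail))           { 'CaseDiffers' }
            elseif ($mail -notlike "*@$PrimaryDomain") { 'DomainPartDiffers' }
            else                                       { 'NoGoogleAppsAccount' }
        [pscustomobject]@{ User = $u.SamAccountName; Mail = $mail; Status = $status }
    }
}

# Constructed sample input.
$adUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = 'Bob@example.com' }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = 'carol@corp.example.local' }
    [pscustomobject]@{ SamAccountName = 'dave';  mail = $null }
    [pscustomobject]@{ SamAccountName = 'erin';  mail = 'erin@example.com ' }
)
$google = 'alice@example.com', 'bob@example.com', 'carol@example.com', 'erin@example.com'

Test-GapsMailAttribute -AdUsers $adUsers -GoogleAddresses $google -PrimaryDomain 'example.com' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Pass `-MailAttribute` when the wizard is configured with an attribute other than "mail", for example when GADS replaces domain names in LDAP email addresses.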
GAPS is now installed and running. Any password changes made to a user's Active Directory account are automatically updated in Google Apps as well. However, GAPS doesn't sync your existing Active Directory passwords to Google Apps; it only syncs password changes.
Be sure to instruct your users to change their Active Directory passwords (as described in step 8) to sync their passwords to Google Apps.
Complete the sync process
Step 8: Instruct users to change their Active Directory passwords
GAPS won't sync an Active Directory password with Google Apps until it's changed. Therefore, you need to have your users change their Active Directory passwords to complete the sync process. We recommend that you prompt your Active Directory users to change their password the next time they sign in.
When adding new users, we recommend following this workflow:
- In Active Directory, create the new user with an initial generic password and check the User must change password at next logon box.
- Run GADS to provision the user in Google Apps.
- Have the user sign in and change the initial password. GAPS updates the new password in Google Apps within a few minutes.
- Have the user sign in to Google Apps with their new password. Any subsequent Active Directory password changes are automatically synced to Google Apps by GAPS.
You’ve successfully set up and configured GAPS. To avoid synchronization issues, we recommend these maintenance checks:
Prevent users from changing their Google Apps passwords
To keep Active Directory passwords in sync with Google Apps, passwords must be changed only in Active Directory.
To prevent users from changing their password in Google Apps:
- Use Google Sites to create an internal webpage that instructs users to change their Microsoft Windows password instead of their Google Apps password. Copy the URL of the page.
- Sign in to the Google Admin console.
- Click Security.
- Click Set up single sign-on (SSO).
- In the Change password URL field, enter the URL of the page you created.
- Click Save.
Any user who attempts to change their Google Apps password will be directed to your page with the instructions. For details on this process, see Set up Single Sign-On (SSO) for Google Apps accounts.