Set up Password Sync

5. Configure Password Sync

This section describes how to set up Password Sync using the configuration wizard. For instructions on how to set up using the command line, go to Install & configure Password Sync from the command line.

Next, you need to add your Google Workspace domain and authentication method.

You're on step 5 of 7

"" "" "" "" "" "" ""

Step 1: Add your Google Workspace domain

  1. From the Start menu, click Password Syncand thenYesand thenNext.
  2. Add your Google Workspace administrator email address.

    Password Sync uses this email address to perform password updates. The address also appears in the audit logs in the Google Admin console.

    Important: Before you continue, make sure this administrator has signed in to the Admin console and accepted the Terms of Service.

Step 2: Set up your authentication method

If you're using a service account:

  1. Select Service Account.
  2. Click Load Credentials and select your service account JSON file.

    The Status value should change to Authorized.

    Note: The JSON file has a key that allows access to your Google domain. After authentication, remove the file from the system.

If you're using 3-legged OAuth:

  1. Select 3-legged OAuthand thenAuthorize Now.
  2. When prompted, sign in to your Google Account with the email address used when you set up 3-legged OAuth and click Continue.
  3. If prompted, provide your administrator username and password and click Sign in.
  4. Click Allow.

    You should see "Authorization has been granted successfully. Please switch to your application."

  5. Close your browser and return to Password Sync. The Status value should change to Authorized.

  6. If the Password Sync screen doesn't display Authorized, refer to the error message at the bottom of the Password Sync configuration screen. Typically, authorization is blocked because the user isn't a super administrator or the time and time zone on your server aren't set correctly.

Step 3: Set up authorization access method

  1. Click Next.
  2. Select the authorization access method for Password Sync to use to query Microsoft Active Directory. For details, go to Authorization access methods (below).
  3. For Base distinguished name (DN), accept the default or enter another base DN.

    If you're using Google Cloud Directory Sync (GCDS), this setting is usually identical to the GCDS base DN setting.

  4. For Mail Attribute, enter your Active Directory domain's mail attribute that contains each user's Google email address (usually, "mail").

    The values in the attribute must exactly match the Google email address, including the domain part of the address. If you're using the Replace domain names in LDAP email addresses option in GCDS, it might be another attribute.

  5. Click Next.

    The Summary screen shows the configuration is saved and the service is running.

  6. Click Finish.
  7. Repeat these steps for each domain controller in your domain.

Authorization access methods

Access method Description
Application’s Security Context

The default and recommended setting. Password Sync runs in the security context of the NetworkService account, not a user account.

If you have Server Core domain controllers or you’re configuring Password Sync from the command line, you must choose this option.

Anonymous Password Sync uses Active Directory Service Interfaces (ADSI) for authentication purposes.

We don’t recommend Anonymous access, as it isn’t supported by most Active Directory configurations.

User Credentials

Password Sync acts on behalf of an authorized user. The user doesn't have to be a domain administrator. It can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects."

The authorized user retrieves the email addresses of users from Active Directory. They must have access to read the mail attribute for all the users whose passwords you want to sync.

If you select this option, complete the Authorized User and Password fields.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center