GAPS Configuration Guide - Release 1.1

This guide will walk you through the steps to get Google Apps Password Sync (GAPS) up and running for your organization.

Before you proceed, make sure of the following:

  • You are a Google Apps administrator for your organization. Only administrators can complete the steps in this guide.
  • You are a Google Apps for Business, Education, or Government customer.
  • You are a Domain Admin on your Active Directory domain.
If you are not using Active Directory and want to sync passwords to Google Apps, see Google Apps Directory Sync: Additional User Attributes.

Add your users to Google Apps

If you haven't done so already, make sure you've created Google Apps accounts for all of your users. The recommended way to add users to Google Apps in an Active Directory environment is with Google Apps Directory Sync (GADS). GADS automatically syncs user accounts in Google Apps with the user accounts in your Active Directory system.

If you are using GADS, you need to set the User Accounts > Additional User Attributes > Synchronize Passwords setting in GADS to Only for new users. Otherwise, passwords may become out of sync when you run GADS.

If you do not want to use GADS to sync users, read Options for adding users for other methods.


Enable the Provisioning API

GAPS requires the Provisioning API to be enabled in Google Apps in order to set user passwords.

Read Administrative APIs to learn how to enable the Provisioning API for your domain. If you are already using GADS, this should already be enabled.


Install and configure GAPS on your Active Directory servers

To install and configure GAPS, do the following on each of your Active Directory servers (Domain Controllers):

  1. Log in to the Domain Controller as a Domain Admin from the Domain Controller's domain (a Domain Admin who's a member of a different Active Directory domain won't work).
  2. Download GAPS.
  3. Open the installer, GoogleAppsPasswordSync.msi, included in the download. Make sure you download the correct edition for your operating system (32-bit or 64-bit).
  4. Complete the steps indicated by the installer.
  5. Restart the server.
  6. Open Google Apps Password Sync from the Start menu.
  7. On the welcome screen, click Next.
  8. On the Google Apps Configuration screen, specify your primary Google Apps domain and your administrator email address in the appropriate fields, and click Authorize Now. The following dialog appears:
  9. Don't change any of the settings in the dialog, such as the Remember Me box; just click Continue.
  10. A Google Apps login page opens in a browser. If needed, provide your administrator username and password and click Sign in.
  11. Click Accept on the following page:

  12. A page appears with the message "Authorization has been granted successfully. Please switch to your application." Close your browser and return to GAPS. Your Google Apps configuration should be marked as authorized.
  13. Click Next.

  14. On the Active Directory Configuration screen, specify the following in the corresponding fields: 
    Anonymous access to query your Active Directory is not recommended. Leave this box unchecked.
    • The authorized user that GAPS will act on behalf of. The user doesn't have to be a Domain Admin, but it can be a role account with the following permissions: List Contents, Read All Properties, Read Permissions, and All Validated Writes applied to "This object and all child objects".
      • This user will only be used to get the email addresses of users from Active Directory, so it must have access to read the mail attribute for all the users whose passwords you wish to sync.
    • The authorized user's password
    • Your Active Directory domain's base distinguished name (DN). If you are using GADS, this setting should be identical to the Base DN setting in GADS.
      When first configuring GAPS, your domain's default base DN will be automatically detected, and you can edit it if needed.
    • Your Active Directory domain's mail attribute, which specifies a user's Google Apps email address. In most installations, this attribute is mail.
    Make sure that the mail attribute includes email addresses that are identical to your users' addresses on Google Apps, including the domain part of the address. If you're using the "Replace domain names in LDAP email addresses" option in GADS, this may not be the case.
  15. Click Next. The Summary screen should show your Configuration as saved and your Service as running.
  16. Click Finish.
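
The mail attribute requirement in step 14 can be checked across the directory before you rely on GAPS. The following is an added example, not part of the original guide or of GAPS itself; it uses the ActiveDirectory PowerShell module, and the base DN and domain list are placeholders you must replace with the values you entered in GAPS.

```powershell
# Added example: list enabled users whose mail attribute would not match
# a Google Apps address (missing, malformed, or in an unexpected domain).
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the guide):
$BaseDn        = 'DC=example,DC=com'      # same Base DN as entered in GAPS
$GoogleDomains = @('example.com')         # domains your Google Apps addresses use
$MailAttr      = 'mail'                   # mail attribute as entered in GAPS

function Test-GapsMailValue {
    param([string]$Mail, [string[]]$Domains)
    if ([string]::IsNullOrWhiteSpace($Mail)) { return 'missing' }
    $parts = $Mail.Trim().Split('@')
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) { return 'malformed' }
    # -notcontains compares case-insensitively, which suits domain names
    if ($Domains -notcontains $parts[1]) { return 'wrong-domain' }
    return 'ok'
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BaseDn -Properties $MailAttr

$report = foreach ($u in $users) {
    $status = Test-GapsMailValue -Mail $u.$MailAttr -Domains $GoogleDomains
    if ($status -ne 'ok') {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.$MailAttr
            Problem        = $status
        }
    }
}

# Review and correct these accounts in Active Directory.
$report | Sort-Object Problem, SamAccountName | Format-Table -AutoSize
```

If you use the "Replace domain names in LDAP email addresses" option in GADS, expect wrong-domain results here, since the stored mail value then differs from the Google Apps address.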

Google Apps Password Sync is now up and running. Any password changes made to a user's Active Directory account are automatically updated in Google Apps as well.

GAPS doesn't sync your existing Active Directory passwords to Google Apps; it only syncs password changes. Be sure to instruct your users to change their Active Directory passwords (as described in step 5) to sync passwords to Google Apps.

Prevent users from changing their Google Apps passwords directly

In order for GAPS to keep Active Directory passwords in sync with Google Apps, passwords must be changed only from Active Directory.

To prevent users from changing their password from Google Apps:

  1. Create an internal webpage with Google Sites that instructs users to change their Windows password instead of their Google Apps password. Copy the URL of the page.
  2. Sign in to the Google Admin console.
  3. Click Security > Advanced settings.
  4. Click Set up single sign-on (SSO).
  5. In the Change password URL field, provide the URL of the page you created.
  6. Click Save changes.

When a user attempts to change their Google Apps password, they will be directed to your page that instructs them to change their Windows password instead.


Instruct users to change their Active Directory passwords

GAPS won't sync an Active Directory password with Google Apps until it's changed. Have your users change their Active Directory passwords to complete the sync process. It's recommended that you force your Active Directory users to change their password the next time they log in.
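
Because GAPS only syncs password changes, any account whose password was last set before GAPS was running has not been synced yet. The following added example (not from the original guide) lists those accounts and previews forcing a change at next logon; the base DN and the go-live date are placeholders, and the ActiveDirectory PowerShell module is assumed.

```powershell
# Added example: find users GAPS has not yet synced and flag them for a
# password change at next logon.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the guide):
$BaseDn       = 'DC=example,DC=com'
$GapsLiveDate = Get-Date '2000-01-01 00:00'   # when GAPS was running on ALL Domain Controllers

$pending = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $BaseDn `
        -Properties PasswordLastSet, PasswordNeverExpires, mail |
    Where-Object {
        # PasswordLastSet is $null when a change at next logon is already
        # forced (pwdLastSet = 0); those accounts need no further action.
        $_.PasswordLastSet -and $_.PasswordLastSet -lt $GapsLiveDate
    }

$pending |
    Select-Object SamAccountName, mail, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

foreach ($u in $pending) {
    if ($u.PasswordNeverExpires) {
        # ChangePasswordAtLogon cannot be set to $true on these accounts.
        Write-Warning "$($u.SamAccountName): PasswordNeverExpires is set; handle manually"
        continue
    }
    # -WhatIf only previews the change; remove it to apply.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
}
```

Rerun the listing after users have logged in; accounts that still appear have not changed their password since GAPS went live.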

When creating new users, it's recommended to follow this workflow:

  1. In Active Directory, create the new user with an initial generic password and tick the User must change password at next logon checkbox.
  2. Run GADS to provision the user in Google Apps.
  3. Let the user log in to their machine and replace the initial password.
  4. GAPS will update the new password on Google Apps within a few minutes.
  5. Let the user log in to Google Apps with their new password that they chose in step 3.
  6. Any subsequent password changes will be automatically synced to Google Apps by GAPS.

You're done!