Set up Google Apps Password Sync

The Google Apps Password Sync (GAPS) tool updates Google Apps passwords directly from a Microsoft® Active Directory® environment. The steps below walk you through how to set up and configure GAPS.

Before you begin

Before you proceed, make sure of the following:

  • You are a Google Apps administrator for your organization. Only administrators can complete the steps in this guide.
  • You are a Google Apps for Work, Education, or Government customer.
  • You are a Domain Admin on your Active Directory domain.
  • You meet the system requirements.

Preparing to install GAPS

Step 1. Add your users to Google Apps

If you haven't done so already, make sure you've created Google Apps accounts for all of your users.

  • Using GADS to add users: The recommended way to add users to Google Apps in an Active Directory environment is with Google Apps Directory Sync (GADS). GADS automatically syncs user accounts in Google Apps with the user accounts in your Active Directory system.

    To do this, you need to set the User Accounts > Additional User Attributes > Synchronize Passwords setting in GADS to Only for new users. Otherwise, passwords may become out of sync when you run GADS.

  • Use another method to add users: If you don't want to use GADS, you can see your other choices in Options for adding users.

Step 2. Enable the Directory API

GAPS requires the Directory API (version 1) to be enabled in Google Apps. If you are already using GADS, this API is enabled.

For details on how to enable the Directory API, see Administrative APIs.

Install GAPS

Step 3. Install GAPS on your Active Directory servers

Do the following steps on each of your Active Directory servers (Domain Controllers):

  1. Log in to the Domain Controller as a Domain Admin from the Domain Controller's domain (a Domain Admin who's a member of a different Active Directory domain won't work).
  2. Download GAPS.
  3. Open the installer, GoogleAppsPasswordSync.msi, included in the download. Make sure you download the correct edition for your operating system (32-bit or 64-bit).
  4. Complete the steps indicated by the installer.
  5. Restart the server.

Important: If your organization has more than 20 Domain Controllers, we recommend you create a new Google Apps Admin account for every 20 Domain Controllers you intend to authorize for GAPS. For details, see Troubleshooting GAPS.

Configure GAPS

Step 4. Configure GAPS on your Active Directory servers

Do the following steps on each of your Active Directory servers (Domain Controllers):

  1. Open Google Apps Password Sync from the Start menu.
  2. Click Next.
  3. Specify your primary Google Apps domain and your administrator email address and click Authorize Now.
  4. Click Continue without changing any of the settings.
  5. A Google Apps login page opens in a browser. If needed, provide your administrator username and password and click Sign in.
  6. Click Accept.
  7. You should see the message "Authorization has been granted successfully. Please switch to your application." Close your browser and return to GAPS. Your Google Apps configuration should be marked as authorized.

    Note: If the application still says "Not authorized," the authorization has failed. This can happen for the following reasons:

    • The Google Apps user you provided isn't a super administrator in your Google Apps domain
    • The time and timezone on your server aren't set correctly
  8. Click Next.
  9. On the Active Directory Configuration screen, specify the following in the corresponding fields:

    GAPS configuration (each field, followed by what to do)

    Use Anonymous access
        GAPS uses Active Directory Services Interfaces (ADSI) for authentication. Anonymous access to query your Active Directory isn't recommended. Leave this box unchecked.

    Authorized user
        The user on whose behalf GAPS will act. The user doesn't have to be a Domain Admin, but it can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects."

        This user will only be used to get the email addresses of users from Active Directory, so it must have access to read the mail attribute for all the users whose passwords you wish to sync.

    Password
        The authorized user's password.

    Base DN
        Your Active Directory domain's base distinguished name (DN). If you are using GADS, this setting should be identical to the Base DN setting in GADS.

        When first configuring GAPS, your domain's default base DN is automatically detected and added here. You can edit it, if required.

    Mail attribute
        Your Active Directory domain's mail attribute, which specifies a user's Google Apps email address. In most installations, this attribute is mail.

        Make sure that the mail attribute includes email addresses that are identical to your users' addresses on Google Apps, including the domain part of the address.

        If you're using the "Replace domain names in LDAP email addresses" option in GADS, this may not be the case. In that situation, make sure you use an attribute that matches the email address in Google Apps.

  10. Click Next. The application will test the connection settings you provided and alert you if there are any errors. The summary screen should show your configuration as saved and your service as running.
  11. Click Finish.

GAPS is now up and running. Any password changes made to a user's Active Directory account are automatically updated in Google Apps as well.

Remember: GAPS doesn't sync your existing Active Directory passwords to Google Apps; it only syncs password changes. Be sure to instruct your users to change their Active Directory passwords (as described in step 5) to sync passwords to Google Apps.
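
The following PowerShell check is an added example, not part of GAPS or of this guide: it audits the mail attribute described in step 9 so that empty, mismatched, or duplicate addresses are found before a password change fails to sync. The function name, the sample users, and the example.com domain are constructed for illustration.

```powershell
# Added example: audit the mail attribute that GAPS reads for each user.
# Test-GapsMailAttribute is a hypothetical helper, not a GAPS or AD cmdlet.
function Test-GapsMailAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Domains that exist in your Google Apps account (assumption: you list them).
        [Parameter(Mandatory)] [string[]] $GoogleDomains
    )
    begin { $seen = @{} }
    process {
        $mail    = [string]$User.mail      # $null becomes an empty string
        $key     = $mail.ToLower()
        $problem = $null
        if ([string]::IsNullOrWhiteSpace($mail)) {
            # Also the result when the querying account cannot read the attribute.
            $problem = 'mail attribute is empty or unreadable'
        } elseif ($mail -notmatch '^[^@\s]+@[^@\s]+$') {
            $problem = 'mail attribute is not a single email address'
        } elseif ($GoogleDomains -notcontains $mail.Split('@')[1]) {
            $problem = 'domain part is not a Google Apps domain'
        } elseif ($seen.ContainsKey($key)) {
            $problem = "same address as $($seen[$key])"
        } else {
            $seen[$key] = $User.SamAccountName
        }
        if ($problem) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Mail           = $mail
                Problem        = $problem
            }
        }
    }
}

# Constructed sample input so the check can be tried without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@example.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   mail = 'bob@corp.example.local' }
    [pscustomobject]@{ SamAccountName = 'carol'; mail = $null }
    [pscustomobject]@{ SamAccountName = 'dave';  mail = 'Alice@example.com' }
)
$sample | Test-GapsMailAttribute -GoogleDomains 'example.com'

# Live use (ActiveDirectory module). Supplying the GAPS authorized user's
# credentials also confirms that account can read the attribute:
# Get-ADUser -SearchBase 'DC=example,DC=com' -Filter * -Properties mail `
#     -Credential (Get-Credential) | Test-GapsMailAttribute -GoogleDomains 'example.com'
```

With the sample input, bob, carol, and dave are reported and alice is not.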

Complete the sync process

Step 5. Instruct users to change their Active Directory passwords

GAPS won't sync an Active Directory password with Google Apps until it's changed. Have your users change their Active Directory passwords to complete the sync process. It's recommended that you force your Active Directory users to change their password the next time they log in.

When creating new users, it's recommended to follow this workflow:

  1. In Active Directory, create the new user with an initial generic password and check the User must change password at next logon box.
  2. Run GADS to provision the user in Google Apps.
  3. Let the user log in to their machine and replace the initial password.
  4. GAPS will update the new password on Google Apps within a few minutes.
  5. Let the user log in to Google Apps with their new password chosen in step 3.
  6. Any subsequent password changes will be automatically synced to Google Apps by GAPS.
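
Because GAPS only sees passwords that change after it is running, the accounts still out of sync are the ones whose password predates the installation. The PowerShell below is an added example, not part of GAPS or of this guide, that sorts accounts by what needs to happen next; the function name, the sample users, and the date are constructed, and the date should be when GAPS was configured on your last Domain Controller.

```powershell
# Added example: list accounts whose password GAPS has not had a chance to sync.
# Get-GapsPendingUser is a hypothetical helper, not a GAPS or AD cmdlet.
function Get-GapsPendingUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [datetime] $GapsRunningSince
    )
    process {
        if (-not $User.Enabled) { return }               # disabled accounts cannot log in
        if ($null -eq $User.PasswordLastSet) {
            # Empty when "User must change password at next logon" is already set.
            $state = 'ChangeAlreadyForced'
        } elseif ($User.PasswordLastSet -ge $GapsRunningSince) {
            return                                       # changed after GAPS was installed
        } elseif ($User.PasswordNeverExpires -or $User.CannotChangePassword) {
            # Set-ADUser rejects -ChangePasswordAtLogon $true when the password
            # never expires, and a user who cannot change it could not comply.
            $state = 'ReviewManually'
        } else {
            $state = 'ForceChange'
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            State           = $state
        }
    }
}

# Constructed sample input and install date.
$since  = Get-Date '2015-03-01'
$sample = @(
    [pscustomobject]@{ SamAccountName='alice'; Enabled=$true; PasswordLastSet=(Get-Date '2015-03-10'); PasswordNeverExpires=$false; CannotChangePassword=$false }
    [pscustomobject]@{ SamAccountName='bob';   Enabled=$true; PasswordLastSet=(Get-Date '2014-11-02'); PasswordNeverExpires=$false; CannotChangePassword=$false }
    [pscustomobject]@{ SamAccountName='svc';   Enabled=$true; PasswordLastSet=(Get-Date '2013-06-15'); PasswordNeverExpires=$true;  CannotChangePassword=$false }
    [pscustomobject]@{ SamAccountName='carol'; Enabled=$true; PasswordLastSet=$null;                   PasswordNeverExpires=$false; CannotChangePassword=$false }
)
$sample | Get-GapsPendingUser -GapsRunningSince $since

# Live use (ActiveDirectory module); remove -WhatIf to apply the change:
# Get-ADUser -SearchBase 'DC=example,DC=com' -LDAPFilter '(mail=*)' `
#     -Properties PasswordLastSet, PasswordNeverExpires, CannotChangePassword |
#   Get-GapsPendingUser -GapsRunningSince $since | Where-Object State -eq 'ForceChange' |
#   ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf }
```

With the sample input, bob is marked ForceChange, svc ReviewManually, and carol ChangeAlreadyForced; alice is omitted because her password changed after the install date.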


Prevent users from changing their Google Apps passwords directly

In order for GAPS to keep Active Directory passwords in sync with Google Apps, passwords must be changed only from Active Directory.

To prevent users from changing their password from Google Apps:

  1. Create an internal webpage with Google Sites that instructs users to change their Windows password instead of their Google Apps password. Copy the URL of the page.
  2. Sign in to the Google Admin console.
  3. Click Security.
  4. Click Set up single sign-on (SSO).
  5. In the Change password URL field, provide the URL of the page you created.
  6. Click Save.

Any user who attempts to change their Google Apps password will be directed to your page, which instructs them to change their Windows password instead.

Note: You need to upload a certificate before saving changes to your SSO settings.

You're done!

