Set up Password Sync

You can use Password Sync to update your users' Google Workspace and Cloud Identity passwords directly from Microsoft Active Directory. Learn more about Password Sync.

Password Sync is available to Google Workspace and Cloud Identity administrators.

Before you begin

Make sure:

  • You're an administrator for your organization. Only administrators can complete the steps to set up Password Sync.
  • You're a domain administrator for your Active Directory domain.
  • You meet the system requirements.

Important: Password Sync only syncs Active Directory password changes to your organization's Google Account. To complete the sync process, your users must change their Active Directory passwords after Password Sync is set up on all writable domain controllers.

Prepare to install Password Sync

Step 1: Choose your Google authentication method

Password Sync uses one of the following authentication methods:

  • A service account
  • 3-legged OAuth

We recommend using a service account for Password Sync authentication. To use a service account, you must be planning to install Password Sync version 1.6 or later. For more information on Password Sync authentication methods, go to Choose your Google authentication method.

Step 2: Create a service account
If you're using a service account as your authentication method, you need to create a service account for Password Sync in the Google Cloud Console. For details, go to Authorize Password Sync for your domain.
Step 3: Add users to your Google domain

If you haven't already, you need to create Google Accounts for all of your users. Then you can add users by:

  • Using Google Cloud Directory Sync—The recommended way to add users to your account in an Active Directory environment is with Google Cloud Directory Sync (GCDS). GCDS automatically syncs user accounts in your Google domain with user accounts in your Active Directory system.

    To sync, you need to set the Additional User Attributesand thenSynchronize Passwords setting in GCDS to Only for new users, and uncheck the Force new users to change password box. Otherwise, passwords might become out of sync when you run GCDS. Learn more

  • Using another method—If you don't want to use GCDS, go to Options for adding users.

Install & configure Password Sync using the configuration wizard

This section describes how to install Password Sync using the configuration wizard. For instructions on how to install Password Sync from the command line, go to Install and configure Password Sync from the command line.

Step 4: Download Password Sync

Do the following on each of your Active Directory servers (domain controllers):

  1. Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
  2. Download Password Sync. Ensure you download the correct edition for your operating system (32-bit or 64-bit).
  3. (Optional) If you're using a service account, copy your service account JSON file to your domain controller. If you haven’t already created your service account, go to Authorize Password Sync for your domain.
Step 5: Install Password Sync

The installer you run depends on your host architecture (32-bit or 64-bit).

  1. Run an installer option:
    • gsuitepasswordsync32.msi
    • gsuitepasswordsync64.msi
  2. Complete the installer steps.
  3. Restart the server.
Step 6: Configure Password Sync
  1. From the Start menu, open Password Sync.
  2. Click Next.
  3. Specify your Admin Email Address.

    The email address of the administrator Password Sync uses to perform the password updates. The administrator's address also appears in the audit logs in the Admin console.

    Important: Make sure this administrator has signed in to the Google Admin console and accepted the Terms of Service before you continue.

  4. Set up your authentication method (service account or 3-legged OAuth).

    If you're using a service account:

    1. Select Service Account.
    2. Click Load Credentials and select your service account JSON file.

      The Status value should change to Authorized.

      Note: The JSON file has a key that allows access to your Google domain. After authentication, remove the file from the system.

    If you're using 3-legged OAuth:

    1. Select 3-legged OAuth.
    2. Click Authorize Now.
    3. When prompted, sign in to your Google Account using the email address entered earlier. Click Continue.
    4. If prompted, provide your administrator username and password and click Sign in.
    5. Click Allow.

      You should see "Authorization has been granted successfully. Please switch to your application."

    6. Close your browser and return to Password Sync. The Status value should change to Authorized.

    Note: If the Password Sync screen doesn't display Authorized, authorization was unsuccessful and you should refer to the error message at the bottom of the Password Sync configuration screen. Authorization can be blocked for several reasons, typically:

    • The user isn't a super administrator for your Google domain.
    • The time and time zone on your server aren't set correctly.
  5. Click Next.
  6. Select the authorization access method for Password Sync to use to query Active Directory. The options available are described below.
    Authorization access method Description
    Application’s Security Context

    The default and recommended setting. The Password Sync service runs in the security context of the NetworkService account, not a user account.

    It's the only option supported on Server Core domain controllers or when you configure Password Sync from the command line.

    Anonymous Password Sync uses Active Directory Service Interfaces (ADSI) for authentication purposes. Anonymous access isn't recommended as most Active Directory configurations do not support it.
    User Credentials

    The authorized user that Password Sync acts on behalf of. The user doesn't have to be a domain administrator. It can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects".

    This user is only used to get the email addresses of users from Active Directory. Therefore, it must have access to read the mail attribute for all the users whose passwords you want to sync.

  7. If you selected User Credentials as your authorization access method, complete the Authorized User and Password fields.
  8. Enter the Base distinguished name (DN).

    When you set up Password Sync for the first time, your Active Directory domain's default base DN is detected and added here. You can edit it, if necessary. If you're using GCDS, this setting is usually identical to the GCDS Base DN setting.

  9. Enter the Mail Attribute.

    Your Active Directory domain's mail attribute that contains each user's Google email address. Usually, this attribute is “mail.” The values stored here must exactly match the Google email address, including the domain part of the address.

    If you're using the Replace domain names in LDAP email addresses option in GCDS, it might not be "mail." Therefore, make sure you use an attribute that matches the email address in Google.

  10. Click Next.

    The application tests the connection settings you provided and alerts you to any errors. Review any error messages. The Summary screen should show the configuration is saved and the service is running.

  11. Click Finish.
  12. Repeat this section for each domain controller in your domain.

Password Sync is now installed and running. Any password changes made to a user's Active Directory account are automatically updated for your Google users as well. However, Password Sync doesn't sync your existing Active Directory passwords to Google—it only syncs password changes.

Tell your users to change their Active Directory password (as described in step 7 below) to sync the password to their Google Account.

Complete & maintain

Step 7: Instruct users to change their Active Directory passwords

Password Sync won't sync an Active Directory password with a Google Account until it's changed. Therefore, you need to have your users change their Active Directory passwords to complete the sync process. We recommend you prompt your Active Directory users to change their password the next time they sign in.

When adding new users, we recommend following this workflow:

  1. In Active Directory, create the user with an initial generic password and check the User must change password at next logon box.
  2. Run GCDS to provision the user in your Google domain. Learn more

    Important: Make sure GCDS doesn't force users to change passwords after Password Sync syncs them. To prevent this action, uncheck the Force new users to change password box setting in Configuration Managerand thenUser Accountsand thenAdditional User Attributes. Learn more

  3. Have the user sign in and change the initial password. Password Sync syncs the new password with the Google Account within a few minutes.

    Note: Google passwords must adhere to the name and password guidelines.

  4. Have the user sign in to their Google Account with their new password. Password Sync automatically syncs any subsequent Active Directory password changes to Google.
Prevent users from changing their Google passwords

To ensure your users change their passwords in Active Directory:

Step 1: Do not turn on non-admin password recovery

Make sure non-admin password recovery is not turned on. Learn more

Step 2: Instruct users to change their Microsoft Windows password

  1. Use Google Sites to create an internal page with instructions on how users can change their Windows password instead of their Google password.
  2. Copy the URL of the page.
  3. Sign in to the Google Admin console.
  4. Click Security.
  5. Click Set up single sign-on (SSO) with a third party IdP.
  6. In the Change password URL field, enter the URL of the page you created in step 1.

    Note: You do not need to check the Set up SSO with third-party identity provider box.

  7. Click Save.

Any user who attempts to change their Google password is directed to your page with the correct instructions. For details on this process, go to Set up single sign-on for managed Google Accounts using third-party Identity providers.

Note: Super administrators bypass SSO settings on Google Workspace. When a super administrator attempts to change their password, they’re redirected to their Google Account. Learn more

Upgrading Password Sync

As we add features, enhancements, and fixes to Password Sync, we'll release updates. We recommend you use the latest version of the software. Learn more

There are three methods for upgrading Password Sync:

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center