Troubleshoot Password Sync

If you're experiencing issues with setting up Password Sync, review these solutions to common issues.

Before you begin

Before you begin troubleshooting, make sure you meet all the system requirements and have fully completed the setup steps. For details, go to Set up Password Sync.

Troubleshooting options

Option 1: Automatic troubleshooting

Use the Password Sync Support Tool (an open-source tool by Google) to gather Password Sync logs and troubleshooting information from all domain controllers.

  1. Click the link to download the Password Sync Support Tool.
  2. Run the tool, then locate and open the ZIP file on the desktop of your computer.
  3. Extract the trace logs and submit them to the Google Admin Toolbox Log Analyzer.

Most issues can be identified within a few moments of submission.

Google Workspace support does not offer support for the Password Sync Support Tool.

Option 2: Manual troubleshooting

If the automatic troubleshooting step doesn't resolve your problem, or if you couldn't run the Password Sync Support Tool, you can manually collect the troubleshooting information. Some steps in this task require that you run console commands.

Step 1: List your domain controllers

  1. Make sure you're a member of the Domain Admins group.

    For details, go to Password Sync installer was unsuccessful (later on this page).

  2. In the Start menu, click Windows System and then Command Prompt.

    Depending on your system, you might need to right-click Command Prompt and click More and then Run as administrator.

  3. To list your domain controllers, enter the following command:

    nltest /dclist:your-ad-domain

    Replace your-ad-domain with the name of your Active Directory domain.

Step 2: Verify the following on each domain controller

  • Make sure the correct version of Password Sync (32-bit or 64-bit) is installed on the server and that you have restarted the server after installing Password Sync.
  • Make sure your network and proxy settings are set up correctly.

    For details, go to Configure proxy settings for Password Sync (later on this page).

  • Using Microsoft Internet Explorer, the Chromium-based version of Microsoft Edge, or a Google Chrome browser, check you can access https://www.googleapis.com/.

    It's OK if this page shows a Google error or Not Found. Make sure the page doesn't show a certificate error or any requests for proxy authentication. Authenticated proxy servers are not supported.

  • To copy your current user's proxy settings to the system-wide proxy settings, enter the following command:

    netsh winhttp import proxy ie

  • If you aren't using a proxy server, but are encountering proxy-related issues, to troubleshoot, enter the following command:

    bitsadmin /util /setieproxy networkservice no_proxy

  • To check that the Password Sync DLL is registered on the machine, enter the following command:

    reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"

    The output should include the text password_sync_dll. If it doesn't, reinstall Password Sync.

  • To verify that the Password Sync DLL is loaded, enter the following command:

    tasklist /m password_sync_dll.dll

    The process lsass.exe should be listed in the results. If it isn't listed, the DLL isn't loaded. Verify that the DLL is registered and the edition (32-bit or 64-bit) matches the system. Then, restart your computer so that the DLL loads.

Step 3: Check that Password Sync has started

To check that the Password Sync service has started, enter the sc query "Password Sync" command (replace Password Sync with G Suite Password Sync if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync for version 1.6 or earlier).

If the query output says:

  • STATE: RUNNING—Password Sync is running
  • STATE: STOPPED—Password Sync isn't running
  • The specified service does not exist as an installed service—Password Sync isn't installed.

If Password Sync isn’t running, enter the sc start "Password Sync" command (replace Password Sync with G Suite Password Sync if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync for version 1.6 or earlier).

If Password Sync isn’t installed, complete the steps in Configure Password Sync.
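
The Step 2 and Step 3 checks above, collected into one read-only PowerShell function. This is an added example, not part of the original page or of Google's tooling; the function name Test-PasswordSyncHost is hypothetical. The web request uses the signed-in user's proxy settings, like the browser test, so compare its result with the WinHTTP proxy it reports.

```powershell
# Added example (not Google's code): read-only Password Sync checks for one DC.
# Run in an elevated PowerShell session on the domain controller itself.
function Test-PasswordSyncHost {
    # Service names by version, as listed in Step 3.
    $serviceNames = 'Password Sync', 'G Suite Password Sync', 'Google Apps Password Sync'

    # Registered? Every entry in this REG_MULTI_SZ value is a DLL that LSASS loads
    # and notifies of password changes, so report the whole list for review.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
    $registered = @($packages -match 'password_sync_dll').Count -gt 0

    # Loaded? tasklist lists lsass.exe only if the module is mapped into it.
    $loaded = @(tasklist.exe /m password_sync_dll.dll 2>$null |
                Select-String -SimpleMatch 'lsass.exe').Count -gt 0

    # Service state; an empty result means none of the known names is installed.
    $svc = Get-Service -Name $serviceNames -ErrorAction SilentlyContinue | Select-Object -First 1
    $svcState = if ($svc) { "$($svc.Name): $($svc.Status)" } else { 'not installed' }

    # System-wide (WinHTTP) proxy, which is what `netsh winhttp import proxy ie` sets.
    $proxy = (netsh.exe winhttp show proxy | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ' | '

    # Same test as the browser check: an HTTP error page is fine; a TLS failure
    # or a 407 proxy-authentication challenge is not.
    $code = 0; $netErr = ''
    try {
        $code = [int](Invoke-WebRequest -Uri 'https://www.googleapis.com/' -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        $netErr = $_.Exception.Message
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    }
    $google = switch ($code) {
        0       { "no HTTP response (TLS, DNS or proxy failure): $netErr" }
        407     { 'proxy demands authentication (not supported by Password Sync)' }
        default { "reachable (HTTP $code)" }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; NotificationPackages = $packages -join ', '
        DllRegistered = $registered; DllLoadedInLsass = $loaded; Service = $svcState
        WinHttpProxy = $proxy; GoogleApis = $google
    }
}

Test-PasswordSyncHost | Format-List
```

Any entry in NotificationPackages that you don't recognize deserves a look, because each one runs inside lsass.exe.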

Common Password Sync issues

If you continue to experience issues, check these solutions.

Verify that the sync worked correctly

You can use the security investigation tool:

  1. In your Google Admin console, run a search for Admin log events.

    For details, go to Admin log events.

  2. Add a filter to search for Password Change events.
  3. Run the search and examine the results. Note that the name of the actor attached to the event depends on how you set up Password Sync. If you used the following:
    • UI interface—The actor displays as the administrator's email address that you entered.
    • Command line—The actor displays as the email address passed in the --admin_email parameter.

Password Sync is working only for some users

If some users' passwords aren't synchronized, make sure:

  • You have installed Password Sync successfully on all of your domain's Microsoft Active Directory servers (domain controllers). On Microsoft Windows Server 2008 and above, you need to install Password Sync only on writable domain controllers. If you're not sure, install Password Sync on all of your domain controllers. Doing so won't cause any issues.
  • The administrator privileges for the user whose update was unsuccessful don't exceed those of the administrator email address entered in the Password Sync configuration. User accounts with fewer privileges can't change passwords on accounts with more privileges. For example, an account with delegated administrator privileges can't update passwords for accounts with super administrator privileges.
  • Your users have email addresses in the attribute you specified under Mail Attribute during configuration. These addresses must match their Google primary email addresses exactly (including the domain part of the address).
  • The password meets the username and group name guidelines. If a password doesn't sync because it contains unsupported characters, Password Sync logs a warning to the Windows Application event log. For example:

    Log Name: Application
    Source: GoogleAppsPasswordSync
    Event ID: 40963
    Level: Warning
    Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on the Google Account, and will be out of sync with Active Directory.
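
To find every account affected by this warning, you can query the Application log on each domain controller for Event ID 40963. The following is an added example, not part of the original page; the function name Get-PasswordSyncRejectedUser is hypothetical, and it assumes the event source is registered as a provider and that the message follows the sample text above.

```powershell
# Added example (not Google's code): list users whose new password was rejected
# for unsupported characters, so their Google password is now out of sync with AD.
function Get-PasswordSyncRejectedUser {
    param(
        # Pass every domain controller reported by `nltest /dclist:your-ad-domain`.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'GoogleAppsPasswordSync'   # Source shown in the sample event
        Id           = 40963
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $ComputerName) {
        try {
            # -ErrorAction Stop so an unreachable DC is reported, not silently skipped.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Also reached when no events match on this DC.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Assumed message format: "...password for user USERNAME was made."
            $user = if ($e.Message -match 'password for user (.+?) was made') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{ DomainController = $dc; TimeCreated = $e.TimeCreated; User = $user }
        }
    }
}

# One row per user, with the count and the most recent rejected change.
Get-PasswordSyncRejectedUser |
    Group-Object User |
    Select-Object Name, Count, @{ n = 'Latest'; e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum } }
```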

Active Directory admin isn’t authorized to install Password Sync

To install Password Sync, you must be a member of the Domain Admins group in Active Directory. Being a member of the Administrators group does not provide sufficient authorization.

You must sign in to Windows as a domain administrator in the same domain as the domain controller you’re setting up. If you sign in as a domain administrator from a different domain (such as an Enterprise Admin from another domain, or an administrator from a trusted domain) you won't be authorized to install or configure Password Sync.

Password Sync installer was unsuccessful

Check that your setup:

  • Is running the installer locally (not over a network)
  • Has the right version of Password Sync for your server's architecture (32-bit or 64-bit)

Unable to grant access to Password Sync

Make sure you have granted app access control to Google Workspace services. For details, go to Control which third-party & internal apps access Google Workspace data.

Configure proxy settings for Password Sync

Password Sync supports proxy connections if you set up system-wide proxy settings on all of your domain controllers:

  1. Make sure that the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com/ in Internet Explorer, the Chromium-based version of Edge, or the Chrome browser.

    If you're redirected to a google.com page or a page saying "Not Found," your proxy settings are probably correct. If there’s an authentication prompt or certificate error, your proxy settings might not be correct.

  2. To import the proxy configuration, enter the following command:

    netsh winhttp import proxy ie

  3. (Optional) If you aren't using a proxy server, but are still encountering proxy-related issues, enter the following command:

    bitsadmin /util /setieproxy networkservice no_proxy

    This command sets Windows to ignore any autodiscovered proxy configuration that might be present in the system.

Note:

  • Password Sync supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the URLs and ports specified in Set up your domain controllers.
  • Although Password Sync supports proxy connections, you might need to turn on a direct connection to make sure the proxy server doesn't cause issues. Since a proxy configuration depends on your local setup, Google Workspace Support cannot assist you with configuration issues. If you encounter any proxy issues, contact your network administrator.

Network error connecting to Google

This error indicates Password Sync couldn't verify your authorization. Check your proxy settings and make sure your network allows connections to the URLs required by Password Sync.

Existing servers display authorization errors after installing new servers

When you are using 3-legged OAuth to authenticate your Google domain, there’s a token limit per user account per client. If the limit is reached, creating a token automatically invalidates the oldest token without warning. For details, go to Refresh token expiration.

To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, go to Choose your authentication method.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
