If you're experiencing issues with configuring G Suite Password Sync (GSPS), see below for solutions to common issues with GSPS.
Before you begin
Before you begin troubleshooting, make sure that:
- You meet all the system requirements and your domain controllers are set up correctly. Learn more
- You have completed all of the set up steps. Learn more
If you continue to experience issues, check below for solutions to common GSPS issues.
Common GSPS issuesGSPS is synchronizing passwords for some, but not all, of my users
If some users' passwords aren't synchronized, make sure that:
- You have installed GSPS successfully on all of your domain's Microsoft® Active Directory® servers (domain controllers). On Microsoft Windows Server® 2008 and above, you only need to install GSPS on writable domain controllers. If you're not sure, install GSPS on all of your domain controllers. Doing so won't cause any issues.
- The account privileges for the user whose update failed don't exceed those of your admin account. User accounts with fewer privileges can't change passwords on accounts with more privileges. For example, an account with admin privileges can't update passwords for accounts with super-admin privileges.
- Your users have email addresses in the attribute you specified under Mail Attribute during configuration. These addresses must match their Google primary email addresses exactly (including the domain part of the address).
- The password meets the username and group name guidelines. If a password fails to sync because it contains unsupported characters, GSPS logs a warning to the Windows Application event log. For example:
Log Name: Application
Source: G Suite Password Sync
Event ID: 40963
Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on G Suite, and will be out of sync with Active Directory.
In order to install GSPS, you must be a member of the Domain Admins group. Being a member of the Administrators group does not provide sufficient authorization.
You must sign in to Windows as a domain admin in the same domain as the domain controller you are setting up. If you sign in as a domain admin from a different domain (such as an Enterprise Admin from another domain, or an admin from from a trusted domain) you won't be authorized to install or configure GSPS.
Check that your setup:
- Is running the installer locally (not over a network)
- Has the right version of GSPS for your server's architecture (32 or 64-bit)
Make sure you have enabled API access in the Google Admin console.
GSPS supports proxy connections if you set up system-wide proxy settings on all of your domain controllers. To do this:
- Make sure the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com/ in Internet Explorer®.
If you're redirected to a google.com page or see a page saying "Not Found," your proxy settings are probably correct. If you see an authentication prompt or certificate error, your proxy settings might not be correct.
- Execute the following command:
netsh winhttp import proxy ie.
- (Optional) If you aren't using a proxy server, but are still encountering proxy-related issues, run the command
bitsadmin /util /setieproxy networkservice no_proxyin the command prompt. This command sets Windows to ignore any auto-discovered proxy configuration that might be present in the system.
- GSPS supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the connections specified in Set up your domain controllers.
- Although GSPS supports proxy connections, you might need to enable a direct connection to make sure issues aren't caused by the proxy server. Because a proxy configuration depends on your local setup, Google Cloud Support can't assist you with configuration issues. Contact your network administrator if you encounter any proxy issues.
This error indicates that GSPS couldn't verify your authorization. Check your proxy settings and make sure that your network allows connections to the URLs required by GSPS.
There is currently a token limit per user account per client when using 3-legged OAuth to authenticate your Google domain. If the limit is reached, creating a new token automatically invalidates the oldest token without warning.
To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, go to Choose your Google authentication method.
You can use the GSPS support tool to gather GSPS logs and troubleshooting information from all domain controllers. It connects to the writeable domain controllers in your domain and gathers the information listed in the troubleshooting checklist below (except for network connectivity tests).
Open a Command Prompt (CMD)
- In the Start menu, click Windows SystemCommand Prompt.
- (Optional) Depending on your system, you might need to right-click Command Prompt and click MoreRun as administrator.
First, complete these steps
- Make sure that you're a member of the Domain Admins group.
- List your domain controllers. To do so, run the command
nltest /dclist:youraddomain.com, replacing youraddomain.com with the name of your Active Directory domain.
Complete these steps on each domain controller
- Make sure the correct version of GSPS (32 or 64-bit) is installed on the server.
- Restart the server after installing GSPS.
- Check that you can access https://www.googleapis.com/ using Internet Explorer. It's OK if this page shows a Google error or displays "Not Found." Make sure the page doesn't show a certificate error or any requests for proxy authentication. Authenticated proxy servers are not supported.
- Copy your current user's proxy settings to the system-wide proxy settings by specifying the following command:
netsh winhttp import proxy ie
- If you aren't using a proxy server, but are encountering proxy-related issues, run the command:
bitsadmin /util /setieproxy networkservice no_proxy
- Check that the GSPS DLL is registered on the machine by running the command:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"
The output should include the text password_sync_dll. If it doesn't, reinstall GSPS.
- Verify that the GSPS DLL is loaded by running the command:
tasklist /m password_sync_dll.dll
The process "lsass.exe" should be listed in the results. If it isn't listed, the DLL isn't loaded. Verify the DLL is registered and the edition (32 or 64-bit) matches the system. Then, restart the machine so the DLL loads.
- Check that the GSPS service has started by running the command:
sc query "G Suite Password Sync"(or
sc query "Google Apps Password Sync", if you are using version 1.6 or earlier).
If the output says:
- STATE: RUNNING–The service is running.
- STATE: STOPPED–The service isn't running.
Run the command:
sc start "G Suite Password Sync"(or
sc start "Google Apps Password Sync", if you are using version 1.6 or earlier).
- The specified service does not exist as an installed service–The service isn't installed.
Complete the steps in Set up G Suite Password Sync. The summary screen of the configuration tool should now confirm that the service is running.
- Make sure your network and proxy settings are set up correctly. Learn more
You can use the GSPS support tool to gather GSPS logs and troubleshooting information from all of your domain controllers.
To manually find these logs, use the following information:
|Type of file||Location of file||What to do with the file|
|Configuration file||C:\ProgramData\Google\Google Apps
|Review this file to inspect your settings.|
Google Apps Password Sync\
Review these files if GSPS was configured successfully but all or some of your users' passwords are not being synced.
To see an example of a GSMMO trace log, which is similar to a GSPS log file, go to this page.
|Service authorization logs||C:\Windows\ServiceProfiles\NetworkService\
Review these files if you see "Authentication failed" errors with
|Configuration interface logs||
Review these files if you encounter issues during the configuration.
To see an example of a GSMMO trace log, which is similar to a GSPS log file, go to this page.
|Configuration interface authorization logs||C:\Users\your-user-name\AppData\Local\ Google\Identity||Review these files if you encounter issues during the Google authorization part of the configuration.|
AppData\Local\ Google\Google Apps Password Sync\Tracing\lsass
|Review these files if the service logs show no indication of password change attempts (no success and no failure reports).|
|Command line installer logs||C:\Users\your-user-name\AppData\Local\ Google\Google Apps Password Sync\ Tracing\MsiExec||Review the installer logs and the msi_log.txt file (or the filename supplied to parameter /l*vx), if you encounter issues during a command line installation of GSPS.|
|Crash reports logs||
If the GSPS UI configuration tool crashes, the logs can be found here:
If the GSPS service crashes, the logs can be found here:
|If the administrator has changed the default temporary directory, go to How to identify your temporary directory for instructions on getting this information.|
If the GSPS configuration wizard crashes:
- Open a Command Prompt (CMD)
If the GSPS service crashes:
- Download the PsExec file from Microsoft: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.
- Open a Command Prompt (CMD).
- Go to the directory where the PsExec file was downloaded.
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
- A new command window will open. Sepcify the command:
It should display a message like "nt authority\system".