Troubleshoot Password Sync

If you're experiencing issues with setting up Password Sync, review these solutions to common issues.

Before you begin

Make sure:

  • You meet all the system requirements and your domain controllers are set up correctly. Learn more
  • You’ve completed every setup step. Learn more

Option 1: Automatic troubleshooting

Download and run the Password Sync Support Tool (an open-source tool by Google) to gather Password Sync logs and troubleshooting information from all domain controllers. It connects to all writeable domain controllers in your domain and gathers the information listed in the manual troubleshooting step below (except for network connectivity tests).

Once you run the Password Sync Support Tool, you’ll get a ZIP file containing your logging information. Submit your trace logs to the Google Admin Toolbox Log Analyzer. Most issues can be identified within a few moments of submission.

Google Workspace Support does not offer support for the Password Sync Support Tool.

Option 2: Manual troubleshooting

If the automatic troubleshooting step doesn't resolve your problem, or if you couldn't run the Password Sync Support Tool, you can collect the troubleshooting information manually. Note that some steps in this list require running console commands.

Open a Command Prompt (CMD) window

  1. In the Start menu, click Windows Systemand thenCommand Prompt.
  2. (Optional) Depending on your system, you might need to right-click Command Prompt and click Moreand thenRun as administrator.

First, complete these steps

  • Make sure you're a member of the Domain Admins group.
  • List your domain controllers. To do so, run the command nltest /dclist:your-ad-domain.com, replacing your-ad-domain.com with the name of your Active Directory domain.

Complete these steps on each domain controller

  1. Make sure the correct version of Password Sync (32-bit or 64-bit) is installed on the server.
  2. Restart the server after installing Password Sync.
  3. Check you can access https://www.googleapis.com/ using Microsoft Internet Explorer, the Chromium-based version of Microsoft Edge, or the Google Chrome browser. It's OK if this page shows a Google error or displays "Not Found." Make sure the page doesn't show a certificate error or any requests for proxy authentication. Authenticated proxy servers are not supported.
  4. Copy your current user's proxy settings to the system-wide proxy settings by running the command: netsh winhttp import proxy ie
  5. If you aren't using a proxy server, but are encountering proxy-related issues, run the command: bitsadmin /util /setieproxy networkservice no_proxy
  6. Check the Password Sync DLL is registered on the machine by running the command: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"

    The output should include the text password_sync_dll. If it doesn't, reinstall Password Sync.

  7. Verify the Password Sync DLL is loaded by running the command: tasklist /m password_sync_dll.dll

    The process "lsass.exe" should be listed in the results. If it isn't listed, the DLL isn't loaded. Verify the DLL is registered and the edition (32-bit or 64-bit) matches the system. Then, restart the machine so the DLL loads.

  8. Check the Password Sync service has started by running the command: sc query "Password Sync". (Replace "Password Sync" with "G Suite Password Sync" if using versions 1.6.13 to 1.7.6, or "Google Apps Password Sync" if using version 1.6 or earlier.)

    If the query output says:

    • STATE: RUNNING—The service is running.
    • STATE: STOPPED—The service isn't running.

      Run the command: sc start "Password Sync". (Replace "Password Sync" with "G Suite Password Sync" if using versions 1.6.13 to 1.7.6, or "Google Apps Password Sync" if using version 1.6 or earlier.)

    • The specified service does not exist as an installed service—The service isn't installed.

      Complete the steps in Set up Password Sync. The summary screen of the configuration tool should now confirm the service is running.

  9. Make sure your network and proxy settings are set up correctly. Learn more

Common Password Sync issues

If you continue to experience issues, check below for solutions to common Password Sync issues.

Open all   |   Close all

Password Sync is synchronizing passwords for some, but not all, of my users

If some users' passwords aren't synchronized, make sure:

  • You have installed Password Sync successfully on all of your domain's Microsoft Active Directory servers (domain controllers). On Microsoft Windows Server 2008 and above, you only need to install Password Sync on writable domain controllers. If you're not sure, install Password Sync on all of your domain controllers. Doing so won't cause any issues.
  • The administrator privileges for the user whose update was unsuccessful doesn't exceed those of the administrator email address entered in the Password Sync configuration. User accounts with fewer privileges can't change passwords on accounts with more privileges. For example, an account with delegated administrator privileges can't update passwords for accounts with super administrator privileges.
  • Your users have email addresses in the attribute you specified under Mail Attribute during configuration. These addresses must match their Google primary email addresses exactly (including the domain part of the address).
  • The password meets the username and group name guidelines. If a password doesn't sync because it contains unsupported characters, Password Sync logs a warning to the Windows Application event log. For example:

    Log Name: Application
    Source: GoogleAppsPasswordSync
    Event ID: 40963
    Level: Warning
    Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on the Google Account, and will be out of sync with Active Directory.

I'm an Active Directory administrator, but I'm not authorized to install or set up Password Sync

To install Password Sync, you must be a member of the Domain Admins group in Active Directory. Being a member of the Administrators group does not provide sufficient authorization.

You must sign in to Windows as a domain administrator in the same domain as the domain controller you’re setting up. If you sign in as a domain administrator from a different domain (such as an Enterprise Admin from another domain, or an administrator from a trusted domain) you won't be authorized to install or configure Password Sync.

The Password Sync installer was unsuccessful

Check that your setup:

  • Is running the installer locally (not over a network)
  • Has the right version of Password Sync for your server's architecture (32-bit or 64-bit)
I'm unable to grant access to Password Sync

Make sure you have granted app access control to Google Workspace services. Learn more

I need help with configuring proxy settings for Password Sync

Password Sync supports proxy connections if you set up system-wide proxy settings on all of your domain controllers:

  1. Make sure the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com/ in Internet Explorer, the Chromium-based version of Edge, or the Chrome browser.

    If you're redirected to a google.com page or a page saying "Not Found," your proxy settings are probably correct. If there’s an authentication prompt or certificate error, your proxy settings might not be correct.

  2. Execute the following command in the command prompt: netsh winhttp import proxy ie.
  3. (Optional) If you aren't using a proxy server, but are still encountering proxy-related issues, run the command bitsadmin /util /setieproxy networkservice no_proxy in the command prompt. This command sets Windows to ignore any autodiscovered proxy configuration that might be present in the system.

Note:

  • Password Sync supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the URLs and ports specified in Set up your domain controllers.
  • Although Password Sync supports proxy connections, you might need to turn on a direct connection to make sure the proxy server doesn't cause issues. Since a proxy configuration depends on your local setup, Google Workspace Support cannot assist you with configuration issues. Contact your network administrator if you encounter any proxy issues.
I get a "Network error connecting to Google" error when attempting to authorize

This error indicates Password Sync couldn't verify your authorization. Check your proxy settings and make sure your network allows connections to the URLs required by Password Sync.

After installing new Password Sync servers, my existing servers display authorization errors

There’s currently a token limit per user account per client when using 3-legged OAuth to authenticate your Google domain. If the limit is reached, creating a token automatically invalidates the oldest token without warning. Learn more

To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, go to Choose your Google authentication method.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false