Clear search
Close search
Google apps
Main menu

    Troubleshooting GSPS

    If you're experiencing issues with configuring G Suite Password Sync (GSPS), first make sure you have completed each of the steps in the GSPS configuration guide correctly. Then see below for common issues with GSPS.

    GSPS is synchronizing passwords for some, but not all, of my users
    • Make sure you have installed GSPS successfully on all of your domain's Active Directory servers (domain controllers).
      On Microsoft® Windows 2008 and above, you only need to install GSPS on writable domain controllers. If you're not sure, install GSPS on all of your DCs; doing so won't cause any issues.
    • Make sure the account privileges for the user whose update failed do not exceed those of your admin account. User accounts with fewer privileges can't change passwords on accounts with more privileges. For example, an account with admin privileges can't update passwords for accounts with super-admin privileges.
    • Make sure that your users have email addresses in the attribute you entered under Mail Attribute during configuration, and that these addresses match their G Suite primary email addresses exactly (including the domain part of the address).
    • Make sure that no password contains unsupported characters (non US-ASCII characters). If a password failed to sync because it contains unsupported characters, GSPS logs a warning to the Windows "Application" event log in addition to the GSPS DLL log:

      Log Name: Application
      Source: G Suite Password Sync
      Event ID: 40963
      Level: Warning
      Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on G Suite, and will be out of sync with Active Directory.

    I'm an Active Directory administrator, but I am not authorized to install or configure GSPS
    • In order to install GSPS, you must be a member of the Domain Admins group. Being a member of the Administrators group does not provide sufficient authorization.
    • You must sign in to Windows as a domain Admin in the same domain as the domain controller you are setting up. If you log in as a domain Admin from a different domain (such as an Enterprise Admin from another domain, or an admin from from a trusted domain) you won't be authorized to install or configure GSPS.
    The GSPS installer fails

    Make sure you:

    • Are running the installer locally (not over the network).
    • Have the right version of GSPS for your server's architecture (32 or 64-bit).
    G Suite won't let me grant access to GSPS

    Make sure you have enabled API access in G Suite.

    I need help configuring proxy settings for GSPS

    GSPS supports proxy connections if you set up system-wide proxy settings on all of your domain controllers. To do this:

    1. Make sure the current user's proxy settings are set up correctly by navigating to in Internet Explorer®.
      1. If you are redirected to or see a page saying "Not Found" your proxy settings are probably correct. Make sure you disable Friendly Error Messages to ensure you see the actual web page.
      2. If you see an authentication prompt or certificate error, your proxy settings may not be correct.
    2. Execute the following command:
      netsh winhttp import proxy ie
    3. If you are not using a proxy server, but are still encountering proxy-related issues, run the command bitsadmin /util /setieproxy networkservice no_proxy in the command prompt. This command will set Windows to ignore any auto-discovered proxy configuration that may be present in the system.

    Note: GSPS supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the connections specified here

    Although GSPS supports proxy connections, you may need to enable a direct connection if you encounter any issues, to make sure they aren't caused by the proxy server. Because proxy configuration depends on your local setup, Google Cloud Support can't assist you with configuration issues. Contact your network administrator if you encounter any proxy issues.

    I get a "Network error connecting to Google" error when attempting to authorize

    This error indicates that GSPS could not verify your authorization and can occur for a variety of reasons. Check your proxy settings and ensure that your network allows connections to the URLs required by GSPS.

    After installing new GSPS servers, my existing servers fail with authorization errors

    There is currently a 25-token limit per user account per client when using 3-legged OAuth to authenticate your G Suite domain. If the limit is reached, creating a new token automatically invalidates the oldest token without warning.

    To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, see Choose your G Suite Authentication method.

    Automatic troubleshooting

    You can use the GSPS support tool to gather GSPS logs and troubleshooting information from all of your domain controllers at once. It connects to all of the writeable domain controllers in your domain and gathers all of the information listed in the troubleshooting checklist below from each of them (except for network connectivity tests).

    Manual troubleshooting checklist
    Some of the steps in this list require running console commands. To do so, open a command prompt (CMD) window by clicking on the Start button and navigating to All Programs > Accessories > Command Prompt.

    Depending on your system, you may need to right-click Command Prompt and choose Run as administrator so that the command prompt will have the correct privileges.
    • Check if you are a member of the Domain Admins group.
    • List your domain controllers:
      Run the command nltest /, replacing with the name of your Active Directory domain.
    • Verify the following steps on each of them:
      1. You have installed GSPS on the server.
      2. You restarted the server after installing GSPS.
      3. You installed the correct edition of GSPS (32 or 64-bit).
      4. You can access using Internet Explorer on the machine (it's OK if this page shows a Google error or displays "Not Found"). Make sure the page doesn't show a certificate error, and doesn't present any requests for proxy authentication, as authenticated proxy servers are not supported. Disable Friendly Error Messages to ensure you see the actual web page.
      5. Copy your current user's proxy settings to the system-wide proxy settings by entering the following command: netsh winhttp import proxy ie.
      6. If you are not using a proxy server, but are still encountering proxy-related issues, run the command bitsadmin /util /setieproxy networkservice no_proxy.
      7. Make sure that the GSPS DLL is registered on the machine by running the command reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages". The output should include the text password_sync_dll. If it does not, you'll need to reinstall GSPS.
      8. Make sure that the GSPS DLL is loaded by running the command tasklist /m password_sync_dll.dll. The process "lsass.exe" should be listed in the results.

        If it isn't, the DLL isn't loaded. Verify that the DLL is registered and that the edition (32 or 64-bit) matches the system. If they do, restart the machine so the DLL loads.

      9. Make sure that the GSPS service is started by running the command sc query "G Suite Password Sync" (or sc query "Google Apps Password Sync", if you are using version 1.6 or earlier).

        If it prints:

        • STATE: RUNNING: The service is running.
        • STATE: STOPPED: The service isn't running. Try running the command sc start "G Suite Password Sync" (or sc start "Google Apps Password Sync", if you are using version 1.6 or earlier) to start it. If it doesn't start, review the prerequisites again.

        • The specified service does not exist as an installed service: The service isn't installed on the system. Reinstall GSPS.
      10. Make sure your network and proxy settings are set up correctly, as described above.
    Where are the logs and configuration files located?

    You can use the GSPS support tool to gather GSPS logs and troubleshooting information from all of your domain controllers at once. If you need to manually find these logs, use the following information to locate the files:

    Type of file Location of file What to do with the file
    Configuration file C:\ProgramData\Google\Google Apps 
    Password Sync\config.xml
    Review this file to inspect your settings.
    Service logs C:\Windows\ServiceProfiles\NetworkService\
    AppData\Local\Google\Google Apps 
    Password Sync\Tracing\password_sync_service
    Review these files if GSPS was configured successfully but all or some of your users' passwords are not being synced.
    Service authorization logs C:\Windows\ServiceProfiles\NetworkService\

    Review these files if you see "Authentication failed" errors with 
    error codes 0x6, 0x203, 0x4, or 0x102 in the GSPS service logs.

    ​Configuration interface logs C:\Users\username\AppData\Local\Google\
    Google Apps Password Sync\Tracing\GoogleAppsPasswordSync 

    or C:\Users\username\AppData\Local\Google\ Google Apps Password Sync\Tracing\GoogleAppsPasswordSync, if you're using version 1.6 or earlier

    Review these files if you encounter issues during the configuration
    Configuration interface authorization logs C:\Users\username\AppData\Local\Google\Identity Review these files if you encounter issues during the Google authorization part of the configuration.
    DLL logs C:\WINDOWS\system32\config\systemprofile\
    AppData\Local\ Google\Google Apps Password Sync\Tracing\lsass
    Review these files if the service logs show no indication of password change attempts (no success and no failure reports).
    Command line installer logs C:\Users\username\AppData\Local\Google\
    Google Apps  Password Sync\Tracing\MsiExec 
    Review the installer logs and the msi_log.txt file (or the filename supplied to parameter /l*vx),  if you encounter issues during a command line installation of GSPS.
    Crash reports logs

    If the GSPS UI configuration tool crashes, the logs can be found:


    If the GSPS service crashes, the logs can be found:


    If the administrator has changed the default temporary directory, see How to identify your temporary directory for instructions on obtaining that information. 


    How to identify your temporary directory

    If the GSPS configuration wizard crashes:

    1. Open a command line tool (cmd.exe)
    2. Type: echo %TEMP%

    If the GSPS service crashes:

    1. Download the PsExec file from
    2. Open a command line tool (cmd.exe).
    3. Go to the directory where the PsExec file was downloaded.
    4. Enter psexec.exe -i -s %SystemRoot%\system32\cmd.exe
    5. A new command window will open. Type in the command: whoami. It should display a message like "nt authority\system".
    6. Enter echo %TEMP%


    Was this article helpful?
    How can we improve it?
    Sign in to your account

    Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.