How does G Suite Password Sync work?

G Suite Password Sync (GSPS) can be used to update your users' Google Workspace and Cloud Identity passwords directly from Microsoft Active Directory.

G Suite Password Sync (GSPS) is available to Google Workspace and Cloud Identity administrators.

How it works

After GSPS is installed and configured, it sends updated passwords to your Google Account each time an Active Directory user changes their password.

  1. When a user's password is changed, the update request is sent to a domain controller (DC).
  2. The GSPS Dynamic Link Library (DLL) is called by Microsoft Windows on that DC with the new password and username.
  3. The service receives the hashed password and the username from the DLL.
  4. The service gets the email address for the user from Active Directory using LDAP.
  5. The service updates your Google Account using the Directory API.
  6. The user can then sign in to their Google Account using their Active Directory password.

Technical details

  • In Active Directory, passwords are stored as write-only. They can't be read through any interface, such as LDAP. Therefore, conventional synchronization methods (for example, Google Cloud Directory Sync) can't access them. The only way to read passwords is to capture them when they’re set or changed.
  • GSPS has a DLL named "password_sync_dll.dll" installed as an LSA Notification Package. For more information on LSA Notification Packages, consult your Microsoft documentation.
  • When a password change occurs on a specific DC, the DLL on that DC receives the updated password and the user's username. Because Windows triggers the sync on whichever DC processes the password change, GSPS must be installed on every writable DC. The trigger fires on every password update, whether it is made by an administrator or by the end user. For more information about the PasswordChangeNotify callback function, consult your Microsoft documentation.
  • When the DLL receives the username and password, it hashes the password as salted SHA512, and sends it to the GSPS service.
  • The GSPS service ("password_sync_service.exe") then finds the user's email address in Active Directory using LDAP based on the username sent by the DLL. It then updates the Google Account using the Directory API. When passwords are changed through the Directory API, some application OAuth tokens are revoked. Users might be required to sign in again to applications with their username and password.
  • GSPS follows Microsoft's password filter programming considerations. For details, consult your Microsoft documentation.
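Because the LSA Notification Packages value decides which DLLs receive every password change in clear text, and because GSPS only syncs changes processed on DCs where it is installed, the two things an administrator wants to verify are that password_sync_dll.dll is registered on every writable DC and that nothing else unexpected is. The following audit script is an added example, not part of Google's documentation or the GSPS installer; it assumes the ActiveDirectory module, WinRM access to each DC, and that the default package list on a DC is rassfm and scecli (adjust $Expected for your environment).

```powershell
# Audit the LSA "Notification Packages" value on every writable domain controller.
# Assumption: a stock DC registers only rassfm and scecli; GSPS adds password_sync_dll.
Import-Module ActiveDirectory

$Expected = @('rassfm', 'scecli', 'password_sync_dll')

# GSPS is only needed (and only effective) on writable DCs, so skip RODCs.
$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$results = Invoke-Command -ComputerName $writableDCs.HostName -ScriptBlock {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ comes back as a string array; drop empty trailing entries.
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages') |
        Where-Object { $_ -ne '' }

    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Packages  = $packages
        DllExists = Test-Path (Join-Path $env:SystemRoot 'System32\password_sync_dll.dll')
    }
}

foreach ($r in $results) {
    $missing    = @($Expected   | Where-Object { $_ -notin $r.Packages })
    $unexpected = @($r.Packages | Where-Object { $_ -notin $Expected })

    $status = 'OK'
    if ($unexpected.Count -gt 0) { $status = 'REVIEW: unknown package(s) registered' }
    elseif ($missing -contains 'password_sync_dll' -or -not $r.DllExists) {
        # Password changes handled by this DC will not reach Google Workspace.
        $status = 'GAP: GSPS not active on this writable DC'
    }
    elseif ($missing.Count -gt 0) { $status = 'REVIEW: default package missing' }

    [pscustomobject]@{
        DC         = $r.DC
        Status     = $status
        Registered = ($r.Packages -join ', ')
        DllOnDisk  = $r.DllExists
        Unexpected = ($unexpected -join ', ')
    }
} | Format-Table -AutoSize
```

Any DC reported as GAP is a DC on which user password changes silently fail to sync; any DC reported with an unknown package deserves a look at where that DLL came from, since it is receiving the same clear-text password callbacks GSPS relies on.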

