How does the GSPS tool sync passwords?
The G Suite Password Sync (GSPS) tool can be used to update G Suite passwords directly from Microsoft® Active Directory®.
How it works
After GSPS is installed and configured, it sends updated passwords to G Suite each time an Active Directory user changes their password.
- When a user's password is changed, the update request is sent to a domain controller (DC).
- The GSPS Dynamic Link Library (DLL) is called by Windows® on that DC with the new password and username.
- The service receives the hashed password and the username from the DLL.
- The service gets the email address for the user from Active Directory using LDAP.
- The service updates G Suite using the Directory API.
- The user can then sign in to G Suite using their Active Directory password.
- In Active Directory, passwords are write-only: once set, they can't be read back through LDAP or any other supported interface. Conventional synchronization methods (for example, Google Cloud Directory Sync) therefore can't access them. The only way to obtain a password is to capture it at the moment it is set or changed.
- GSPS has a DLL named "password_sync_dll.dll" that's installed as an LSA Notification Package. Learn more about LSA Notification Packages on the Microsoft website.
- When a password change occurs on a specific DC, the DLL receives the new password and the username of the user. GSPS needs to be installed on every writable DC, because synchronization is triggered by Windows only on the DC that processes the change; a change handled by a DC without GSPS is accepted by Active Directory but never reaches G Suite. The trigger fires on every password update, whether it's made by an administrator or by the end user. Learn more about the PasswordChangeNotify callback function on the Microsoft website.
- When the DLL receives the username and password, it hashes the password as a salted SHA-512 and sends only the hash to the GSPS service; the plaintext password is not sent to the service.
- The GSPS service ("password_sync_service.exe") then looks up the user's email address in Active Directory over LDAP, using the username sent by the DLL, and updates G Suite through the Directory API. Because the password is changed through the Directory API, some application OAuth tokens are revoked, and users may have to sign in again to those applications with their username and password.
- GSPS complies with Microsoft's password filter programming considerations. For details, see the Microsoft website.
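As an added illustration of the service-side steps above (example code written for this page, not GSPS's own implementation), the block below hashes a captured password, builds the LDAP lookup for the username, and assembles the Directory API request body. Two points are assumptions rather than facts stated on the page: that GSPS's "salted SHA512" is the crypt(3) SHA-512 format ($6$...), which the Directory API users.update method accepts with hashFunction set to "crypt", and that the service matches the username against the sAMAccountName attribute. The SHA-512-crypt routine follows Ulrich Drepper's published specification, and the test vector from that specification is the check that it does; the LDAP bind and the HTTPS call to the Directory API are left out so the example runs offline.

```python
"""Service-side steps of an AD-to-Google password sync, modelled on the
GSPS flow described above. Added illustration, not GSPS's own code.

Assumptions (not stated on the page): the "salted SHA512" the DLL produces
is a crypt(3)-style SHA-512 hash ("$6$..."), one of the formats the
Directory API users.update method accepts with hashFunction="crypt", and
the service looks the user up by sAMAccountName to read the mail attribute.
The SHA-512-crypt steps follow Ulrich Drepper's published specification.
"""
import hashlib
import json
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order of the final encoding, from the specification: (b2, b1, b0) triples.
TRANSPOSE = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt's base64: n 6-bit groups of a 24-bit word, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest and cut it to `length` bytes (the spec's P and S)."""
    return (block * (length // 64 + 1))[:length]


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """crypt(3) SHA-512 ($6$) hash of `password` under `salt`."""
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError("rounds outside the range the specification allows")
    salt = salt[:16]  # the specification truncates salts to 16 bytes
    sha = hashlib.sha512
    # Digest B = H(password || salt || password)
    b = sha(password + salt + password).digest()
    # Digest A = H(password || salt || B stretched to len(password) || bit mix)
    a = sha(password + salt)
    a.update(_repeat_to(b, len(password)))
    n = len(password)
    while n > 0:  # one step per bit of the password length
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    # P and S: password- and salt-derived byte strings used in every round
    p = _repeat_to(sha(password * len(password)).digest(), len(password))
    s = _repeat_to(sha(salt * (16 + a[0])).digest(), len(salt))
    # The work factor: `rounds` chained digests mixing A, P and S
    for i in range(rounds):
        c = sha(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    enc = "".join(_b64_24bit(a[x], a[y], a[z], 4) for x, y, z in TRANSPOSE)
    enc += _b64_24bit(0, 0, a[63], 2)
    # crypt(3) omits the rounds= field when the default is used
    rounds_field = "" if rounds == 5000 else f"rounds={rounds}$"
    return "$6$" + rounds_field + salt.decode("ascii") + "$" + enc


def new_salt() -> bytes:
    """16 random characters from crypt's alphabet, a fresh salt per password change."""
    return "".join(secrets.choice(B64) for _ in range(16)).encode("ascii")


def ldap_filter_for_sam(sam_account_name: str) -> str:
    """RFC 4515 filter for the username the DLL passed in; escaping stops a
    crafted account name from changing the meaning of the query."""
    escaped = sam_account_name
    for ch, repl in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        escaped = escaped.replace(ch, repl)
    return f"(&(objectClass=user)(sAMAccountName={escaped}))"


def directory_api_update_body(crypt_hash: str) -> str:
    """JSON body for users.update: the hash travels, the plaintext never does."""
    return json.dumps({"password": crypt_hash, "hashFunction": "crypt"})


if __name__ == "__main__":
    # Constructed sample change, as the DLL would hand it to the service
    sam, new_password = "jdoe", b"Correct-Horse-Battery"
    h = sha512_crypt(new_password, new_salt())
    print(ldap_filter_for_sam(sam))
    print(directory_api_update_body(h))
```

Running the block prints the LDAP filter and the JSON body that would be sent for the user; the body carries only the $6$ hash, and the 5000 default rounds are what make offline guessing against an intercepted hash costly. The filter escaping matters because the username arrives from the DLL unvalidated, and a sAMAccountName containing `)` or `*` would otherwise rewrite the search.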