GSPS logs and error codes

Log errors that don't indicate any sync issues

Occasionally, you'll see lines in GSPS logs that seem like errors, but don't actually indicate any issue with the sync or with the setup.

Open all   |   Close all

Errors at the top of the logs mentioning Outlook

GSPS will look for Outlook even though it isn't necessary. It still works, even if Outlook isn't found. You may see lines such as these at the start of most log files:

2012-04-12T09:00:00.563+03:00 14cc E:Generic password_sync_service!GetOutlookExePath @ 24 ()> Failed with 0x80070002, last successful line = 17.
2012-04-12T09:00:00.578+03:00 14cc E:Generic password_sync_service!GetOutlookVersion @ 255 ()> Failed with 0x80070002, last successful line = 247.
2012-04-12T09:00:00.578+03:00 14cc E:Generic password_sync_service!GetOfficeRegistryBase @ 362 ()> Failed with 0x80070002, last successful line = 360.
2012-04-12T09:00:00.578+03:00 14cc E:Generic password_sync_service!ResourceStrings::GetOutlookLanguage @ 124 ()> Failed with 0x80070002, last successful line = 111.

This is caused by the logging component of GSPS which is trying to find the Outlook version to report it in the logs. Because GSPS doesn't require Outlook, you can safely ignore these errors.

WinHTTP warnings and errors in the service logs

Some errors and warnings that relate to WinHTTP (the Windows component that GSPS uses to connect to Google) are benign, for example:

2013-08-06T03:30:46.590-07:00  8d4 W:Network password_sync_service!LogPotentialProxyNetworkFailure @ 287 (user@domain.com)> WinHttpGetProxyForUrl auto-detect failed with 0x80072f94. 0/(null). IsNetworkActive is 1, flags 1, IsNetworkActive GetLastError 0x80004005
2013-08-06T03:30:47.371-07:00  8d4 A:PasswordSync password_sync_service!PasswordSyncTask::RetriveUser @ 210 (user@domain.com)> retrieved user......
2013-08-06T03:30:47.374-07:00  8d4 A:PasswordSync password_sync_service!PasswordSyncTask::RetriveUser @ 257 (user@domain.com)> Successfully retrieved user
2013-08-06T03:30:47.374-07:00  8d4 A:PasswordSync password_sync_service!AppsLogin::AppsLogin @ 32 (user@domain.com)> Created Apps login
2013-08-06T03:30:48.113-07:00  8d4 A:PasswordSync password_sync_service!PasswordSyncTask::UpdateUser @ 181 (user@domain.com)> Successfully updated password
2013-08-06T03:30:48.113-07:00  8d4 W:Network password_sync_service!WinHttp::WaitForAsyncEvent @ 2088 (user@domain.com)> Handle closed while waiting for CloseAllTrackedWinhttpHandles.
2013-08-06T03:30:48.113-07:00  8d4 E:Network password_sync_service!WinHttp::WaitForAsyncEvent @ 2089 (user@domain.com)> Failed with 0x80072ef3, last successful line = 2062.
2013-08-06T03:30:48.113-07:00  8d4 E:Network password_sync_service!WinHttp::CloseAllTrackedWinhttpHandles @ 1766 (user@domain.com)> Failed waiting for handle close, retry 0, hr = 80072ef3, 1 handles remaining

The errors and warnings, marked here in red, indicate that some actions didn't complete as GSPS expected. However, note that the logs report "Successfully updated password" (marked here in bold). This indicates that you can ignore the network-related errors and warnings because the password was actually synced correctly.

Failure to read some data from Active Directory in the service logs

You may see errors such as these in the logs:

2012-04-25T14:24:54.052+03:00  fd0 A:PasswordSync password_sync_service!PasswordSyncService::RunSyncService @ 309 ()> Updating password for "COMP$"

2012-04-25T14:24:54.130+03:00  93c E:PasswordSync password_sync_service!LDAPConnector::QueryForTargetEmail @ 86 ()> Failed with 0x80005010, last successful line = 83.

2012-04-25T14:24:54.130+03:00  93c E:PasswordSync password_sync_service!PasswordSyncTask::DoWork @ 77 ()> Error while retrieving target email for COMP$

Note that the entity whose password is being updated ends with a dollar sign ($). This indicates this is a computer account in Active Directory. Because computer accounts don't have email addresses, we see that GSPS failed to retrieve the email address and therefore didn't sync the password. This is expected because computer accounts' passwords are set automatically by Windows and don't need to be synced to your Google Account

Errors loading data in the configuration interface logs

GSPS config UI logs show errors about getting/saving the secret, even when it succeeded. When running the GSPS configuration interface for the first time, you may see these errors in the logs:

2012-04-22T02:00:57.613+01:00  820 E:Migration GoogleAppsPasswordSync!TryDecryptAndGetSecret @ 188 ()> Failed with 0x80070057, last successful line = 184.
2012-04-22T02:00:57.613+01:00  820 E:PasswordSync GoogleAppsPasswordSync!LDAPConfig::TryLoadUserPassword @ 131 ()> Failed with 0x80070057, last successful line = 125.

This is expected. Because you're running the configuration interface for the first time, no configuration exists. However, if you see this in service logs, it may indicate that you've enabled application compatibility for GSPS. Make sure it's disabled before trying to configure GSPS again.

Windows Application event log GSPS common event entries

If a password change is successful, GSPS will log a success event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41235
Level: Informational
Contents: The password change for Active Directory user 'username’ was synchronized to G Suite account 'username@domain.com' successfully.
Status = 0 (0x00000000)

If a password failed to sync because it doesn't meet the username and group name guidelines or password guidelines, GSPS logs a warning to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync
Event ID: 40963
Level: Warning
Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on G Suite, and will be out of sync with Active Directory.

If an API request returns GDSTATUS_FORBIDDEN trying to sync a password, GSPS logs an error event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41777
Level: Error
Contents: An API call to the Google server returned an unexpected response while updating the password for account 'username@domain.com' during the 'PasswordSyncTask::RetriveUser' step; all retries have been exhausted.
Details:
- Host: apps-apis.google.com
- Auth Result = 0 (0x00000000)
- GDataStatus = 4 (0x00000004) GDSTATUS_FORBIDDEN
- hResult 1 = -2147217004 (0x80041194)
- hResult 2 = 0 (0x00000000)

If an API request returns GDSTATUS_DENIED trying to sync a password, GSPS logs an error event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41777
Level: Error
Contents: An API call to the Google server returned an unexpected response while updating the password for account 'user@domain.com' during the 'PasswordSyncTask::RetriveUser' step; all retries have been exhausted.
Details:
- Host: apps-apis.google.com
- Auth Result = 0 (0x00000000)
- GDataStatus = 3 (0x00000003) GDSTATUS_DENIED
- hResult 1 = -2147217005 (0x80041193)
- hResult 2 = 0 (0x00000000)

If an API request returns GDSTATUS_BAD_REQUEST trying to sync a password, GSPS logs an error event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41777
Level: Error
Contents: An API call to the Google server returned an unexpected response while updating the password for account 'username@domain.com' during the 'PasswordSyncTask::RetriveUser' step; all retries have been exhausted.
Details:
- Host: apps-apis.google.com
- Auth Result = 0 (0x00000000)
- GDataStatus = 7 (0x00000007) GDSTATUS_BAD_REQUEST
- hResult 1 = -2147217401 (0x80041007)
- hResult 2 = 0 (0x00000000)

When the GSPS service is started, GSPS logs an informational event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41216
Level: Informational
Contents: G Suite Password Sync Service starting.

When the GSPS service is stopped, GSPS logs an informational event to the Windows "Application" event log in addition to the GSPS DLL log:

Log Name: Application
Source: G Suite Password Sync (Service) [password_sync_service]
Event ID: 41234
Level: Informational
Contents: G Suite Password Sync Service shut down.
Status = 0 (0x00000000)

Error codes

Error Code Explanation

0x00005012 S_ADS_NOMORE_ROWS

("The search operation has reached the last row.") 

GSPS was able to contact the Active Directory server, and succeeded making a search. However, no results were returned that matched the query.

The most probable cause is that the supplied email attribute name is incorrect, or there are no users with that attribute, or (if using User Credentials to query Active Directory) that the user account does not have access to read that attribute.

0x80041007 At least one user isn't an existing Google user or can't be 
accessed by GSPS. Find the affected user in the 
logs (search for "Failed with 0x80041007"), then verify in your Google Admin console that the user exists in your Google Account. 
0x80041011 The service account isn't authorized in your Google Admin console. Correct this by creating a GSPS service account or authorize GSPS using 3-legged OAuth.
0x80041012 The service account isn't correctly authorized in your Google Admin console. Verify that you've used the correct API scope or authorize GSPS using 3-legged OAuth.
0x80041013 The JSON file provided is invalid. Make sure you've configured your service account correctly or authorize GSPS using 3-legged OAuth.
0x8004100f The time is incorrect on the domain controller that is running GSPS. Make sure that the date, time, and timezone are correct. Then, try authorizing again.

0x80070005 ("Access denied")

If this error appears in the configuration interface logs, make sure you're logged in as a domain administrator, not just an administrator.

Additionally, make sure that the user is a member of the same domain as the domain controller, not from another domain (for example, not an Enterprise admin from a different domain).

0x8007202b A referral was returned from the server"

0x80072030 (There is no such object on the server")

These errors usually mean that the base DN is incorrect. If you collected logs using the GSPS support tool, compare the base DN in the config.xml file to the admin's DN in the GSPSTool.log file to see if there are any differences in the "DC=" parts.

0x8007052e ("Logon failure: unknown user name or bad password")

If you set up GSPS to use Anonymous access to connect to Active Directory, this error indicates that it isn't enabled. You need to enter an Active Directory user and password in the GSPS configuration.

If you have already entered a username and password, they may be incorrect. Try formatting the username both as domain\administrator and as administrator@domain.com. If one format doesn't work, try the other.

0x80070057 ("The parameter is incorrect")

This error can mean different things in different contexts. Try looking at the lines above it to understand the context and troubleshoot accordingly.

If you see this error code on the same line with TryDecryptAndGetSecret in the GSPS service logs, it may indicate that you've enabled application compatibility for GSPS. Make sure it's disabled before trying to configure GSPS again.

0x80072ee0

This error indicates an issue with authorization for your Google Account. It usually occurs due to incorrect network or proxy configuration. To resolve it, see I need help configuring proxy settings.

If this doesn't resolve the issue, try reauthorizing GSPS in the configuration interface. If you have multiple domain controllers, don't use the same Google super administrator account to authorize more than 10 DCs.

HTTP/1.1 403 You are not authorized to access this API

The domain controller on which this log line was found isn't properly authorized with your Google Account. To resolve the issue, run the GSPS configuration interface again and reauthorize it with your Google Account.

0x8007203e ("The search filter cannot be recognized.")

GSPS was able to contact the Active Directory server, but failed to perform a search.

The most probable cause is that the email address attribute contains invalid characters.

RetrieveTargetEmail ... Failed with 0x80072020 ("An operations error occurred")

GSPS failed to open a search to the Active Directory. This error appears when trying to use Anonymous access, but the Active Directory server doesn't allow it. Try using the recommended application’s security context option instead.

0x80005010 ("The specified column in the directory was not set")

GSPS is unable to find the user’s email address in Active Directory using the attribute specified during GSPS installation (usually "mail"). Check that the user has a valid email address. If yes, it's possible that the authorized user (the user that GSPS uses to query Active Directory) doesn't have access to this attribute for the user. Try providing a different Active Directory user in the GSPS configuration interface.

Note: GSPS doesn't support computer accounts (ending with a dollar sign —$). If the failure is for a computer account, this is expected.

0x8007200a ("The specified directory service attribute or value does not exist")

This error usually means that the authorized user (the user that GSPS uses to query Active Directory) doesn't have access to this attribute for the user. Try providing a different Active Directory user in the GSPS configuration interface.

0x80005008 ("One or more input parameters are invalid")

 

This can occur when the user whose password is being synced isn't included in the base DN that you've provided. Try changing the base DN. For example, if you use "OU=Sales,DC=altostrat,DC=corp" as your base DN, try using only "DC=altostrat,DC=corp" instead.

0x8007065e

This issue can occur if the network timeout registry entries have been created using the wrong registry data type (for example REG_SZ instead of REG_DWORD). Use the Registry Editor (regedit), to make sure that all entries under the following paths are are REG_DWORD and not any other type:

  • HKEY_LOCAL_MACHINE\Software\Google\Google Apps Password Sync\Other 
  • HKEY_CURRENT_USER\Software\Google\Google Apps Password Sync\Other 
 

 

For other Active Directory or LDAP related error codes, see the Generic ADSI Error Codes table on the Microsoft website.

Was this article helpful?
How can we improve it?