As your organization's administrator, you can let users and non-super administrators recover their account if they forget their password:
Option 1: Let users reset passwords themselves
This feature isn’t available if your organization uses single sign-on (SSO) or G Suite Password Sync. It also doesn’t work for users under the age of 18. Go to details below.
You can let users who aren't super admins reset their own passwords without contacting an administrator. Users must add a recovery phone number or email address to their account where they can receive recovery instructions by voice, text message, or email. They can then reset their password by entering their Google Account address and following automated instructions.
By default, only super admins can reset a forgotten password using the automated system. Here's how to let users and non-super admins do this:
Now, if users in your organization click Forgot password? on the sign-in page, they get instructions on recovering their password. If users added a recovery phone number or email address to their account, they can reset their password. Users with 2-Step Verification can reset their password only with their recovery email address. Users who haven't added recovery information are directed to contact an administrator.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Security
Account recovery.
-
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
-
Click User account recovery.
-
Click Allow users and non-super admins to recover their account. This setting won't apply if your organization use single sign-on (SSO) with a third-party identity provider or G Suite Password Sync.
-
Tell users to set up a recovery phone number or email address where they can receive password recovery instructions.Immediately remove a user's recovery information when they leave your organization or if their account might be hijacked. Go to details below.
If you turn on non-admin password recovery, immediately remove a user's recovery information if...
- The user is terminated or leaves your organization. That way they can’t recover their password to access their old account.
- You suspect the account has been hijacked and the user’s recovery information is no longer legitimate.
To remove a user’s recovery information or check if it’s been hacked, sign in to the account as the user. Then follow steps to set up a recovery phone number or email address.
- G Suite for Education users under the age of 18—Younger G Suite for Education users aren’t permitted to add a recovery phone number or email to their account. They can't reset a forgotten password on their own.
Note: Users of any age with primary or secondary education accounts can't supply a recovery phone number or email. The option to add a phone number or email is not available for these types of accounts.
Only users with Higher Education accounts, administrators, and teachers using G Suite for Education can supply a recovery phone number or email.
- Organizations using SSO or GSPS—If your organization uses single sign-on (SSO), you won't have the enable non-admin user password recovery option in your Admin console.
If your organization uses G Suite Password Sync for Active Directory (GSPS) and you prevented users from changing their G Suite passwords, users are redirected to Active Directory to reset their passwords. This keeps their Active Directory passwords in sync with G Suite.
Option 2: Ask users to contact an administrator
If a user clicks Forgot password? on the sign-in page, and you haven't turned on non-admin password recovery, they get a message to contact their administrator. Make sure you've provided a way for users to contact an administrator if they can't sign in to their account.
See also Reset a user's password.
