We recommend using a service account for authentication. If you’re installing Password Sync from the command line, you must use a service account.
You can also use 3-legged OAuth for authentication, but only on Microsoft Windows Server with Desktop Experience. If you have more than 5 domain controllers, we recommend using a service account, because manually setting up 3-legged OAuth on each one can be time-consuming.
Note: 3-legged OAuth is not available on Windows Server Core.
A service account belongs to an application rather than a user. The application sends a request to Google APIs on behalf of the service account, so users aren't directly involved in the authentication process.
Advantages of a service account
- Multiple domain administrators can manage and monitor a service account. Therefore, even if an administrator changes, Password Sync is unaffected.
- Service accounts aren't subject to the refresh token limit that affects 3-legged OAuth.
- Service account credentials are downloaded as a JSON file and can be used on many domain controllers. You don't need to repeat the authorization process for each domain controller.
- Service accounts don't require a web browser to authenticate. You can configure Password Sync when using Windows Server Core.
- You can install and configure Password Sync using the command line.
Disadvantages of a service account
- You must create a project in Google Cloud Console, which makes the setup more complex.
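As an added illustration (not code from Password Sync or Google), the function below shows what "on behalf of the service account" means mechanically: it reads the client_email, token_uri and private_key fields of the JSON key downloaded from Google Cloud Console and produces the RS256-signed JWT assertion that an application exchanges for an access token. The jwt-bearer grant type and one-hour assertion lifetime are the standard ones for Google's token endpoint; the HTTP POST that sends the assertion is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

// Assertion parses the JSON key file downloaded from Google Cloud Console and builds the
// RS256-signed JWT the application POSTs to token_uri with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
// Possession of the key file is the whole credential: no browser, no user consent step, no refresh token.
func Assertion(jsonKey []byte, scope string, now time.Time) (string, error) {
	var k struct {
		ClientEmail string `json:"client_email"`
		TokenURI    string `json:"token_uri"`
		PrivateKey  string `json:"private_key"` // PKCS#8 PEM block
	}
	if err := json.Unmarshal(jsonKey, &k); err != nil {
		return "", err
	}
	block, _ := pem.Decode([]byte(k.PrivateKey))
	if block == nil {
		return "", errors.New("private_key is not a PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := parsed.(*rsa.PrivateKey) // ok is false (no panic) when err != nil
	if err != nil || !ok {
		return "", errors.New("private_key is not a PKCS#8 RSA key")
	}
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": k.ClientEmail, "scope": scope, "aud": k.TokenURI, // issuer is the service account, not an admin
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), // short-lived; minted fresh for each token request
	})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}
```

Because the same key file works on every machine that holds it, the file should be treated like a password: restrict its ACL on each domain controller and rotate it from the Cloud Console if it is ever exposed.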
With 3-legged OAuth, the application sends a request to Google APIs on behalf of a user. Unlike a service account, 3-legged OAuth normally requires each user to give the application permission to access their data. For Password Sync, the domain administrator performs this step on behalf of all users in the domain during setup. As a result, for Password Sync to synchronize passwords for every user in the domain, the domain administrator must authorize Password Sync separately on each domain controller.
Note: This option is only available on Windows Server with Desktop Experience.
Advantages of 3-legged OAuth
- Using 3-legged OAuth is simple and requires only one setup step.
Disadvantages of 3-legged OAuth
- It is not available on Windows Server Core.
- Domains with multiple domain controllers might exceed the token limit.
- Domains with multiple domain controllers must authorize each domain controller separately. This can be time-consuming.
- 3-legged OAuth is tied to a single administrator account. If the account is turned off or deleted, Password Sync won't work.
- Unlike service accounts, usage can't be monitored via the Google Cloud Console.
- You can't install and configure Password Sync using the command line with 3-legged OAuth.
After you choose your authentication method, you're ready to set up Password Sync. Go to Set up Password Sync.