
Set up Password Sync

2. Choose your authentication method

Before you install Password Sync, you need to choose a Google authentication method. We recommend using a service account for authentication. If you’re installing Password Sync from the command line, you must use a service account.

You can also use 3-legged OAuth for authentication, but only on Microsoft Windows Server with Desktop Experience. If you have more than 5 domain controllers, you must authorize each domain controller separately, which can be time-consuming. We recommend using a service account instead.

You're on step 2 of 7

Option 1: Use a service account to authenticate

A service account belongs to an application rather than a user. The application sends a request to Google APIs on behalf of the service account, so users aren't directly involved in the authentication process.

Advantages of a service account:

  • Multiple domain administrators can manage and monitor a service account. Therefore, even if an administrator changes, Password Sync is unaffected.
  • Service accounts aren't subject to the refresh token limit that affects 3-legged OAuth.
  • Service account credentials are downloaded as a JSON file and can be used on many domain controllers. You don't need to repeat the authorization process for each domain controller.
  • Service accounts don't require a web browser to authenticate. You can configure Password Sync when using Windows Server Core.
  • You can install and configure Password Sync using the command line.

Disadvantages of a service account:

  • You must create a project in Google Cloud, which makes the setup more complex.
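Because the same JSON credentials file can be copied to many domain controllers, it helps to check each copy where it is stored. The following PowerShell function is an added example, not part of Password Sync or of Google's documentation. It confirms that a file is a service account key, reports its non-secret identifiers, and lists any file permissions beyond SYSTEM and the local Administrators group. The function name, the file path, and the choice of those two allowed principals are assumptions; adjust them to the account that reads the key in your deployment.

```powershell
# Added example: audit a service account key file stored on a domain controller.
# Field names (type, client_email, private_key_id, project_id) are those of a
# standard Google Cloud service account JSON key. The private key is never printed.
function Test-ServiceAccountKeyFile {
    param([Parameter(Mandatory)][string]$Path)

    $key = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    if ($key.type -ne 'service_account') {
        throw "$Path is not a service account key (type = '$($key.type)')."
    }

    # Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
    # should be able to read the key. Add the SID of any other required account.
    $allowedSids = @('S-1-5-18', 'S-1-5-32-544')

    $acl = Get-Acl -LiteralPath $Path
    $unexpected = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($allowedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Path           = $Path
        ClientEmail    = $key.client_email     # the service account's identity
        PrivateKeyId   = $key.private_key_id   # key ID, not the key material
        ProjectId      = $key.project_id
        Owner          = $acl.Owner
        UnexpectedAces = @($unexpected)
        Restricted     = (@($unexpected).Count -eq 0)
    }
}

# Hypothetical path: substitute the location of the key file on this domain controller.
Test-ServiceAccountKeyFile -Path 'C:\PasswordSyncKeys\service-account.json' | Format-List
```

Comparing the `PrivateKeyId` value across domain controllers shows which key each one holds, which is useful when you replace a key.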

Option 2: Use 3-legged OAuth to authenticate

With 3-legged OAuth, the application sends a request to Google APIs on behalf of a user. However, unlike a service account, 3-legged OAuth normally requires each user to give the application permission to access their data. For Password Sync, the domain administrator performs this step on behalf of all users during the setup process. In turn, for Password Sync to successfully synchronize user passwords for every user in a domain, the domain’s administrator must authorize Password Sync on each domain controller.

Advantages of 3-legged OAuth:

  • Using 3-legged OAuth is simple and requires only one setup step.

Disadvantages of 3-legged OAuth:

  • It is only available on Windows Server with Desktop Experience and not on Windows Server Core.
  • Domains with multiple domain controllers might exceed the token limit. You must authorize each domain controller separately, which can be time-consuming.
  • 3-legged OAuth is tied to a single administrator account. If the account is turned off or deleted, Password Sync won't work.
  • Unlike service accounts, usage can't be monitored in Google Cloud.
  • You can't install and configure Password Sync using the command line with 3-legged OAuth.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
