Associate Google accounts with existing Windows profiles

As an admin setting up Google Credential Provider for Windows (GCPW), you can give users a simpler first sign-in experience. You can have GCPW associate a user's existing Windows profile with their Google Account. With this approach, the user can sign in to the Windows profile they already use for work with their Google Account. GCPW also synchronizes the user’s Google password with their Windows password.

To create a new Windows profile to associate with a user’s Google Account instead, skip the instructions in this article and go to Install GCPW.

With this approach, when the user signs in to the device for the first time, GCPW creates a Windows profile and associates their Google Account with the new profile.

How account association works

GCPW associates a user’s Google Account with an existing local or AD Windows profile based on a custom attribute you add in Google Directory. The custom attribute specifies the user’s username for their local or AD Windows profile.

When the user signs in to the device for the first time after you install GCPW, GCPW checks the user's information in the Directory for Windows usernames. GCPW gets the user's Windows username from the Directory and looks for the matching profile or AD username on the device. Note: For AD-joined devices, if the user doesn’t have an AD-backed Windows profile on the device already (so they have to click Other user to sign in), the device must be connected to AD for the user’s first sign-in.

  • If GCPW finds a matching Windows profile or AD username, GCPW associates the Google Account with the Windows profile and synchronizes passwords.
  • If the Directory doesn't contain any Windows usernames for the user, or if GCPW doesn't find a match, then a new Windows profile is created on the device and associated with the Google Account.
  • For AD domain-joined devices, if the AD username isn’t valid, then GCPW may return an error. If the custom attribute isn’t set for the Google Account, GCPW creates a Windows profile or returns an error, depending on the type of account the user clicked to sign in.

To learn more about the user sign-in experience, go to Sign in to Windows after GCPW installation.

Before you begin

Make sure you review the information in Prepare to install GCPW.

Step 1: Add a custom attribute to user accounts

You can add the custom attribute in the Admin console, with a widget in the developer documentation, with the Directory API, or with Google Cloud Directory Sync (GCDS).

Add in the Admin console
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directory and then Users.
  3. At the top of the Users list, click More and then Manage custom attributes.
  4. Under Standard attributes, review the standard attributes in a user's profile.
  5. At the top right, click Add Custom Attribute.
  6. Under Category, enter Enhanced desktop security. This category name is case sensitive.
  7. Under Custom fields, enter the following values:
    1. Name—Enter one or both of the following as separate entries, depending on the type of Windows profile users have: Local Windows accounts or AD accounts. This name is case sensitive.
    2. Info type—Select Text.
    3. Visibility—Select Visible to user and admin.
    4. Number of values—Select Multi-value.
  8. Click Add. The Manage user attributes page now includes the attribute.

Note: If you enter the Category or Name value incorrectly, you can't edit the custom attribute to correct them. Delete the attribute and start over.

Add with the Try this API panel in the Directory API documentation

The API documentation includes a test widget that lets you send a request and authenticate with your super admin Google Account, all without coding.

To add a custom attribute with the API test widget:

  1. Open the Schemas: insert reference.
  2. On the right, in the Try this API panel, enter the following values:
    1. customerId—Enter my_customer.
    2. Request body—Delete the placeholder content and copy the following text into the field:
      
      {
        "displayName": "Enhanced Desktop Security",
        "fields": [
          {
            "displayName": "AD accounts",
            "fieldName": "AD_accounts",
            "fieldType": "STRING",
            "multiValued": true,
            "readAccessType": "ADMINS_AND_SELF"
          },
          {
            "displayName": "Local Windows accounts",
            "fieldName": "Local_Windows_accounts",
            "fieldType": "STRING",
            "multiValued": true,
            "readAccessType": "ADMINS_AND_SELF"
          }
        ],
        "schemaName": "Enhanced_desktop_security"
      }
  3. Click Execute.
  4. When prompted, enter the account credentials for a super admin account.

If your request is successful, a 200 response is returned at the bottom of the panel. You can also confirm the custom attribute was created by opening the Admin console and going to Users and then More and then Manage custom attributes.

Add with the Directory API

Add the custom attribute with the Directory API.

Sync with GCDS

Add the values to Active Directory and use Google Cloud Directory Sync (GCDS) to sync the values to your Admin console.

Step 2: Set the custom attribute in each user's account

Complete the following steps for each user whose Google Account you want GCPW to associate with an existing Windows profile. For more information about editing attributes, go to Create custom attributes for user profiles.

To set values for the custom attribute for one user at a time:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directory and then Users.
  3. In the Users list, find the user and click their name. If you need help, see Find a user account.
  4. Click User information and locate the Enhanced desktop security section.
  5. If the user has an Active Directory account, enter their sAMAccountName in the text field, in the following format: domain\username

    For example, if your domain is example.com and the user signs in to Windows with the username jsmith, enter the sAMAccountName example.com\jsmith.

    Note:

    • You can enter only one Active Directory account for a user. If you enter more than one, GCPW uses only the first entry.
    • If you also add an entry for a local account (in the next step), GCPW searches for the Active Directory account first.
  6. If the user has a local Windows profile, enter their account information in the text field, in the following format: un:Windows_username. The Windows username can have spaces. If a user has multiple local Windows accounts, enter each account in a new Local Windows accounts field (a new field is added when you start entering each account).

    To limit the user’s access to a specific device, enter un:Windows_username,sn:device_serial_number. Don't put a space after the comma. Only one device serial number is allowed.

    For example, if the user signs in to Windows with the username jsmith, enter un:jsmith. To restrict the user to signing in on a specific device with serial number 123456, enter un:jsmith,sn:123456

  7. Click Save.
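
The value formats from steps 5 and 6 can be checked before they are written to a user. The following is an added example, not code from Google's documentation: it validates each entry against the rules above and builds the customSchemas portion of a Directory API user update. The function names are hypothetical; the schema and field names come from the request body in Step 1, and sending the body is left to your own API client.

```python
SCHEMA = "Enhanced_desktop_security"  # schemaName from the Step 1 request body


def parse_ad(value):
    """Split an AD entry in the page's domain\\username format."""
    domain, sep, user = value.partition("\\")
    if not sep or not domain or not user or "\\" in user:
        raise ValueError(f"{value!r}: expected domain\\username")
    return domain, user


def parse_local(value):
    """Split un:Windows_username[,sn:device_serial_number]."""
    parts = value.split(",")
    if not parts[0].startswith("un:") or len(parts[0]) == 3:
        raise ValueError(f"{value!r}: expected un:Windows_username")
    if len(parts) > 2:
        raise ValueError(f"{value!r}: only one device serial number is allowed")
    serial = None
    if len(parts) == 2:
        if parts[1] != parts[1].lstrip():
            raise ValueError(f"{value!r}: no space after the comma")
        if not parts[1].startswith("sn:") or len(parts[1]) == 3:
            raise ValueError(f"{value!r}: expected sn:device_serial_number")
        serial = parts[1][3:]
    return parts[0][3:], serial  # the username may contain spaces


def build_custom_schemas(ad_accounts, local_accounts):
    """Validate every value, then return (request_body, warnings)."""
    for value in ad_accounts:
        parse_ad(value)
    for value in local_accounts:
        parse_local(value)
    warnings = []
    if len(ad_accounts) > 1:
        warnings.append("GCPW uses only the first AD account entry")
    fields = {}
    if ad_accounts:
        fields["AD_accounts"] = [{"value": v} for v in ad_accounts]
    if local_accounts:
        fields["Local_Windows_accounts"] = [{"value": v} for v in local_accounts]
    return {"customSchemas": {SCHEMA: fields}}, warnings


if __name__ == "__main__":
    # Constructed sample values, taken from the examples in steps 5 and 6.
    body, notes = build_custom_schemas(["example.com\\jsmith"], ["un:jsmith,sn:123456"])
    print(body, notes)
```

Rejecting a malformed entry up front matters because, as described under How account association works, a value GCPW can't match to a profile results in a new Windows profile instead of the intended association.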

To update users in bulk, you can add attribute values using one of the following methods:

Next step: Install GCPW

Follow the instructions in Install Google Credential Provider for Windows.

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 
