Set up password recovery for users

Before you begin: Users need a recovery phone number or email address where they can get recovery instructions:

• To have users set up recovery information, tell them to go to Set up a recovery phone number or email address.
  Important: Users who have 2-Step Verification enabled can use only a recovery email address to reset their password.
• To set up recovery information for users in the Admin console, go to Add recovery information for admins and users.

Users who haven't added recovery information are directed to contact an administrator.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAuthenticationAccount recovery.
3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
4. Click User account recovery.
5. Click Allow users and non-super admins to recover their account. This setting won't apply if your organization uses single sign-on (SSO) with a third-party identity provider or Password Sync.
6. Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.

Important: Immediately remove a user's recovery information either when they leave your organization or if their account might be hijacked (see below).

When non-admin password recovery is turned on, you should take precautionary action if you believe a user account may be vulnerable or compromised. For example:

• The user is terminated or leaves your organization.
• You suspect the account has been hijacked, and the user's recovery information has been changed.

In these cases, removing the user's recovery information is not enough to protect the account, since the information can still be used for recovery for a period of time after being removed. You should either change the user's password and disable non-admin password recovery, or suspend the user account to prevent all access.

• Google Workspace for Education users under the age of 18—Younger Google Workspace for Education users aren’t permitted to add a recovery phone number or email to their account. They can't reset a forgotten password on their own.

  Note: Users of any age with primary or secondary education accounts can't supply a recovery phone number or email. The option to add a phone number or email is not available for these types of accounts.

  Only users with Higher Education accounts, administrators, and teachers using Google Workspace for Education can supply a recovery phone number or email.

• Organizations using SSO or GSPS—If your organization uses single sign-on (SSO), you won't have the enable non-admin user password recovery option in your Admin console.
  
  If your organization uses Password Sync for Active Directory (GSPS) and you prevented users from changing their Google passwords, users are redirected to Active Directory to reset their passwords. This keeps their Active Directory passwords in sync with Google Workspace.