Troubleshoot Password Sync

If you're experiencing issues with setting up Password Sync, review these solutions to common issues.

Before you begin

Before you begin troubleshooting, make sure you meet all the system requirements and have fully completed the setup steps. For details, go to Set up Password Sync.

Troubleshooting options

Option 1: Automatic troubleshooting

Use the Password Sync Support Tool (an open-source tool by Google) to gather Password Sync logs and troubleshooting information from all domain controllers.

  1. Click the link to download the Password Sync Support Tool.
  2. Run the tool, then locate and open the ZIP file on the desktop of your computer.
  3. Extract the trace logs and submit them to the Google Admin Toolbox Log Analyzer.

Most issues can be identified within a few moments of submission.

Google Workspace support does not offer support for the Password Sync Support Tool.

Option 2: Manual troubleshooting

If the automatic troubleshooting step doesn't resolve your problem, or if you couldn't run the Password Sync Support Tool, you can manually collect the troubleshooting information. Some steps in this task require that you run console commands.

Step 1: List your domain controllers

  1. Make sure you're a member of the Domain Admins group.

    For details, go to Password Sync installer was unsuccessful (later on this page).

  2. In the Start menu, click Windows System, then Command Prompt.

    Depending on your system, you might need to right-click Command Prompt and click More, then Run as administrator.

  3. To list your domain controllers, enter the following command:

    nltest /dclist:your-ad-domain

    Replace your-ad-domain with the name of your Active Directory domain.

Step 2: Verify the following on each domain controller

  • Make sure the correct version of Password Sync (32-bit or 64-bit) is installed on the server and that you have restarted the server after installing Password Sync.
  • Make sure your network and proxy settings are set up correctly.

    For details, go to Configure proxy settings for Password Sync (later on this page).

  • Using Microsoft Internet Explorer, the Chromium-based version of Microsoft Edge, or a Google Chrome browser, check you can access https://www.googleapis.com/.

    It's OK if this page shows a Google error or Not Found. Make sure the page doesn't show a certificate error or any requests for proxy authentication. Authenticated proxy servers are not supported.

  • To copy your current user's proxy settings to the system-wide proxy settings, enter the following command:

    netsh winhttp import proxy ie

  • If you aren't using a proxy server, but are encountering proxy-related issues, to troubleshoot, enter the following command:

    bitsadmin /util /setieproxy networkservice no_proxy

  • To check that the Password Sync DLL is registered on the machine, enter the following command:

    reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"

    The output should include the text password_sync_dll. If it doesn't, reinstall Password Sync.

  • To verify that the Password Sync DLL is loaded, enter the following command:

    tasklist /m password_sync_dll.dll

    The process lsass.exe should be listed in the results. If it isn't listed, the DLL isn't loaded. Verify that the DLL is registered and the edition (32-bit or 64-bit) matches the system. Then, restart your computer so that the DLL loads.

Step 3: Check that Password Sync has started

To check that the Password Sync service has started, enter the sc query "Password Sync" command (replace Password Sync with G Suite Password Sync if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync for version 1.6 or earlier).

If the query output says:

  • STATE: RUNNING—Password Sync is running
  • STATE: STOPPED—Password Sync isn't running
  • The specified service does not exist as an installed service—Password Sync isn't installed.

If Password Sync isn’t running, enter the sc start "Password Sync" command (replace Password Sync with G Suite Password Sync if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync for version 1.6 or earlier).

If Password Sync isn’t installed, complete the steps in Configure Password Sync.
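The checks in Step 2 and Step 3 above can be scripted so they run identically on every domain controller. The following PowerShell is an added example, not code from the help page or from Google: it reads the LSA Notification Packages value, runs the same tasklist check for the DLL in lsass.exe, reports the service state the way sc query does, and starts the service if it is stopped. It assumes the service is named Password Sync (pass the older names given above via -ServiceName) and must run in an elevated session.

```powershell
# Added example (not from the Google help page): PowerShell equivalents of the
# Step 2 and Step 3 checks, run in an elevated session on each domain controller.
# Assumption: the service name is "Password Sync"; older releases use the names
# noted above, which can be passed with -ServiceName.
[CmdletBinding()]
param([string]$ServiceName = 'Password Sync')

function Test-PasswordSyncDllRegistered {
    # LSA loads every DLL named in "Notification Packages" at boot; Password Sync
    # must be listed there (as password_sync_dll) to be told about password changes.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'Notification Packages'
    return (([string[]]($lsa.'Notification Packages')) -contains 'password_sync_dll')
}

function Test-PasswordSyncDllLoaded {
    # Same check as "tasklist /m password_sync_dll.dll": the DLL counts as loaded
    # only when lsass.exe is listed, which requires a reboot after installation.
    $lines = & tasklist.exe /M password_sync_dll.dll /FO CSV /NH 2>$null
    return [bool]($lines | Where-Object { $_ -match '^"lsass\.exe"' })
}

function Get-PasswordSyncServiceState {
    param([string]$Name = 'Password Sync')
    # Mirrors "sc query": RUNNING, STOPPED, or NOT_INSTALLED when the service is absent.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NOT_INSTALLED' }
    return $svc.Status.ToString().ToUpperInvariant()
}

function Get-PasswordSyncHealth {
    param([string]$Name = 'Password Sync')
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Is64BitOS     = [Environment]::Is64BitOperatingSystem   # compare with the installed edition
        DllRegistered = Test-PasswordSyncDllRegistered
        DllLoaded     = Test-PasswordSyncDllLoaded
        ServiceState  = Get-PasswordSyncServiceState -Name $Name
    }
}

$health = Get-PasswordSyncHealth -Name $ServiceName
$health | Format-List

# Act on the findings the same way the steps above do.
if (-not $health.DllRegistered) {
    Write-Warning 'password_sync_dll is not in Notification Packages: reinstall Password Sync.'
} elseif (-not $health.DllLoaded) {
    Write-Warning 'DLL is registered but not loaded in lsass.exe: check the 32/64-bit edition, then restart the server.'
}
if ($health.ServiceState -eq 'STOPPED') {
    Start-Service -Name $ServiceName      # equivalent of: sc start "Password Sync"
}
```

Run the script on each domain controller returned by nltest /dclist (Step 1) and keep the Format-List output; a controller where DllRegistered is true but DllLoaded is false has not been restarted since installation, which is the most common reason only some password changes reach Google.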

Common Password Sync issues

If you continue to experience issues, check these solutions.

Verify that the sync worked correctly

You can use the security investigation tool:

  1. In your Google Admin console, run a search for Admin log events.

    For details, go to Admin log events.

  2. Add a filter to search for Password Change events.
  3. Run the search and examine the results. Note that the name of the actor attached to the event depends on how you set up Password Sync. If you used the following:
    • UI interface—The actor displays as the administrator's email address that you entered.
    • Command line—The actor displays as the email address used for the parameter with the command, --admin_email.

Password Sync is working only for some users

If Password Sync doesn't synchronize some passwords, start with the initial checks and, if your issue persists, proceed to the further troubleshooting section.

Initial checks

Check the following requirements (ordered from most to least likely cause).

1. Make sure that Password Sync is installed correctly

Check that you have installed Password Sync successfully on all of your domain's writable Microsoft Active Directory (AD) servers (domain controllers):

  1. Check which domain controllers have Password Sync installed by opening and running the Password Sync Support Tool.
  2. To find the list of writable domain controllers, open a Command Prompt (CMD) window and use the following command:

    findstr /S /C:"A:Creating" PasswordSyncSupportTool.log

  3. Review the resulting report and check that each domain controller's folder has a service_*.txt file that shows that the service is running.

    Note: You can expect 2 of the files to show the service is unavailable, and one to confirm it's running.

If you're not sure which domain controllers are writable, install Password Sync on all your domain controllers. Doing so won't cause any issues.

2. Verify the user's privileges

Verify that the Google Account admin privileges for the user experiencing issues don't exceed the privileges of the admin that set up Password Sync.

Users can't change passwords for users that have higher privileges. For example, a regular admin can't update passwords for a super admin. For details about roles, go to Assign specific admin roles.

3. Check email addresses

Verify that you added your users' email addresses in the designated Mail Attribute field when you set up Password Sync. The addresses must exactly match the Google primary email addresses, including the domain part of the address. For details, go to Set up authorization access method.

4. Verify that the password is valid

The password must meet the username and group name guidelines. If a password doesn't sync because it contains unsupported characters, Password Sync logs a warning in the Windows Application event log like this:

The new password contains unsupported characters. The password can not be updated on the Google Account, and will be out of sync with AD.

Further troubleshooting

If the issue persists, follow these steps.

1. Identify an example

Locate an instance of a password change in AD that was not synced to Google and where the user has not altered their AD password since. Take note of the exact time when the password was changed on AD, the username, and the user's email address.

2. Verify the password change

Use AD admin tools, such as ADSIEdit or LDIFDE, to check the pwdLastSet attribute for the user. The attribute's value is the number of 100-nanosecond intervals since January 1, 1601 (UTC). For details about the attribute, go to Pwd-Last-Set attribute.

Verify that the timestamp for the attribute matches the time when the user changed their password.

  1. Go to Google Admin Toolbox Encode/Decode.
  2. Select pwdLastSet/FILETIME Decode.
  3. For Paste the text to encode/decode below, paste the numeric value from AD and click submit.
  4. The Toolbox displays the decoded time value in your local timezone and UTC.
  5. If the timestamps don't match, AD didn't process the password change. Resolve the password issues in AD and try again.
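The decode in steps 1 to 4 can also be done locally, which makes it easy to apply the 1 to 2 minute comparison window the next section describes without mixing up time zones. The following PowerShell is an added example, not code from the help page or from Google: it converts a pwdLastSet value with the .NET FILETIME conversion, reads the raw attribute with the RSAT ActiveDirectory module's Get-ADUser, and compares the decoded time with a change time in UTC. The sample value and the reported change time are constructed for illustration.

```powershell
# Added example, not from the Google help page: decodes pwdLastSet locally and
# applies the comparison window described on this page. Get-ADUser is the RSAT
# ActiveDirectory module cmdlet; the sample value and times below are constructed.
function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)][long]$Value)
    # pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since
    # 1601-01-01 00:00 UTC. A value of 0 means "must change password at next
    # logon", so there is no change time to compare.
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function Test-PwdLastSetMatches {
    param(
        [Parameter(Mandatory)][long]$PwdLastSet,
        [Parameter(Mandatory)][DateTime]$ObservedChange,   # time the change was seen elsewhere
        [int]$WindowMinutes = 2
    )
    $set = ConvertFrom-PwdLastSet -Value $PwdLastSet
    if ($null -eq $set) { return $false }
    # Compare in UTC so a local time-zone offset cannot produce a false mismatch.
    $delta = [math]::Abs(($ObservedChange.ToUniversalTime() - $set).TotalMinutes)
    return ($delta -le $WindowMinutes)
}

function Get-PwdLastSetFromAD {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Reads the raw attribute from AD; pwdLastSet is returned as an Int64.
    (Get-ADUser -Identity $SamAccountName -Properties pwdLastSet).pwdLastSet
}

# Constructed sample: a pwdLastSet value and a change time reported by the user
# in local time with an explicit offset, normalised to UTC before comparing.
$sampleValue    = 133656999550000000
$reportedChange = [DateTimeOffset]::Parse('2024-07-17T16:26:30+02:00').UtcDateTime

$decoded = ConvertFrom-PwdLastSet -Value $sampleValue
'pwdLastSet decodes to {0:u} (UTC) / {1:G} (local)' -f $decoded, $decoded.ToLocalTime()
'Within window: {0}' -f (Test-PwdLastSetMatches -PwdLastSet $sampleValue -ObservedChange $reportedChange)
```

For a real user, replace $sampleValue with the result of Get-PwdLastSetFromAD -SamAccountName (the user's account name) and $reportedChange with the time the user gave you, including its offset; a false result means AD's own record of the change does not agree with the user's account of it, and the AD side should be resolved before looking at Password Sync.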

3. Verify the issue

In your Google Admin console, check the admin log events. Search for password change events for the user to confirm whether there was a password change within 1–2 minutes of the timestamp in the pwdLastSet attribute. Remember to take time zone differences into account. For details about log events, go to Admin log events.

If you verify a password change event in the log at the correct time, check the following issues:

  • Check that the admin who changed the password matches the admin who authorized Password Sync in the logs. If the admin is the same, Password Sync is working as expected.
  • Check whether other sources might have changed the Google user's password after it was synced (causing the password to go out of sync with AD). Resolve the issue before trying again.

4. Create a Password Sync Support Tool report

Complete the steps for automatic troubleshooting (earlier on this page). Doing so enables you to collect Password Sync logs and details from all writable domain controllers into a single folder.

5. Locate the domain controller responsible for the password change

Follow these steps to identify the correct domain controller:

  1. Open a Command Prompt (CMD) window.
  2. Use the cd command to navigate to the directory where you created the report (in the previous step).

    Example: cd C:\Users\yourname\Desktop\PasswordSyncSupportTool_20240717_142555

  3. To search for the username in AD, use the findstr command.

    For examples, go to Examples: Using the findstr command (later on this page).

  4. If you find multiple log files with the username, select the file where the log timestamp matches the time in the pwdLastSet attribute (remember to take the time zone into account).
  5. In the log, check the lines that mention the username to find an associated error message or code.

    For additional help with errors, go to Password Sync error codes & messages.

  6. If you don't find the username, make sure you installed Password Sync on all writable domain controllers. For details go to Make sure that Password Sync is installed correctly (earlier on this page).

  7. If you are still experiencing issues, verify the other troubleshooting steps.

Examples: Using the findstr command

Example 1: The following command searches the current directory and its subdirectories for log files that contain the username (case doesn't matter). Because of the /M switch, the CMD window shows only the name of each matching log file.

findstr /S /I /M /C:"username" *.log

Example 2: The following command searches the current directory and its subdirectories for log files that contain the username (case doesn't matter). Because of the /N switch, the CMD window shows each matching line, prefixed with the file name and the number of the line that contains the username.

findstr /S /I /N /C:"username" *.log
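The same search in PowerShell can go one step further than findstr and group the hits by the report's per-domain-controller folder, which is what step 5 is trying to establish. The following is an added example, not code from the help page or from Google: it assumes the Password Sync Support Tool report is laid out as one sub-folder per domain controller (as the report description above implies) and that you run it from, or point -ReportPath at, that report folder. The user name in the usage lines is a placeholder.

```powershell
# Added example, not from the Google help page: a PowerShell version of the
# findstr searches above that also groups hits by the report's per-domain-
# controller sub-folder. Assumptions: one sub-folder per domain controller in
# the Password Sync Support Tool report; the user name is a placeholder.
function Find-UserInPasswordSyncLogs {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ReportPath = (Get-Location).Path
    )
    $root = (Resolve-Path -Path $ReportPath).Path.TrimEnd('\')
    # Same scope as: findstr /S /I /N /C:"username" *.log
    # every *.log below the folder, literal (not regex) match, case-insensitive.
    Get-ChildItem -Path $root -Filter '*.log' -Recurse -File |
        Select-String -SimpleMatch -Pattern $UserName |
        ForEach-Object {
            $relative = $_.Path.Substring($root.Length).TrimStart('\')
            $parts    = $relative -split '\\'
            # The first path element is the domain controller's folder; a log
            # sitting directly in the report root is labelled as such.
            $dc = '(report root)'
            if ($parts.Count -gt 1) { $dc = $parts[0] }
            [pscustomobject]@{
                DomainController = $dc
                File             = $relative
                Line             = $_.LineNumber
                Text             = $_.Line.Trim()
            }
        }
}

function Get-HitsPerDomainController {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ReportPath = (Get-Location).Path
    )
    # Counts matching lines per controller folder, most hits first.
    Find-UserInPasswordSyncLogs -UserName $UserName -ReportPath $ReportPath |
        Group-Object -Property DomainController |
        Select-Object @{ n = 'DomainController'; e = { $_.Name } }, Count |
        Sort-Object -Property Count -Descending
}

# Usage (placeholder user name), from inside the report folder:
Get-HitsPerDomainController -UserName 'jdoe'
Find-UserInPasswordSyncLogs -UserName 'jdoe' |
    Sort-Object -Property File, Line |
    Format-Table -AutoSize
```

When several controllers show hits, the per-line output lets you pick the file whose log timestamp agrees with the decoded pwdLastSet value (step 4 above) before reading the surrounding lines for an error code.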

Active Directory admin isn’t authorized to install Password Sync

To install Password Sync, you must be a member of the Domain Admins group in Active Directory. Being a member of the Administrators group does not provide sufficient authorization.

You must sign in to Windows as a domain administrator in the same domain as the domain controller you’re setting up. If you sign in as a domain administrator from a different domain (such as an Enterprise Admin from another domain, or an administrator from a trusted domain) you won't be authorized to install or configure Password Sync.

Password Sync installer was unsuccessful

Check that your setup:

  • Is running the installer locally (not over a network)
  • Has the right version of Password Sync for your server's architecture (32-bit or 64-bit)

Unable to grant access to Password Sync

Make sure you have granted app access control to Google Workspace services. For details, go to Control which third-party & internal apps access Google Workspace data.

Configure proxy settings for Password Sync

Password Sync supports proxy connections if you set up system-wide proxy settings on all of your domain controllers:

  1. Make sure that the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com/ in Internet Explorer, the Chromium-based version of Edge, or the Chrome browser.

    If you're redirected to a google.com page or a page saying "Not Found," your proxy settings are probably correct. If there’s an authentication prompt or certificate error, your proxy settings might not be correct.

  2. To import the proxy configuration, enter the following command:

    netsh winhttp import proxy ie

  3. (Optional) If you aren't using a proxy server, but are still encountering proxy-related issues, enter the following command:

    bitsadmin /util /setieproxy networkservice no_proxy

    This command sets Windows to ignore any autodiscovered proxy configuration that might be present in the system.

Note:

  • Password Sync supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the URLs and ports specified in Set up your domain controllers.
  • Although Password Sync supports proxy connections, you might need to turn on a direct connection to make sure the proxy server doesn't cause issues. Since a proxy configuration depends on your local setup, Google Workspace Support cannot assist you with configuration issues. If you encounter any proxy issues, contact your network administrator.
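Because the service uses the system-wide WinHTTP proxy while a browser uses the current user's settings, it helps to see both on the same controller. The following PowerShell is an added example, not code from the help page or from Google: it prints the WinHTTP proxy that netsh winhttp import proxy ie wrote, then requests the same https://www.googleapis.com/ page as step 1 and classifies the outcome the way the page does (a Google "Not Found" is fine; a 407 proxy-authentication response or a certificate error is not). Invoke-WebRequest follows the current user's proxy settings, as the browser check does, so run it under the account whose settings you imported.

```powershell
# Added example, not from the Google help page: shows the system-wide (WinHTTP)
# proxy used by the Password Sync service and probes the googleapis.com URL from
# the steps above, classifying the result as step 1 describes. The probe uses the
# current user's proxy settings (like the browser check), not the WinHTTP one.
function Get-WinHttpProxy {
    # "Direct access (no proxy server)." in this output means no system-wide proxy is set.
    (& netsh.exe winhttp show proxy) -join "`n"
}

function Test-GoogleApisAccess {
    param([string]$Url = 'https://www.googleapis.com/')
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return [pscustomobject]@{ Ok = $true; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # Both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException)
        # expose the response, when there was one, as $_.Exception.Response.
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        if ($status -eq 404) {
            # A Google "Not Found" page is acceptable: TLS and the proxy path both worked.
            return [pscustomobject]@{ Ok = $true;  Detail = 'HTTP 404 from Google (acceptable)' }
        }
        if ($status -eq 407) {
            return [pscustomobject]@{ Ok = $false; Detail = 'HTTP 407: the proxy requires authentication, which Password Sync does not support' }
        }
        $msg = $_.Exception.Message
        if ($msg -match 'SSL|TLS|certificate|trust relationship') {
            return [pscustomobject]@{ Ok = $false; Detail = "Certificate error (check for TLS inspection or a missing root CA): $msg" }
        }
        return [pscustomobject]@{ Ok = $false; Detail = "Request failed (HTTP $status): $msg" }
    }
}

'WinHTTP (system-wide) proxy used by the service:'
Get-WinHttpProxy
'Probe of the Google endpoint with the current user settings:'
Test-GoogleApisAccess | Format-List
```

If the probe succeeds but the WinHTTP section shows direct access while the user has a proxy configured, the two settings differ and the import command in step 2 has not been run on that controller; if the probe reports a 407, the proxy must be configured to allow unauthenticated or direct connections from the domain controllers, as the note above states.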

Network error connecting to Google

This error indicates Password Sync couldn't verify your authorization. Check your proxy settings and make sure your network allows connections to the URLs required by Password Sync.

Existing servers display authorization errors after installing new servers

When you are using 3-legged OAuth to authenticate your Google domain, there’s a token limit per user account per client. If the limit is reached, creating a token automatically invalidates the oldest token without warning. For details, go to Refresh token expiration.

To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, go to Choose your authentication method.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
