If you're experiencing issues with setting up Password Sync, review these solutions to common issues.
Before you begin
Before you begin troubleshooting, make sure you meet all the system requirements and have fully completed the setup steps. For details, go to Set up Password Sync.
Troubleshooting options
Option 1: Automatic troubleshooting
Use the Password Sync Support Tool (an open-source tool by Google) to gather Password Sync logs and troubleshooting information from all domain controllers.
- Click the link to download the Password Sync Support Tool.
- Run the tool, then locate and open the ZIP file on the desktop of your computer.
- Extract the trace logs and submit them to the Google Admin Toolbox Log Analyzer.
Most issues can be identified within a few moments of submission.
Google Workspace support does not offer support for the Password Sync Support Tool.
Option 2: Manual troubleshooting
If the automatic troubleshooting step doesn't resolve your problem, or if you couldn't run the Password Sync Support Tool, you can manually collect the troubleshooting information. Some steps in this task require that you run console commands.
Step 1: List your domain controllers
- Make sure you're a member of the Domain Admins group.
For details, go to Password Sync installer was unsuccessful (later on this page).
- In the Start menu, click Windows SystemCommand Prompt.
Depending on your system, you might need to right-click Command Prompt and click MoreRun as administrator.
- To list your domain controllers, enter the following command:
nltest /dclist:your-ad-domain
Replace your-ad-domain with the name of your Active Directory domain.
Step 2: Verify the following on each domain controller
- Make sure the correct version of Password Sync (32-bit or 64-bit) is installed on the server and that you have restarted the server after installing Password Sync.
- Make sure your network and proxy settings are set up correctly.
For details, go to Configure proxy settings for Password Sync (later on this page).
- Using Microsoft Internet Explorer, the Chromium-based version of Microsoft Edge, or a Google Chrome browser, check you can access https://www.googleapis.com/.
It's OK if this page shows a Google error or Not Found. Make sure the page doesn't show a certificate error or any requests for proxy authentication. Authenticated proxy servers are not supported.
- To copy your current user's proxy settings to the system-wide proxy settings, enter the following command:
netsh winhttp import proxy ie
- If you aren't using a proxy server, but are encountering proxy-related issues, to troubleshoot, enter the following command:
bitsadmin /util /setieproxy networkservice no_proxy
- To check that the Password Sync DLL is registered on the machine, enter the following command:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"
The output should include the text password_sync_dll. If it doesn't, reinstall Password Sync.
- To verify that the Password Sync DLL is loaded, enter the following command:
tasklist /m password_sync_dll.dll
The process lsass.exe should be listed in the results. If it isn't listed, the DLL isn't loaded. Verify that the DLL is registered and the edition (32-bit or 64-bit) matches the system. Then, restart your computer so that the DLL loads.
Step 3: Check that Password Sync has started
To check that the Password Sync service has started, enter the sc query "Password Sync"
command (replace
with Password Sync
G Suite Password Sync
if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync
for version 1.6 or earlier).
If the query output says:
- STATE: RUNNING—Password Sync is running
- STATE: STOPPED—Password Sync isn't running
- The specified service does not exist as an installed service—Password Sync isn't installed.
If Password Sync isn’t running, enter the sc start "Password Sync"
command (replace
with Password Sync
G Suite Password Sync
if you’re running versions 1.6.13–1.7.6 or Google Apps Password Sync
for version 1.6 or earlier).
If Password Sync isn’t installed, complete the steps in Configure Password Sync.
Common Password Sync issues
If you continue to experience issues, check these solutions.
Expand section | Collapse all & go to top
Verify that the sync worked correctlyYou can use the security investigation tool:
- In your Google Admin console, run a search for Admin log events.
For details, go to Admin log events.
- Add a filter to search for Password Change events.
- Run the search and examine the results. Note that the name of the actor attached to the event depends on how you set up Password Sync. If you used the following:
- UI interface—The actor displays as the administrator's email address that you entered.
- Command line—The actor displays as the email address used for the parameter with the command, --admin_email.
If Password Sync is not syncing all users, follow the steps in Some user passwords aren't syncing.
To install Password Sync, you must be a member of the Domain Admins group in Active Directory. Being a member of the Administrators group does not provide sufficient authorization.
You must sign in to Windows as a domain administrator in the same domain as the domain controller you’re setting up. If you sign in as a domain administrator from a different domain (such as an Enterprise Admin from another domain, or an administrator from a trusted domain) you won't be authorized to install or configure Password Sync.
Check that your setup:
- Is running the installer locally (not over a network)
- Has the right version of Password Sync for your server's architecture (32-bit or 64-bit)
Make sure you have granted app access control to Google Workspace services. For details, go to Control which third-party & internal apps access Google Workspace data.
Password Sync supports proxy connections if you set up system-wide proxy settings on all of your domain controllers:
- Make sure that the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com/ in Internet Explorer, the Chromium-based version of Edge, or the Chrome browser.
If you're redirected to a google.com page or a page saying "Not Found," your proxy settings are probably correct. If there’s an authentication prompt or certificate error, your proxy settings might not be correct.
- To import the proxy configuration, enter the following command:
netsh winhttp import proxy ie
- (Optional) If you aren't using a proxy server, but are still encountering proxy-related issues, enter the following command:
bitsadmin /util /setieproxy networkservice no_proxy
This command sets Windows to ignore any autodiscovered proxy configuration that might be present in the system.
Note:
- Password Sync supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your domain controllers to the URLs and ports specified in Set up your domain controllers.
- Although Password Sync supports proxy connections, you might need to turn on a direct connection to make sure the proxy server doesn't cause issues. Since a proxy configuration depends on your local setup, Google Workspace Support cannot assist you with configuration issues. If you encounter any proxy issues, contact your network administrator.
This error indicates Password Sync couldn't verify your authorization. Check your proxy settings and make sure your network allows connections to the URLs required by Password Sync.
When you are using 3-legged OAuth to authenticate your Google domain, there’s a token limit per user account per client. If the limit is reached, creating a token automatically invalidates the oldest token without warning. For details, go to Refresh token expiration.
To avoid token limits, you should use a service account, rather than 3-legged OAuth. For details, go to Choose your authentication method.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.