GSPS system requirements
Microsoft Active Directory 2008, 2012, or 2016 (AD DS, not AD LDS).
Note: GSPS currently doesn't support Additional LSA Protection with Secure Boot.
Set up your domain controllers
- GSPS must be installed on all domain controllers.
- Domain controllers need an internet connection to connect to the following sites/ports:
Purpose URL Port number Authentication https://accounts.google.com
https://www.googleapis.com443 API access https://www.googleapis.com 443 Certificate Revocation Lists / Online Certificate Status Protocol http://crl.geotrust.com/crls/secureca.crl
http://g.symcb.com/crls/gtglobal.crl
http://pki.google.com/GIAG2.crl
http://g.symcd.com
http://clients1.google.com/ocsp
http://ocsp.pki.goog/gsr280 Note: The certificate authority URLs can change at any point. For the most recent list of CRL/OCSP URLs, review the certificate information of the above API and Authentication hosts.
Download GSPS
Download the correct MSI for your server's architecture:
- 32-bit installer
- 64-bit installer
Restart the server
Always restart the server after installing or upgrading GSPS.
Configure G Suite Password Sync
Before you begin
Make sure:
- You're an administrator for your organization. Only administrators can complete the steps to set up GSPS.
- You're a domain administrator for your Active Directory domain.
Configure GSPS
- From the Start menu, open G Suite Password Sync.
- Click Next.
- Specify your primary Google domain and your Admin Email Address. This is the email address of the administrator that GSPS will use to perform the password updates. The administrator's address also appears in the audit logs in the Admin console.
Important: Make sure that this administrator has signed into the Google Admin console and accepted the terms of service before you continue.
- Configure your authentication method, Select 3-legged OAuth
- Click Authorize Now
- When prompted, sign in to your Google Account using the email address enetered earlier. Click Continue
- If prompted, provide your administrator username and password and click Sign in
- Click Allow
You should see "Authorization has been granted successfully. Please switch to your application. - Close browser and return to GSPS. The Status value should change to Authorized
Note: If the GSPS screen doesn't display Authorized, authorization has failed and you should refer to the error message at the bottom of the GSPS configuration screen. Authorization can fail for a number of reasons, typically:- The user isn't a super administrator for your Google domain.
- The time and time zone on your server aren't set correctly.
- Click Next
- Select the authorization access method for GSPS to use to query Active Directory. The options available are described below.
Authorization access method Description Application’s Security Context This is the default and recommended setting.The GSPS service runs in the security context of the NetworkService account, not a user account.
This is the only option supported on Server Core domain controllers or when you configure GSPS from the command line.
User Credentials The authorized user that GSPS acts on behalf of. The user doesn't have to be a domain administrator. But, it can be a role account with the following permissions: List Contents, Read All Properties, and Read Permissions applied to "This object and all child objects."
This user will only be used to get the email addresses of users from Active Directory. Therefore, it must have access to read the mail attribute for all the users whose passwords you want to sync.
Anonymous GSPS uses Active Directory Services Interfaces (ADSI) for authentication purposes. Anonymous access isn't recommended as it is not supported by most Active Directory configurations.
- If you selected User Credentials as your authorization access method, complete the Authorized User and Password fields.
- Enter the Base distinguished name (DN). When you configure GSPS for the first time, your Active Directory domain's default base DN is detected and added here. You can edit it, if required.
- Enter the Mail Attribute. This is your Active Directory domain's mail attribute that contains each user's Google email address. In most cases, this attribute is “mail.” The values stored here must exactly match the Google email address, including the domain part of the address.
- Click Next. The application tests the connection settings you provided and alerts you if there are any errors. Review for any error messages. The Summary screen should show the configuration is saved and the service is running.
- Click Finish.
- Repeat this section for each of the domain controllers in your domain
GSPS is now installed and running. Any password changes made to a user's Active Directory account are automatically updated for your Google users as well. However, GSPS doesn't sync your existing Active Directory passwords to Google–it only syncs password changes.
Be sure to instruct your users to change their Active Directory password (as described in step 8) to sync the password their to Google Account.
Kontrollerad 2023-10-27
Var artikeln till hjälp?
Toppen!
Tack för din feedback
Vi beklagar att det inte var till hjälp
Tack för din feedback
Feddback skickat
Vi uppskattar din feedback och uppdaterar artikeln vid behov