Password Sync error codes & messages

You might encounter the following error codes and messages when using Password Sync. Use the table below to troubleshoot errors.

Errors & solutions

Error code or message Explanation & troubleshooting
0x00005012 S_ADS_NOMORE_ROWS

The search operation has reached the last row

Password Sync contacted the Active Directory server and succeeded with a search. However, no results were returned that matched the query.

Here are possible causes:

  • Supplied email attribute name is incorrect
  • No users with that attribute
  • (If using User Credentials to query Active Directory) User account doesn't have access to the read attribute
0x80005008

One or more input parameters are invalid

This error can occur when the user whose password is being synced isn't included in the base DN you provided.

Try using a broader top-level base DN rather than specifying an organizational unit. For example, if you used OU=Sales,DC=altostrat,DC=corp as your base DN, try DC=altostrat,DC=corp instead.

0x80005010

The specified column in the directory was not set

Password Sync is unable to find the user's email address in Active Directory using the attribute specified during Password Sync installation (usually mail).

Confirm the user has a valid email address and you aren't using a computer account (LocalSystem account). If yes, it's possible that the user that Password Sync is using to query Active Directory (authorized user) doesn't have access to this attribute for the user. Try providing a different Active Directory user in the Password Sync configuration interface.

0x80041007

At least one user isn't an existing Google user or Password Sync can't access the user.

Find the affected user in the logs. You can search for Failed with 0x80041007. Then, verify in your Google Admin console that the user exists in your organization's Google Account.

0x8004100f

The time is incorrect on the domain controller (DC) running Password Sync.

Make sure the date, time, and time zone are correct. Then, try authorizing again.

0x80041011

The service account isn't authorized in your Google Admin console.

Create a Password Sync service account or authorize Password Sync using 3-legged OAuth.

For details, go to:

0x80041012

The service account isn't correctly authorized in your Google Admin console.

Verify that you used the correct API scope or authorize Password Sync using 3-legged OAuth.

For details, go to:

0x80041013

The JSON file provided is invalid.

Make sure you configured your service account correctly or authorize Password Sync using 3-legged OAuth.

For details, go to:

0x80070005

Access denied

If you see this error in the service logs as "SyncConfig::GetDataDirectory [...] Failed with 0x80070005," it's probably related to a change in the service "Log on as" setting. To fix this:

  1. Open a command prompt as an administrator.
  2. To update the service, enter the following command (without line breaks):

    sc config "Password Sync" obj= "NT AUTHORITY\NetworkService"

    If you're using Password Sync versions 1.6.13–1.7.6, replace Password Sync with G Suite Password Sync.

    If you're using version 1.6 or earlier, replace Password Sync with Google Apps Password Sync.

If this error appears in the configuration interface logs, make sure:

  1. You're signed in as a domain administrator, not just an administrator.
  2. The user is a member of the same domain as the domain controller, not from another domain (for example, not an Enterprise administrator from a different domain).
0x80070057

The parameter is incorrect

This error can have different meanings in different contexts. 

If you get this error on the same line with TryDecryptAndGetSecret in the Password Sync service logs, you might have turned on Windows application compatibility settings for Password Sync. Turn it off and try again.

0x8007052e

Logon failure: unknown user name or bad password

If you set up Password Sync to use Anonymous access to connect to Active Directory, this error indicates Password Sync isn't turned on. To fix the error, in the Password Sync configuration, enter an Active Directory user and password.

If you already entered a username and password, make sure they’re correct and in the domain\administrator format. If that doesn’t work, try the [email protected] format.

0x8007065e

This issue can occur if the network timeout registry entries have been created using the wrong registry data type (for example, REG_SZ instead of REG_DWORD).

Use the Registry Editor (regedit) to make sure all entries under the following paths are REG_DWORD and not any other type:

  • HKEY_LOCAL_MACHINE\Software\Google\Google Apps Password Sync\Other
  • HKEY_CURRENT_USER\Software\Google\Google Apps Password Sync\Other
0x8007200a

The specified directory service attribute or value does not exist

This error usually means the user Password Sync uses to query Active Directory (authorized user) doesn't have access to the attribute.

Provide a different Active Directory user in the Password Sync configuration interface.

0x8007202b

A referral was returned from the server

0x80072030

There is no such object on the server

These errors usually mean the base DN is incorrect. If you collected logs using the Password Sync support tool, compare the base DN in the config.xml file to the admin's DN in the PasswordSyncSupportTool.log file. Check if there are any differences in the DC= sections.

For details on the Password Sync support tool, go to Automatic troubleshooting.

0x8007203e

The search filter cannot be recognized

Password Sync contacted the Active Directory server, but a search was unsuccessful.

This error can occur if the email address attribute contains invalid characters.

0x80072ee0 There was an issue with authorization for your organization’s Google Account, usually due to an incorrect network or proxy configuration. To resolve it, go to I need help configuring proxy settings.

If this doesn't resolve the issue, try reauthorizing Password Sync in the configuration interface. If you have multiple domain controllers and you're using 3-legged OAuth for authentication, don't use the same super administrator account to authorize more than 10 DCs.

For details about Password Sync authentication, go to Choose your authentication method.

0x80072ee2 Password Sync's connection to Google is timing out. This error usually means there is a block to the connection. To troubleshoot:
  1. Allow network access.

    For details, go to Step 2: Set up your domain controllers.

  2. Confirm that a proxy server isn't blocking access.
Error 400: invalid_request: The version of the app you're using doesn't include the latest security features to keep you protected. Please make sure to download from a trusted source and update to the latest, most secure version Make sure you're using the latest version of Password Sync. For details, go to Upgrade Password Sync.
HTTP/1.1 403

You are not authorized to access this API

Two issues can trigger this error.

The domain controller isn't properly authorized with your organization’s Google Account. To resolve the issue:

  • Run the Password Sync configuration interface again and reauthorize it with your account.

The source account email address cannot be found in Google Workspace. To resolve the issue:

  • Check if the Active Directory user’s email exists in Google Workspace.
  • If the Active Directory domain is different from the Google Workspace account, update the Mail Attribute. Don't use the default "mail". The values in the attribute must exactly match the Google email address, including the domain part of the address.
RetrieveTargetEmail ... Failed with 0x80072020

An operations error occurred

Password Sync failed to open a search in Active Directory. The error appears when trying to use Anonymous access, but the Active Directory server doesn't allow it.

Try using the recommended application’s security context option instead. For details, go to Authorization access methods.

WinHttpSendRequest failed with 0x80004005 The proxy server requires authentication. Make sure all the required URLs are in the authentication bypass list of your proxy server. For details, go to Set up a Google Workspace host name allowlist.

Get help with other error codes

For other Microsoft Active Directory or LDAP-related error codes, consult the Generic ADSI Error Codes table in your Microsoft documentation.

Related topic

Use logs to troubleshoot


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
3392946775588301640
true
Search Help Center
true
true
true
true
true
73010
false
false