Some user passwords aren't syncing

If Password Sync doesn't synchronize some passwords, follow these steps to troubleshoot.

Step 1: Ensure that Password Sync is installed correctly

Check that you successfully installed Password Sync on all of your domain's writable Microsoft Active Directory (AD) servers (domain controllers):

  1. Check which domain controllers have Password Sync installed using the Password Sync Support Tool. Follow the steps in Option 1: Automatic troubleshooting.
  2. To find the list of writable domain controllers, open a command prompt and enter the following command:

    findstr /S /C:"A:Creating" PasswordSyncSupportTool.log

    If you're not sure which domain controllers are writable, install Password Sync on all your domain controllers. Doing so won't cause any issues.

  3. Review the resulting report and check that each domain controller's folder has a service_*.txt file that shows that the service is running.

    In the folder, you can expect 2 of the files to show the service is unavailable and one file to confirm it's running.

  4. Try changing a password and verify that the tool syncs as expected. If the issue persists, go to the next step.

Step 2: Verify the user's privileges

Users can't change passwords for users with higher privileges. For example, a regular admin can't update passwords for a super admin. For details about roles, go to Assign specific admin roles.

  1. For the user that is experiencing the issue, verify that the Google Account admin privileges don't exceed the privileges of the admin that set up Password Sync.
  2. Try changing a password and verify that the tool syncs as expected. If the issue persists, go to the next step.

Step 3: Check email addresses

  1. In Password Sync, check that you added your users' email addresses in the designated Mail Attribute field. The addresses must exactly match the Google primary email addresses, including the domain part of the address. For details, go to Configure Active Directory settings.
  2. Try changing a password and verify that the tool syncs as expected. If the issue persists, go to the next step.

Step 4: Verify the password is valid

If a password doesn't sync because it contains unsupported characters, you get the following warning in the Windows Application event log:

The new password contains unsupported characters. The password can not be updated on the Google Account, and will be out of sync with AD.

  1. Find the password and change it to meet the guidelines. For details, go to Name guidelines for users and groups.
  2. Verify that the tool syncs as expected. If the issue persists, go to I still need help (next section on this page).

I still need help

If you can’t resolve the issue using the previous steps, try these steps.

Expand section  |  Collapse all & go to top

Step 1: Identify an example
  1. Locate an instance of a password change in AD that was not synced to Google.
  2. Make sure the user has not altered their AD password since the first change. 
  3. Take note of the exact time the password was changed in AD, the username, and the user's email address.
Step 2: Verify the password change

Verify that the timestamp for the attribute matches the time when the user changed their password.

  1. Use AD admin tools, such as ADSIEdit or LDIFDE, to find and copy the pwdLastSet attribute for the user. The attribute's value is the number of 100 nanosecond intervals since January 1, 1601 (UTC). For details about the attribute, go to Pwd-Last-Set attribute.
  2. Go to Google Admin Toolbox Encode/Decode.
  3. Select pwdLastSet/FILETIME Decode.
  4. For Paste the text to encode/decode below, paste the numeric attribute from AD and click Submit.

    The toolbox displays the decoded time value in your local time zone and UTC.

  5. If the timestamp doesn't match the time when the user's password was changed, AD didn't process the password update. Resolve the password issues in AD and try again.
Step 3: Verify the issue
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reportingand thenAudit and investigationand thenAdmin log events.
  3. Search for password change events for the user to confirm whether there was a password change within 1–2 minutes of the timestamp in the pwdLastSet attribute. Remember to take time zone differences into account. For details about log events, go to Admin log events.
  4. If you verify a password change event in the log events at the correct time, check the following points:
    1. Check that the admin who changed the password matches the admin who authorized Password Sync in the logs. If the admin is the same, Password Sync is working as expected.
    2. Check whether other sources changed the Google user's password after it was synced (causing the password to go out of sync with AD). Resolve the issue before trying again.
Step 4: Create a Password Sync Support Tool report

To create the report, you need to collect Password Sync logs and details from all writable domain controllers into a single folder. To do so, complete the steps in Option 1: Automatic troubleshooting

Step 5: Locate the domain controller responsible for the password change
  1. Open a command prompt and use the cd command to navigate to the directory where you created the report in the previous step.

    Example: cd C:\Users\yourname\Desktop\PasswordSyncSupportTool_20240717_142555

  2. To search for the username in AD, use the findstr command.

    For examples, go to Examples: Using the finstr command (later on this page).

  3. If you find multiple log files with the username, select the file where the log timestamp matches the time in the pwdLastSet attribute. Remember to take the time zone differences into account.
  4. In the log, check the lines that mention the username to find an associated error message or code.

    For additional help with errors, go to Password Sync error codes & messages.

  5. If you don't find the username, make sure you installed Password Sync on all writable domain controllers. For details go to Ensure that Password Sync is installed correctly (earlier on this page).

  6. If you're still experiencing issues, contact Google Workspace support. Provide the following information:
    • Password Sync Support Tool report zip file
    • Email address of the user and the time when their password changed
    • An LDAP Data Interchange Format (LDIF) dump of the user

    For details on how to get in touch with support, go to Contact Google Workspace support.

Examples: Using the findstr command

Example 1: The following command searches for log files in the current directory and its subdirectories that contain the username (case doesn't matter). In the command prompt window, you can review the file name of the matching log files.

findstr /S /I /M /C:"username" *.log

Example 2: The following command searches for log files in the current directory and its subdirectories that contain the username (case doesn't matter). In the command prompt window, you can review the file name of the matching log files and the line number that contains the username.

findstr /S /I /N /C:"username" *.log


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
16397723056175646901
true
Search Help Center
true
true
true
true
true
73010
false
false