Password Sync can be used to update your users' Google Workspace and Cloud Identity passwords directly from Microsoft Active Directory.
Password Sync is available to Google Workspace and Cloud Identity administrators.
How it works
After Password Sync is installed and configured, it sends updated passwords to your Google Account each time an Active Directory user changes their password.
- When a user's password is changed, the update request is sent to a domain controller (DC).
- The Password Sync Dynamic Link Library (DLL) is called by Microsoft Windows on that DC with the new password and username.
- The service receives the hashed password and the username from the DLL.
- The service gets the email address for the user from Active Directory using LDAP.
- The service updates your Google Account using the Directory API. Additionally, for Google Workspace APIs to work correctly you need to open several ports and add some host names to your allowlist. Learn more
- The user can then sign in to their Google Account using their Active Directory password.
Technical details
- In Active Directory, passwords are stored as write-only. They can't be read through any interface, such as LDAP. Therefore, conventional synchronization methods (for example, Google Cloud Directory Sync) can't access them. The only way to read passwords is to capture them when they’re set or changed.
- Password Sync has a DLL named "password_sync_dll.dll" installed as an LSA Notification Package. For more information on LSA Notification Packages, consult this Microsoft article.
- When a password change occurs on a specific DC, the DLL receives the updated password and the username of the user. Password Sync must be installed on every writable DC because Windows on the DC that receives the password change triggers the password sync. The trigger occurs on every password update, whether it's done by an administrator or by the end user. For more information about the PasswordChangeNotify callback function, consult this Microsoft article.
- When the DLL receives the username and password, it hashes the password as salted SHA512, and sends it to the Password Sync service.
- The Password Sync service ("password_sync_service.exe") then finds the user's email address in Active Directory using LDAP based on the username sent by the DLL. It then updates the Google Account using the Directory API. When passwords are changed through the Directory API, some application OAuth tokens are revoked. Users might be required to sign in again to applications with their username and password.
- Password Sync follows Microsoft's password filter programming considerations. For details, consult this Microsoft article.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.