How to exclude some users from Password Sync

You might want to prevent certain users' Google Workspace and Cloud Identity passwords from being synchronized to your Google domain. This article explains how to exclude users from Password Sync.

Password Sync is available to Google Workspace and Cloud Identity administrators.

Important

In most cases, there's no need to exclude users from Password Sync. Doing so requires advanced expertise in setting up Active Directory permissions. Google Cloud support might not be able to assist with this setup. If you encounter any password sync issues, revert to a standard configuration to make sure the issue isn't with your Active Directory permissions.

Exclude users from a sync

This method is based on the way Password Sync retrieves users' email addresses to update the Google domain. If Password Sync can't retrieve the email address, it can't update the password in Google. To exclude users from the sync, create a service user for Password Sync that won't have access to the excluded users' email addresses.

  1. Open Active Directory Users and Computers (ADUC).
  2. Navigate to any organizational unit you use for administrative users, and create an Active Directory user for Password Sync to use. We'll refer to it as the Password Sync user.
  3. Make sure that Advanced Features is turned on under the View menu.
  4. Select any users or organizational units you wish to exclude, and right-click them.
  5. Click Properties.
  6. Click the Security tab.
  7. Click the Add button.
  8. Enter the name of the Password Sync user you created in step 2 and click OK.
  9. A new entry is added for the Password Sync user. Check the Deny / Read box.
  10. Click OK.
  11. From the Start menu, run Password Sync. 
  12. In the Active Directory step of the Password Sync configuration, enter the username and password of the Password Sync user.
  13. Complete the configuration as usual.

Once Password Sync is running with this configuration, it will not sync the passwords for any users it doesn't have access to. The Password Sync service logs show errors when trying to find these users' email addresses. This indicates the exclusion is working as expected.

Undo the exclusion

To undo the exclusion, simply remove any Deny entries you've created for the Password Sync user. To make sure you've removed every entry, you can create another Password Sync user in Active Directory. Then, set Password Sync to use it in the Active Directory step of the Password Sync configuration.

Related topic

Configure Password Sync


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1115255484466013095
true
Search Help Center
true
true
true
true
true
73010
false
false