Instead of using the configuration wizard, you can install and configure Password Sync from the command line.
When can I use the command line?
You can install and configure Password Sync from the command line when using:
- Password Sync version 1.6 or later.
- A service account for Google authentication. For details, visit Choose your authentication method.
- The Password Sync application's security context to query Microsoft Active Directory.
For other configuration options, go to Configure Password Sync.
Before you begin
Make sure that you:
- Meet all system requirements.
- Complete steps 1-3 of Set up Password Sync.
Install & configure from the command line
Important: You need to install Password Sync on each of your Active Directory servers (domain controllers).
- Download the correct MSI for your server's architecture:
- Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
- Copy the Password Sync software and your service account JSON file to your domain controller.
- From the command prompt on your domain controller, begin building the installation command.
Start with the following command and append the arguments and parameters specified in the table below. Enter the arguments with all uppercase letters and enclose the parameters in quotation marks.
msiexec /i passwordsync_[32|64]bit.msi /l*vx msi_log.txt /quietNote: The final version should be a single command without line breaks.
Argument Parameter ADMIN_EMAIL The email address of your Google administrator.
Example: ADMIN_EMAIL="[email protected]"
BASE_DN (Optional) Your Active Directory domain's base distinguished name (DN).
When this parameter is omitted, Password Sync attempts to autodetect the base DN.
Example: BASE_DN="OU=users,DC=mydomain,DC=com".
CREDENTIALS_FILE The full path to your service account JSON file.
Note: The JSON file has a key that allows access to your Google domain. After authentication, remove the file from the system.
Example: CREDENTIALS_FILE="c:\users\administrator\downloads\service_account.json"
MAIL_ATTRIBUTE (Optional) The Active Directory attribute that has each user's Google email address.
When this parameter is omitted, Password Sync uses the default "mail" attribute.
Example: MAIL_ATTRIBUTE="mail"
In this example, the administrator's address is [email protected]. The Active Directory base DN is OU=users,DC=mydomain,DC=com. The service account's JSON file is located on the domain controller at c:\users\administrator\downloads\service_account.json. Each username is stored in Active Directory's mail attribute.
Note: This example command is a continual single line. Any line breaks visible here are for page formatting only.
msiexec /i passwordsync_64bit.msi /l*vx msi_log.txt /quiet ADMIN_EMAIL="[email protected]" BASE_DN="OU=users,DC=mydomain,DC=com" CREDENTIALS_FILE="c:\users\administrator\downloads\service_account.json" MAIL_ATTRIBUTE="mail"
Next steps
After the command successfully runs, the domain controller automatically restarts.
- Repeat the installation process until Password Sync is installed on all of your domain's writeable domain controllers.
- Tell your users to change their Active Directory passwords so they'll be synced.
- Restart the server.
If you need help with the installation, go to Troubleshoot Password Sync.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
