Change a Password Sync configuration from the command line

Instead of using the configuration wizard, you can change the Password Sync configuration from the command line.

When can I change a Password Sync configuration from the command line?

You can change a Password Sync configuration from the command line when using:

  • Password Sync version 1.6 or later.
  • A service account for Google authentication. Learn more
  • The Password Sync application's security context to query Microsoft Active Directory.

For other configuration options, go to Configure Password Sync.

Change a Password Sync configuration from the command line

  1. Sign in to the domain controller as a domain administrator. The account must be from the domain controller’s domain.
  2. From a command prompt, navigate to the Password Sync program folder. The default location is C:\Program Files\Google\Password Sync.

    For example: cd C:\Program Files\Google\Password Sync

  3. Review the settings table below.
  4. From the command prompt on your domain controller, begin building the command.

    Start with the following command and append the arguments and parameters that you want to update. Precede each argument with 2 dashes and all lowercase letters. Enclose the parameters in quotation marks.

    PasswordSync.exe

    Note: The final version should be a single command without line breaks.

    Argument Parameter

    --admin_email

    The email address of your Google administrator.

    Example: --admin_email="[email protected]"

    --base_dn

    (Optional) Your Active Directory domain's base distinguished name (DN).

    When this parameter is omitted, Password Sync attempts to autodetect the base DN.

    Example: --base_dn="OU=users,DC=mydomain,DC=com"

    --credentials_file

    The full path to your service account JSON file.

    Note: The JSON file has a key that allows access to your Google domain. After authentication, remove the file from the system.

    Example:
    --credentials_file="c:\users\administrator\downloads\service_account.json"

    --mail_attribute

    (Optional) The Active Directory attribute that has each user's Google email address.

    When this parameter is omitted, Password Sync uses the default "mail" attribute.

    Example: --mail_attribute="mail"

    --nouse_gui

    Runs the utility from the command line, without a GUI.

    No parameter required.

    --norestart_service

    (Optional)

    When specified, Password Sync skips the service restart after saving the configuration.

    No parameter required.

    --nowait_at_exit

    (Optional)

    When specified, Password Sync closes the utility without waiting for the Enter key.

    No parameter required.

Password Sync configuration example

​In this example, the domain administrator's address is [email protected]. The Active Directory base DN is OU=users,DC=mydomain,DC=com. The service account's JSON file is located on the domain controller at c:\users\administrator\downloads\service_account.json. Each username is stored in Active Directory's mail attribute. Run this command without using the GUI.

Note: This example command is a continual single line. Any line breaks visible here are for page formatting only.

PasswordSync.exe --admin_email="[email protected]" --base_dn="OU=users,DC=mydomain,DC=com" --credentials_file="c:\users\administrator\downloads\service_account.json" --mail_attribute="mail" --nouse_gui


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
4259521094754125095
true
Search Help Center
true
true
true
true
true
73010
false
false