Hi there, I’m Shane. I’m a Google Apps deployment expert. But today I’m a guest blogger.
Google offers a tool for mirroring local passwords to Google Apps, called Google Apps Password Sync (GAPS). This handy tool works in a Microsoft Active Directory 2003, 2008, or 2012 environment, and gives you the capability to “push” password updates that happen in Active Directory (AD) to the matching Google Apps account. This eases the burden on users by giving them only one password to keep track of.
All versions of GAPS prior to 1.3 will stop working on April 20th, 2015.
The way GAPS connects to Google Apps changed with version 1.3. Earlier versions use the Google Apps Provisioning API, which has been deprecated.
What does this mean for you as a domain admin using GAPS? It means that you have to update your current GAPS installs to version 1.3 before April 20th, 2015 or your passwords will stop being pushed to Google Apps. Now, this doesn’t mean everyone will be locked out on the 20th. Since password updates from GAPS only happen when a user changes their password in AD, existing passwords keep working; it’s the future password changes users make that won’t be pushed to Google.
I’m here to help get your GAPS installs up to date. Notice I said “installs”. In a proper GAPS deployment, GAPS will be running on each and every domain controller. Yup, all of them. It’s that way to make sure that it can grab the password change a user makes, before it’s encrypted and written into AD.
The catch: installing or updating GAPS requires restarting the machine you’re installing it on in order to complete the process. So I recommend planning acceptable times to take down domain controllers in order to minimize user impact.
Here are the steps you’ll need to follow:
On a domain controller, start by checking your existing GAPS install. You’ll find the Google Apps Password Sync application under Start menu > Programs. Opening it will give you a page describing the setup process and showing which version you’re running. Remember that you only need to upgrade if you’re running something older than 1.3.
If you are running an older install than 1.3, you’ll need to start by downloading the new software. Head over to https://support.Google.com/a/answer/2611859 and download the version appropriate for your machine (x86 or x64).
Launch the downloaded installer, and start the installation. Once it completes the process, it will prompt you to restart the machine. You may want to schedule the reboot or be sure you’re doing this after hours.
Once the machine has rebooted, launch the new Google Apps Password Sync application to configure the application. Verify that the installed version is now 1.3 or greater, and hit next.
This will take you to the first of 3 steps. On this page, you need to perform your authorization with Google. You will need to use a user account with admin-level permissions. I highly recommend using a separate account for this, as all actions performed by the GAPS application will appear to be actions taken by this user. You may have already set up a user specifically for this purpose. Fill in your Google Apps primary domain and the Email ID of the admin account you wish to use, then click authorize.
You will be prompted to sign in with your Google account. Again, make sure this is the user you wish to be updating passwords. Check “Remember me” and continue.
You will be taken to a Google login page. You will be prompted to accept permissions for Apps Sync. Click “Accept”.
Once that’s complete, you’ll be directed back to the GAPS program, and you should now see a nice green “Authorized”. You can click “Next”.
You will need to fill in your AD credential information. You will need: the authorized user (administrator), the password, the base DN that GAPS should be looking for users in, and you’ll need to define the attribute in AD that contains the user’s full email address. By default, this attribute is “mail”.
Once you click next, you’ll see the status of the connection and the process running. If you’ve got green for both of these items, you’re ready to go. Click finish to save.
I recommend testing the connector before moving on. Open Active Directory Users and Computers (ADUC) on this domain controller, and change the password of a test user. It should only take a few seconds to sync to Google. Now try to log in as that user with the new password. If it was successful, you’ve confirmed that GAPS is running correctly. If not, start this process over again.
You have to repeat this process on each of your domain controllers. If you miss any domain controllers, it is possible for users to complete a domain password update without it being pushed to Google.
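One way to confirm that no domain controller was missed, as an added example that is not part of the original post or Google's tooling: the script lists every DC and reports the GAPS version found in its uninstall registry entries. It assumes the ActiveDirectory PowerShell module, WinRM remoting to each DC, and that the installer registers an uninstall entry whose DisplayName contains "Password Sync".

```powershell
# Audit every domain controller for a GAPS install older than the required version.
# Assumptions (not from the original post): WinRM remoting is enabled on the DCs,
# the ActiveDirectory module is available, and the GAPS installer registers an
# uninstall entry whose DisplayName contains "Password Sync".
Import-Module ActiveDirectory

$required = [version]'1.3'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    $found = $null
    try {
        # Look in both the native and the 32-bit-on-64-bit uninstall hives.
        $entry = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like '*Password Sync*' } |
                Select-Object -First 1 DisplayName, DisplayVersion
        }
        if (-not $entry) {
            # A DC without GAPS can accept a password change that never reaches Google.
            $status = 'NOT INSTALLED'
        } else {
            $found  = $entry.DisplayVersion
            $parsed = $null
            if ([version]::TryParse($found, [ref]$parsed)) {
                $status = if ($parsed -ge $required) { 'OK' } else { 'UPGRADE NEEDED' }
            } else {
                $status = 'VERSION UNREADABLE'
            }
        }
    } catch {
        # Remoting failed: check this DC by hand rather than assuming it is fine.
        $status = 'UNREACHABLE'
    }
    [pscustomobject]@{ DomainController = $dc; Version = $found; Status = $status }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Any row that is not `OK` is a domain controller where a password change could be accepted without being pushed to Google.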
If you have any questions or comments, leave them in the comments section below. Happy upgrading!