4

I'm in the process of implementing Google's GSuite Password Sync on a Windows Server 2016 AD system.

I've installed the Cloud Directory Sync software which successfully creates new users in GSuite when I run it. It doesn't seem to synchronise passwords at this step.

I've also installed the GSuite Password Sync utility which successfully changes the GSuite password whenever a user changes their AD password.

So far, so good, but...

If a user logs in to the system for the first time I can get AD to force a password change (this is what we want). This also changes the password on the newly created but unused GSuite account. User now logs in to their GSuite account with the newly changed AD password (this works too) but is immediately forced to change their GSuite password by Google, thus rendering the password synch irrelevant until they next change their AD password.

How can I stop Google forcing a password change on new accounts when GSPS and Cloud Sync are in use?

CatchAsCatchCan

2 Answers

0

The other answer is correct, but specifically because you said you're using GCDS (Google Cloud Directory Sync), you can prevent this from happening by unchecking the "Force new users to change password" box in Configuration Manager > User Accounts > Additional User Attributes.

Liron
  • said is correct. I had the same problem, didn't see the "Force new users to change password" checkbox...uncheck > save – Lionel GUYOT Apr 13 '21 at 15:22
0

I had the same problem. Are you using GAM to do some bulk operations on G Suite? GAM Wiki

We create the users with PowerShell on our own AD, then after the sync with GCDS we reset the passwords with PowerShell on AD. Then we run the command:

gam update user emailaddress changepassword off

After this command the user will be able to log in with the password you set in AD.

kenlukas
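The procedure in the answer above, applied to every recently created AD account in one pass, as an added example that is not part of the original post. It assumes `gam` is on the PATH and already authorised, that the AD `mail` attribute matches the G Suite primary address, and that a 7-day creation window is appropriate; the `-Days` parameter is hypothetical.

```powershell
# Added example (not from the original answers).
# Clears Google's "change password at next login" flag for AD users created
# in the last $Days days, using the gam command quoted in the answer.
# Assumptions: gam is on PATH and authorised; AD 'mail' equals the G Suite
# primary address; run with -WhatIf first to see which accounts are touched.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Days = 7   # hypothetical parameter: how far back to look
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$users = Get-ADUser -Filter { whenCreated -ge $since -and Enabled -eq $true } `
                    -Properties mail, whenCreated

$failed = @()
foreach ($u in $users) {
    # Accounts without a mail attribute cannot be mapped to a G Suite user.
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Write-Warning "Skipping $($u.SamAccountName): no mail attribute"
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.mail, 'Clear forced password change via gam')) {
        & gam update user $u.mail changepassword off
        # gam returns a non-zero exit code on failure (e.g. user not yet synced).
        if ($LASTEXITCODE -ne 0) { $failed += $u.mail }
    }
}

if ($failed.Count -gt 0) {
    Write-Warning ("gam failed for: " + ($failed -join ', '))
    exit 1
}
```

Run it after GCDS has created the accounts, since `gam` fails for users that do not yet exist on the Google side.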