Set up password recovery for users

As your organization's super administrator, you can let users and non-super administrators recover their account if they forget their password:

  • Option 1 : Let users reset passwords themselves through an automated system (you need to turn on non-admin password recoveryin your Admin console).
  • Option 2 : Ask users to contact an administrator to reset their password.

Option 1: Let users reset passwords themselves

This feature isn’t available if your organization uses single sign-on (SSO) or Password Sync. It also doesn’t work for users under the age of 18. For details, go to When user password recovery isn't available .

    You can let users who aren't super admins reset their own passwords without contacting an administrator by turning on password recovery in the Admin console.

    Expand all   |   Collapse all

    Turn on password recovery

    Before you begin: Users need a recovery phone number or email address where they can get recovery instructions:

    Users who haven't added recovery information are directed to contact an administrator.

    Before you begin:If needed, learn how to  apply the setting to a department or group .

    1. Sign in to your Google Admin console .

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu  Security Authentication Account recovery.
    3. (Optional) To apply the setting only to some users, at the side, select an organizational unit(often used for departments) or configuration  group(advanced). Show me how 

      Group settings override organizational units.  Learn more

    4. Click User account recovery.
    5. Click Allow users and non-super admins to recover their account. This setting won't apply if your organization uses single sign-on (SSO) with a third-party identity provider or Password Sync.
    6. Click Save.Or, you might click Overridefor an organizational unit  .

      To later restore the inherited value, click Inherit(or Unset for a group).

    Important:Immediately remove a user's recovery information either when they leave your organization or if their account might be hijacked (see below).

    Prevent unauthorized access to a user's account

    When non-admin password recovery is turned on, you should take precautionary action if you believe a user account may be vulnerable or compromised. For example:

    • The user is terminated or leaves your organization.
    • You suspect the account has been hijacked, and the user's recovery information has been changed.

    In these cases, removing the user's recovery information is not enough to protect the account, since the information can still be used for recovery for a period of time after being removed. You should either change the user's password and disable non-admin password recovery, or  suspend the user account to prevent all access.

    When user password recovery isn't available
    • Google Workspace for Education users under the age of 18—Younger Google Workspace for Education users aren’t permitted to add a recovery phone number or email to their account. They can't reset a forgotten password on their own.

      Note:Users of any age with primary or secondary education accounts can't supply a recovery phone number or email. The option to add a phone number or email is not available for these types of accounts.

      Only users with Higher Education accounts, administrators, and teachers using Google Workspace for Education can supply a recovery phone number or email.

    • Organizations using SSO or GSPS—If your organization uses  single sign-on (SSO) , you won't have the  enable non-admin user password recoveryoption in your Admin console.

      If your organization uses  Password Sync for Active Directory (GSPS) and you prevented users from  changing their Google passwords , users are redirected to Active Directory to reset their passwords. This keeps their Active Directory passwords in sync with Google Workspace.

    Option 2: Ask users to contact an administrator

    If a user clicks Forgot password?on the sign-in page, and you haven't turned on password recovery, they get a message to contact their administrator. Make sure you've provided a way for users to contact an administrator if they can't sign in to their account.

    See also Reset a user's password .

    Was this helpful?

    How can we improve it?
    Search
    Clear search
    Close search
    Google apps
    Main menu
    4819257897337403857
    true
    Search Help Center
    true
    true
    true
    true
    true
    73010
    false
    false
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: