SecurityExamples
- OAuth Tokens
- Application Specific Passwords
- Two Step Verification Status
- Two Step Verification Backup Codes
- Disabling 2SV for a user
- Signing a user out
- Deprovisioning A User
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users show tokens
```
Prints all OAuth tokens that the given users have granted access to their Google Account. OAuth tokens allow third party websites and applications to access a user's Google data.
This example shows that the admin has granted GAM access to act on the admin's behalf.
```
gam user admin@acme.com show tokens
Tokens for admin@acme.com:
Client ID: 380063494358.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.device.chromeos
https://www.googleapis.com/auth/admin.directory.user
https://apps-apis.google.com/a/feeds/compliance/audit/
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.device.mobile
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/apps.licensing
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/admin.directory.orgunit
https://apps-apis.google.com/a/feeds/domain/
https://www.googleapis.com/auth/userinfo.email
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/apps/reporting/audit.readonly
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/admin.directory.group
https://apps-apis.google.com/a/feeds/calendar/resource/
displayText: GAM
userKey: 105809295792492927768
```
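A `show tokens` listing across all users is long, and what an admin usually wants from it is the short list of third-party clients that hold sensitive scopes. The script below is an added example, not part of the GAM wiki or of GAM itself: it parses output in the layout shown above (the `Tokens for` / `Client ID:` / `scopes:` / `displayText:` lines) and prints one line per token whose scopes match a sensitive-scope pattern. The `SENSITIVE_SCOPES` pattern, the sample output, and the client IDs and names in it are constructed for the example (only the Outlook sync client ID is the one quoted on this page).

```shell
# Added example (not part of the GAM wiki): audit "show tokens" output for
# third-party grants that carry sensitive scopes. Assumes the output layout
# shown on this page (Tokens for / Client ID / scopes / displayText lines).

# Scope substrings treated as sensitive. This list is an assumption;
# adjust it to your own policy.
SENSITIVE_SCOPES='admin.directory|/auth/drive|/auth/gmail|admin.reports'

# Constructed sample of "gam all users show tokens" output for two users.
# Client IDs, scopes and names are made up except for the Outlook sync
# client ID quoted on this page.
SAMPLE_TOKENS='Tokens for jon@acme.com:
Client ID: 1095133494869.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/calendar
displayText: Google Apps Sync for Microsoft Outlook
userKey: 111111111111111111111
Client ID: 999999999999.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/admin.directory.user
displayText: Constructed Third-Party App
userKey: 111111111111111111111
Tokens for mike@acme.com:
Client ID: 1095133494869.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/userinfo.email
displayText: Google Apps Sync for Microsoft Outlook
userKey: 222222222222222222222'

# flag_sensitive_tokens: read show-tokens output on stdin and print one
# tab-separated line "user<TAB>client id<TAB>displayText" for every token
# that has at least one scope matching SENSITIVE_SCOPES.
flag_sensitive_tokens() {
    awk -v pat="$SENSITIVE_SCOPES" '
        function flush() {
            if (client != "" && hit) print user "\t" client "\t" name
            client = ""; name = ""; hit = 0
        }
        { sub(/^[ \t]+/, "") }                 # tolerate indented output
        /^Tokens for / { flush(); user = $3; sub(/:$/, "", user); next }
        /^Client ID: / { flush(); client = $3; next }
        /^displayText: / { name = substr($0, 14); next }
        /^https?:\/\// { if ($0 ~ pat) hit = 1; next }
        END { flush() }
    '
}

# count_flagged_tokens: same input, prints just the number of flagged tokens.
count_flagged_tokens() {
    flag_sensitive_tokens | awk 'END { print NR }'
}

# Run against the constructed sample; in practice pipe real output in:
#   gam all users show tokens | flag_sensitive_tokens
printf '%s\n' "$SAMPLE_TOKENS" | flag_sensitive_tokens
```

The flagged client IDs are exactly the ones worth reviewing with `show token clientid` and, if unwanted, revoking with `delete token clientid` as described in the next two sections.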
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users show token clientid <client id>
```
Shows whether the given users have granted the given token (client ID) access to their account. If a user has granted it, GAM reports that the token is present; if not, nothing is output for that user.
This example shows which domain users have the Google Apps Sync for Microsoft Outlook app allowed for their account.
```
gam all users show token clientid 1095133494869.apps.googleusercontent.com
Getting all users in Google Apps account (may take some time on a large account)
...
Got 32 users
done getting 32 users.
jon@acme.com has allowed this token
mike@acme.com has allowed this token
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users delete token clientid <client id>
```
Revokes the authentication token for the given users. This will block the website or app from connecting to the user's account until the user re-authorizes the site/app.
This example revokes Google Apps Sync for Outlook support for all users.
```
gam all users delete token clientid 1095133494869.apps.googleusercontent.com
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users show asps
```
Prints a list of Application Specific Passwords that the given users have created, with the descriptive name the user has supplied. The actual password is not shown and cannot be retrieved.
This example shows the ASPs for Ryan.
```
gam user ryan@acme.com show asps
ID: 35
Name: Windows PC Chrome Sync
Created: 2012-11-14 12:44:04
Last Used: 2012-11-14 12:44:13
ID: 36
Name: iPhone
Created: 2013-02-14 22:10:32
Last Used: 2013-05-28 14:40:37
ID: 40
Name: Google Talk
Created: 2013-05-07 13:40:49
Last Used: 2013-05-07 13:41:27
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users delete asp <ID>
```
Revokes the application specific password with the given ID for the given users. The password will stop working on whatever devices or applications it was used on.
This example will revoke the ASP for Ryan's iPhone (muhahah, get an Android dude!).
```
gam user ryan@acme.com delete asp 36
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users show backupcodes
```
Lists the two step verification backup codes for the given users. Some users may not have any backup codes generated, in which case nothing is printed for them.
This example prints out the backup codes for Mike.
```
gam user mike@acme.com show backupcodes
Backup verification codes for mike@acme.com
1. 93964433
2. 91867555
3. 43621384
4. 06304268
5. 96022530
6. 40678584
7. 26886356
8. 27259873
9. 13882290
10. 76700736
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users update backupcodes
```
Invalidates the user's current backup codes (if any) and generates 10 new backup codes for the user. Note that this works even if the user has not turned on 2SV yet, so it is possible to generate backup codes for a new user who is required to enroll in 2SV. They can then log in for the first time with a backup code and should immediately turn 2SV on for their account.
This example generates and prints backup codes for Tina, a new employee.
```
gam user tina@acme.com update backupcodes
Backup verification codes for tina@acme.com
1. 04840506
2. 44120560
3. 52754730
4. 25270184
5. 43229491
6. 39659107
7. 51065328
8. 10844915
9. 81131130
10. 54044421
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users delete backupcodes
```
Revokes the user's current backup codes, if any. The backup codes will no longer work for authenticating the user and new codes will not be generated.
This example deletes all backup codes for Charles.
```
gam user charles delete backupcodes
```
```
gam print users is2svenrolled is2svenforced
```
Prints all users and their 2-step verification status (2SV enrolled, 2SV enforced).
```
gam print users is2svenrolled is2svenforced
larry@acme.com,True,True
sally@acme.com,True,False
```
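The CSV above is most useful when filtered for users who are subject to 2SV enforcement but have not enrolled, since those are the accounts that need attention (and the ones for which `update backupcodes` above can generate a first-login code). The script below is an added example, not part of the GAM wiki or of GAM itself. It assumes rows in the form shown on this page (`email,enrolled,enforced`), skips a header row whose first field is `primaryEmail` if one is present, and uses a constructed set of sample rows.

```shell
# Added example (not part of the GAM wiki): find 2SV gaps in the CSV that
# "gam print users is2svenrolled is2svenforced" produces. Assumes rows of
# the form shown on this page: email,enrolled,enforced. A header row whose
# first field is "primaryEmail" is skipped if present (assumption).

# Constructed sample rows.
SAMPLE_2SV='larry@acme.com,True,True
sally@acme.com,True,False
tina@acme.com,False,True
bob@acme.com,False,False'

# report_2sv_gaps: print "<STATUS><TAB><email>" for every user who is not
# enrolled. ENFORCED_NOT_ENROLLED marks users already subject to enforcement
# who have not enrolled (candidates for "update backupcodes" so they can
# complete their first login); NOT_ENROLLED marks the rest.
report_2sv_gaps() {
    awk -F, '
        NR == 1 && $1 == "primaryEmail" { next }   # skip a header row
        NF < 3 { next }                            # ignore blank/short rows
        $2 == "False" && $3 == "True"  { print "ENFORCED_NOT_ENROLLED\t" $1; next }
        $2 == "False"                  { print "NOT_ENROLLED\t" $1 }
    '
}

# count_not_enrolled: number of users (of either status) who are not enrolled.
count_not_enrolled() {
    report_2sv_gaps | awk 'END { print NR }'
}

# Run against the constructed sample; in practice pipe real output in:
#   gam print users is2svenrolled is2svenforced | report_2sv_gaps
printf '%s\n' "$SAMPLE_2SV" | report_2sv_gaps
```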
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users turnoff2sv
```
Turns two-step verification off for the specified users. This is only recommended when a user is unable to complete second-factor authentication (and the admin has verified the user's identity) or when an admin needs to take over a user account and does not have the second-factor credentials.
This example turns 2SV off for Juan's account.
```
gam user juan@example.com turnoff2sv
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users signout
```
Signs a user out of their account by resetting their cookies. Note that how different devices and apps react to the cookie reset varies and is not something GAM can control. See Google's help article for more details.
Michele checked his email on a hotel lobby kiosk computer and thinks he forgot to sign out. This command signs him out of all locations.
```
gam user michele@example.com signout
```
This example signs all students out and can be scheduled to run at 10pm each night. We'll use CSV processing to speed up the signout.
```
gam print users query "orgUnitPath=/Students" | gam csv - gam user ~primaryEmail signout
```
```
gam user <username>|group <groupname>|ou <ouname>|file <filename>|all users deprovision
```
Revokes all application specific passwords, 2SV backup codes and OAuth tokens for the listed users. This can be used as part of the deprovisioning process for terminated users. You may want to precede this command with a "gam update user (user email) password random" command to reset the user's password to an unknown value, and/or follow it with "gam update user (user email) suspended on" to suspend the account, or delegate the mailbox to a manager.
This example performs deprovisioning steps for Larry. We'll first reset his password to a random value. Then we'll kill all ASPs, backup codes and tokens, and finally we'll delegate his mailbox to his manager Jim. We don't disable the account because we don't want mail to his address to bounce.
```
gam update user larry@acme.com password random
updating user larry@acme.com...
gam user larry@acme.com deprovision
Getting Application Specific Passwords for larry@acme.com
No ASPs
Invaliating 2SV Backup Codes for larry@acme.com
Getting tokens for larry@acme.com...
No Tokens
Done deprovisioning larry@acme.com
gam user larry@acme.com delegate to jim@acme.com
```
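When several people leave at once, the sequence above (password reset, deprovision, delegate) is worth scripting so every step runs in the same order for every user and a failure stops the sequence for that user instead of leaving it half done. The wrapper below is an added example, not part of the GAM wiki or of GAM itself. It adds the page's `signout` command to the sequence, leaves the account unsuspended as the example above does, and assumes `GAM_BIN` points at the gam executable; setting `GAM_BIN=echo` turns it into a dry run that prints the commands it would issue. The `leavers.csv` file name is hypothetical.

```shell
# Added example (not part of the GAM wiki): wrap the deprovisioning sequence
# described on this page so it can be run for a list of leavers, with a
# dry-run mode for review. GAM_BIN is assumed to point at the gam binary;
# setting GAM_BIN=echo prints the commands instead of running them.
GAM_BIN="${GAM_BIN:-gam}"

# deprovision_user <user> [delegate]: reset the password to a random value,
# revoke ASPs, backup codes and OAuth tokens, sign the user out everywhere,
# then delegate the mailbox if a delegate is given. The account is left
# unsuspended, as on this page, so mail does not bounce; add
#   "$GAM_BIN" update user "$user" suspended on
# if your process suspends instead. Stops at the first failing gam call.
deprovision_user() {
    user="$1"; delegate="$2"
    if [ -z "$user" ]; then
        echo "usage: deprovision_user <user> [delegate]" >&2
        return 2
    fi
    "$GAM_BIN" update user "$user" password random || return 1
    "$GAM_BIN" user "$user" deprovision || return 1
    "$GAM_BIN" user "$user" signout || return 1
    if [ -n "$delegate" ]; then
        "$GAM_BIN" user "$user" delegate to "$delegate" || return 1
    fi
    # One audit line per completed user, UTC timestamped.
    printf '%s\tdeprovisioned %s%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$user" "${delegate:+ (mailbox delegated to $delegate)}"
}

# deprovision_from_file <file>: one "user,delegate" row per line (delegate
# optional, blank lines and lines starting with # ignored). Returns the
# number of users whose sequence failed, so 0 means every user completed.
deprovision_from_file() {
    failed=0
    while IFS=, read -r user delegate; do
        case "$user" in ""|\#*) continue ;; esac
        deprovision_user "$user" "$delegate" || failed=$((failed + 1))
    done < "$1"
    return "$failed"
}

# Usage (leavers.csv is a hypothetical file of "user,delegate" rows):
#   GAM_BIN=echo; deprovision_from_file leavers.csv   # preview the commands
#   deprovision_from_file leavers.csv                 # run them for real
```

Review the dry-run output before running for real: every line printed by the preview is exactly one gam command that will be issued, in order, per user.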