-
Notifications
You must be signed in to change notification settings - Fork 473
Organizational Units
- API documentation
- Definitions
- Special quoting
- Manage organizational units
- Add users to an organizational unit
- Synchronize users with an organizational unit
- ChromeOS device update OU error handling
- Add ChromeOS devices to an organizational unit
- Synchronize ChromeOS devices with an organizational unit
- Display organizational units
- Print organizational units
- Display organizational unit counts
- Display indented organizational unit tree
- Check organizational unit for contained items
- Delete Empty OUs
- Special case handling for large number of organizational units
<OrgUnitID> ::= id:<String>
<OrgUnitPath> ::= /|(/<String)+
<OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
<OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
<OrgUnitFieldName> ::=
description|
id|orgunitid|
inherit|blockinheritance|
name|
parentid|parentorgunitid|
parent|parentorgunitpath|
path|orgunitpath
<OrgUnitFieldNameList> ::= "<OrgUnitFieldName>(,<OrgUnitFieldName>)*"
<OrgUnitSelector> ::=
cros_ou | cros_ou_and_children|
ou | ou_ns | ou_susp|
ou_and_children | ou_and_children_ns | ou_and_children_susp
For <OrgUnitEntity>
, see: Collections of Items
For <UserTypeEntity>
, see: Collections of Users
For <CrOSTypeEntity>
, see: Collections of ChromeOS Devices
You specify a single organizational unit with org <OrgUnitPath>
and a list of organizationsl units with orgs <OrgUnitList>
.
As organizational unit paths can contain spaces, some care must be used when entering <OrgUnitPath>
and <OrgUnitList>
.
Suppose you have an organizational unit /Foo Bar
. To get information about it you enter the command: gam info org "/Foo Bar"
The shell strips the "
leaving a single argument /Foo Bar
; gam correctly processes the argument.
Suppose you enter the command: gam info orgs "/Foo Bar"
The shell strips the "
leaving a single argument /Foo Bar
; gam splits the argument on space leaving two items and then tries to process /Foo
and Bar
, not what you want.
You must enter: gam info orgs "'/Foo Bar'"
The shell strips the "
leaving a single argument '/Foo Bar'
; gam splits the argument on space while honoring the '
leaving one item /Foo Bar
and correctly processes the item.
See: List Items
Create, update and delete organization units.
gam create org|ou <OrgUnitPath> [description <String>]
[parent <OrgUnitItem>] [inherit|(blockinheritance False)]
[buildpath]
gam update org|ou <OrgUnitPath> [name <String>] [description <String>]
[parent <OrgUnitItem>] [inherit|(blockinheritance False)]
gam delete org|ou <OrgUnitPath>
gam update orgs|ous <OrgUnitEntity> [name <String>] [description <String>]
[parent <OrgUnitItem>] [inherit|(blockinheritance False)]
gam delete orgs|ous <OrgUnitEntity>
Inheritance specifies whether sub-OUs of the specified OU inherit its settings.
-
inherit|blockinheritance false
- Sub-OUs inherit settings from the specified OU; this is the default
When adding users to an OU, Gam uses a batch method to speed up processing.
For <UserTypeEntity>
, see: Collections of Users
gam update org|ou <OrgUnitPath> add|move <UserTypeEntity>
gam update orgs|ous <OrgUnitEntity> add|move <UserTypeEntity>
The batch_size
value from gam.cfg controls the number of users handled in each batch.
When adding users to an OU, Gam uses a batch method to speed up processing.
For <UserTypeEntity>
, see: Collections of Users
gam update org|ou <OrgUnitItem> sync <UserTypeEntity> [removetoou <OrgUnitItem>]
gam update orgs|ous <OrgUnitEntity> sync <UserTypeEntity> [removetoou <OrgUnitItem>]
- Users in the
OU
but not in<UserTypeEntity>
will be moved toOU
/ or theOU
specified inremovetoou <OrgUnitItem>
- Users in
<UserTypeEntity>
but not in theOU
are moved to theOU
- Users in the
OU
and in<UserTypeEntity>
are unaffected
The batch_size
value from gam.cfg controls the number of users handled in each batch.
If you get the following error when trying to update the OU of a ChromeOS device:
400: invalidInput - Invalid Input: Inconsistent Orgunit id and path in request
issue the following command to work around the Google problem causing the wrror:
gam select default config update_cros_ou_with_id true save
When adding ChromeOS devices to an OU, Gam uses a batch method to speed up processing.
For <CrOSTypeEntity>
, see: Collections of ChromeOS Devices
gam update org|ou <OrgUnitPath> add|move <CrOSTypeEntity>
[quickcrosmove [<Boolean>]]
gam update orgs|ous <OrgUnitEntity> add|move <CrOSTypeEntity>
[quickcrosmove [<Boolean>]]
Google has introduced a new, faster batch method for moving CrOS devices to a new OU. The quickcrosmove
option controls which method Gam uses.
-
quickcrosmove not specified
- use value fromquick_cros_move
ingam.cfg
to select previous/new batch method -
quickcrosmove False
- use previous batch method -
quickcrosmove True
- use new batch method -
quickcrosmove
- use new batch method
The batch_size
value from gam.cfg controls the number of deviceIds handled in each batch by either method.
In the new method, Google doesn't seem to do any error checking of the CrOS deviceIds, there is no error message given if invalid CrOS deviceIds are specified.
gam update ou /Students/2022 add cros_ou /Students/2021 quickcrosmove
Suppose you have a CSV file cros.csv with a single column: deviceId
gam update ou /Students/2022 add croscsvfile cros.csv:deviceId quickcrosmove
Suppose you have a CSV file cros.csv with a two columns: deviceId,OU
All OUs will be updated with their associated devices.
gam update ou csvkmd cros.csv keyfield OU datafield deviceId add croscsvdata deviceId quickcrosmove
When adding ChromeOS devices to an OU, Gam uses a batch method to speed up processing.
For <CrOSTypeEntity>
, see: Collections of ChromeOS Devices
gam update org|ou <OrgUnitItem> sync <CrOSTypeEntity> [removetoou <OrgUnitItem>]
[quickcrosmove [<Boolean>]]
gam update orgs|ous <OrgUnitEntity> sync <CrOSTypeEntity> [removetoou <OrgUnitItem>]
[quickcrosmove [<Boolean>]]
- Cros devices in the
OU
but not in<CrOSTypeEntity>
will be moved toOU
/ or theOU
specified in removetoou - CrOS devices in
<CrOSTypeEntity>
but not in theOU
are moved to theOU
- CrOS devices in the
OU
and in<CrOSTypeEntity>
are unaffected
Google has introduced a new, faster batch method for moving CrOS devices to a new OU. The quickcrosmove
option controls which method Gam uses.
-
quickcrosmove not specified
- use value fromquick_cros_move
ingam.cfg
to select previous/new batch method -
quickcrosmove False
- use previous batch method -
quickcrosmove True
- use new batch method -
quickcrosmove
- use new batch method
The batch_size
value from gam.cfg controls the number of deviceIds handled in each batch by either method.
In the new method, Google doesn't seem to do any error checking of the CrOS deviceIds, there is no error message given if invalid CrOS deviceIds are specified.
These commands display information as an indented list of keys and values.
gam info org|ou <OrgUnitPath> [nousers|notsuspended|suspended] [children|child]
gam info orgs|ous <OrgUnitEntity> [nousers|notsuspended|suspended] [children|child]
By default, all users of the org units are displayed:
-
nousers
- Don't display users of the org units -
notsuspended
- Display non-suspended users of the org units -
suspended
- Display suspended users of the org units -
children|child
- Display users in any child org unit
This command displays information in CSV format.
gam print orgs|ous [todrive <ToDriveAttribute>*]
[fromparent <OrgUnitItem>] [showparent [Boolean>]] [toplevelonly]
[parentselector <OrgUnitSelector> childselector <OrgUnitSelector>]
[allfields|<OrgUnitFieldName>*|(fields <OrgUnitFieldNameList>)]
[convertcrnl] [batchsuborgs [<Boolean>]]
[mincroscount <Number>] [maxcroscount <Number>]
[minusercount <Number>] [maxusercount <Number>]
By default, Gam prints all child org units of /.
-
fromparent <OrgUnitItem>
- Print all child org units of<OrgUnitItem>
. -
showparent
- Print the parent org unit, either / orfromparent <OrgUnitItem>
. -
toplevelonly
- Do not print any sub org units. -
convertcrnl
- In the description field, convert carriage return to \r and new line to \n.
Options parentselector <OrgUnitSelector>
and childselector <OrgUnitSelector>
add an additional column orgUnitSelector
to the output.
This column value can be used in subsequent gam csv
commands to appropriateley select members without duplication.
By default, all OUs are displayed. You can limit the display of OUs to those where the number of ChromeOS devices/users falls within a range. Gathering this data requires additional API calls to download information about all ChromeOS devices and users.
Additional columns are generated to display the number and status of ChromeOS devices and users in each OU.
-
mincroscount <Number>
- Display the OU if it has at leaset<Number>
ChromeOS devices -
maxcroscount <Number>
- Display the OU if it has no more than<Number>
ChromeOS devices -
minusercount <Number>
- Display the OU if it has at leaset<Number>
users -
maxusercount <Number>
- Display the OU if it has no more than<Number>
users
Show all OUs with at least one user.
gam print orgs minusercount 1
Show all OUs with no users.
gam print orgs maxusercount 0
Get file count summaries by OU; top level selector is ou, sub level selectors are ou_and_children
gam redirect csv ./TopLevelOUs.csv print ous showparent toplevelonly parentselector ou childselector ou_and_children fields orgunitpath
gam redirect csv ./FileCounts.csv multiprocess csv ./TopLevelOUs.csv gam "~orgUnitSelector" "~orgUnitPath" print filecounts excludetrashed summary only summaryuser "~orgUnitPath"
Display the number of organizational units.
gam print orgs|ous
[fromparent <OrgUnitItem>] [showparent [Boolean>]] [toplevelonly]
showitemcountonly
Example
$ gam print orgs showitemcountonly
Getting all Organizational Units, may take some time on a large Google Workspace Account...
Got 98 Organizational Units
98
The Getting
and Got
messages are written to stderr, the count is writtem to stdout.
To retrieve the count with showitemcountonly
:
Linux/MacOS
count=$(gam print orgs showitemcountonly)
Windows PowerShell
count = & gam print orgs showitemcountonly
gam show orgtree [fromparent <OrgUnitItem>] [batchsuborgs [<Boolean>]]
By default, Gam displays the organizational unit tree starting at /.
-
fromparent <OrgUnitItem>
- Display the organizational unit tree starting at<OrgUnitItem>
.
An organizational unit can be deleted only when it contains no items:
- Chrome Browsers
- ChromeOS Devices
- Shared Drives
- Sub Org Units
- Users
This command counts those items and displays a CSV file with the item counts.
- All counts are zero - A return code of 0 is returned and the
empty
column isTrue
- Some count is greater than 0 - A return code of 25 is returned and the
empty
column isFalse
Only items directly within the OU are counted, items in sub-OUs are not counted.
<OrgUnitCheckName> ::=
browsers|
devices|
shareddrives|
subous|
users
<OrgUnitCheckNameList> ::= "<OrgUnitCheckName>(,<OrgUnitCheckName>)*"
gam check org|ou <OrgUnitItem> [todrive <ToDriveAttribute>*]
[<OrgUnitCheckName>*|(fields <OrgUnitCheckNameList>)]
[filename <FileName>] [movetoou <OrgUnitItem>]
[formatjson [quotechar <Character>]]
By default, GAM checks each of the five items; you can select specfic fields
with <OrgUnitCheckName>*
or fields <OrgUnitCheckNameList>
.
By default, GAM displays the information as columns of fields; the following option causes the output to be in JSON format:
-
formatjson
- Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote "
. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the formatjson
option, double quotes are used extensively in the data resulting in hard to read/process output.
The quotechar <Character>
option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar
defaults to gam.cfg/csv_output_quote_char
. When uploading CSV files to Google, double quote "
should be used.
If movetoou <OrgUnitItem>
is specified, GAM will create a batch file of GAM commands that will move any remaining items
in ou <OrgUnitItem>
to movetoou <OrgUnitItem>
.
By default, the batch file will be named CleanOuBatch.txt
and will be created in gam.cfg/drive_dir
.
This can be overridden with filename <FileName>
.
You can inspect the file and execute it if desired; substitute actual filenames as desired.
gam redirect stdout CleanOuLog.txt multiproces redirect stderr stdout batch CleanOuBatch.txt
# Get list of OUs
gam redirect csv ./OUs.csv print ous
# Check status of each OU
gam redirect csv ./CheckOUs.csv multiprocess redirect stderr - multiprocess csv OUs.csv gam check ou "~orgUnitId"
# Delete empty OUs
gam config csv_input_row_filter "empty:boolean:true" redirect stdout ./DeleteEmptyOUs.txt multiprocess redirect stderr stdout csv CheckOUs.csv gam delete ou "~orgUnitId"
Repeat the steps until no empty OUs remain.
By default, the print orgs
and show orgtree
commands issue a single API call to get the
list of organizational units. If the number is large, greater than 5000 in an observed case, the API call may fail.
When batchsuborgs
is specified, Gam gets all of the top level org units with one API call; then Gam uses batch processing
in subsequent API calls to get the sub org units. There is no benefit to using this option unless the commands fail
without it. The number of sub org units processed in each batch is controlled by batch_size
in gam.cfg
.
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Upgrade GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Verifying a GAM7 Build is Legitimate and Official
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
- GAM with minimal GCP rights
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- GAM Public Chat Room
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Profile Management
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube
GAM Tutorials
- Account Auditing
- Calendar Settings
- Chat Bot commands
- Chrome Browser Management
- Chrome Policy Settings
- Context Aware Access levels
- Data Transfers
- Domain Verification
- Google Drive Management
- Group Settings
- Inbound SSO Settings
- Managing Admins
- Managing Classroom
- Managing Custom User Schemas
- Managing Devices
- Managing Organizations
- Managing Product Licenses
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- OAuth Authentication Related Commands
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Printers
- Unmanaged Users and Invitations
- User Email Settings
- User Security Settings