- OAuth Tokens
- Application Specific Passwords
- Two Step Verification Backup Codes
- Deprovisioning A User
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users show tokens
Prints all OAuth tokens that the given users have granted access to their Google Account. OAuth tokens allow third-party websites and applications to access a user's Google data.
This example shows that the admin has granted GAM access to act on the admin's behalf.
gam user [email protected] show tokens
Tokens for [email protected]:
Client ID: 380063494358.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.device.chromeos
https://www.googleapis.com/auth/admin.directory.user
https://apps-apis.google.com/a/feeds/compliance/audit/
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.device.mobile
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/apps.licensing
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/admin.directory.orgunit
https://apps-apis.google.com/a/feeds/domain/
https://www.googleapis.com/auth/userinfo.email
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/apps/reporting/audit.readonly
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/admin.directory.group
https://apps-apis.google.com/a/feeds/calendar/resource/
displayText: Dito GAM
userKey: 105809295792492927768
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users show token clientid <client id>
Shows whether the given users have the given token allowed for their account. If a user has the token, GAM says the token is present. If they don't, nothing is output for that user.
This example shows which domain users have the Google Apps Sync for Microsoft Outlook app allowed for their account.
gam all users show token clientid 1095133494869.apps.googleusercontent.com
Getting all users in Google Apps account (may take some time on a large account)
...
Got 32 users
done getting 32 users.
[email protected] has allowed this token
[email protected] has allowed this token
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users delete token clientid <client id>
Revokes the authentication token for the given users. This will block the website or app from connecting to the user's account until the user re-authorizes the site/app.
This example revokes Google Apps Sync for Outlook support for all users.
gam all users delete token clientid 1095133494869.apps.googleusercontent.com
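An added example, not part of GAM or the original page: a small parser for the `show tokens` output layout shown above that flags grants carrying sensitive scopes, as candidates for review before running `delete token clientid`. The sensitive-scope list, the allowlist parameter, the `alice@example.com` user and the second client are assumptions of the example, and it assumes several grants for one user repeat the same layout.

```python
import re
# Scope substrings treated as sensitive (an assumption; tune to your policy).
SENSITIVE = ("/auth/admin.directory", "/a/feeds/emailsettings", "/auth/drive")

def parse_tokens(text):
    # Turn `gam ... show tokens` output into a list of grant dicts.
    grants, user, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Tokens for (.+):$", line)
        if m:
            user, cur = m.group(1), None
        elif line.startswith("Client ID:"):
            cur = {"user": user, "client_id": line.split(":", 1)[1].strip(),
                   "scopes": [], "name": None}
            grants.append(cur)
        elif cur and line.startswith("displayText:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("http"):
            cur["scopes"].append(line)
    return grants

def risky_grants(grants, allowed_clients=()):
    # Return (user, client_id, name, sensitive scopes) for unapproved grants.
    out = []
    for g in grants:
        hits = [s for s in g["scopes"] if any(k in s for k in SENSITIVE)]
        if hits and g["client_id"] not in allowed_clients:
            out.append((g["user"], g["client_id"], g["name"], hits))
    return out

# Constructed sample in the page's output layout (user and 2nd client invented).
SAMPLE = """\
Tokens for alice@example.com:
Client ID: 380063494358.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/calendar
displayText: Dito GAM
userKey: 000000000000000000001
Client ID: 000000000000.apps.googleusercontent.com
scopes:
https://www.googleapis.com/auth/userinfo.email
displayText: Example Notes App
"""

for user, cid, name, hits in risky_grants(parse_tokens(SAMPLE)):
    print(f"{user}: {name} ({cid}) holds {len(hits)} sensitive scope(s)")
```

Passing a client ID in `allowed_clients` suppresses it, so approved admin tools such as GAM itself do not show up in every run.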
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users show asps
Prints a list of the Application Specific Passwords that the given users have created, along with the descriptive name each user supplied. The actual password is not shown and cannot be retrieved.
This example shows the ASPs for Ryan.
gam user [email protected] show asps
ID: 35
Name: Windows PC Chrome Sync
Created: 2012-11-14 12:44:04
Last Used: 2012-11-14 12:44:13
ID: 36
Name: iPhone
Created: 2013-02-14 22:10:32
Last Used: 2013-05-28 14:40:37
ID: 40
Name: Google Talk
Created: 2013-05-07 13:40:49
Last Used: 2013-05-07 13:41:27
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users delete asp <ID>
Revokes the supplied application specific password ID for the given users. This will stop the password from working on whatever devices/applications it was used on.
This example will revoke the ASP for Ryan's iPhone (muhahah, get an Android dude!)
gam user [email protected] delete asp 36
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users show backupcodes
Lists the two step verification backup codes for the given users. Some users may not have any backup codes generated, in which case nothing will be printed for them.
This example prints out the backup codes for Mike.
gam user [email protected] show backupcodes
Backup verification codes for [email protected]
1. 93964433
2. 91867555
3. 43621384
4. 06304268
5. 96022530
6. 40678584
7. 26886356
8. 27259873
9. 13882290
10. 76700736
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users update backupcodes
Invalidates the user's current backup codes (if any) and generates 10 new backup codes for the user. Note that this process works even if the user has not turned on 2SV yet, so it's possible to generate backup codes for a new user who has 2SV enrollment required. They'll then be able to log in for the first time with a backup code and should immediately turn 2SV on for their account.
This example generates and prints backup codes for Tina, a new employee.
gam user [email protected] update backupcodes
Backup verification codes for [email protected]
1. 04840506
2. 44120560
3. 52754730
4. 25270184
5. 43229491
6. 39659107
7. 51065328
8. 10844915
9. 81131130
10. 54044421
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users delete backupcodes
Revokes the user's current backup codes, if any. The backup codes will no longer work for authenticating the user, and new codes will not be generated.
This example deletes all backup codes for Charles.
gam user charles delete backupcodes
gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users deprovision
Revokes all application specific passwords, 2SV backup codes and OAuth tokens for the listed user. This process can be used as part of the deprovisioning process for terminated users. You may want to precede this command with a "gam update user (user email) password random" command to reset the user's password to an unknown value, and/or follow it with a "gam update user (user email) suspended on" command to suspend the account, or delegate the account to a manager.
This example performs deprovisioning steps for Larry. We'll first reset his password to a random value. Then we'll kill all ASPs, backup codes and tokens and finally we'll delegate his mailbox to his manager Jim. We don't disable the account because we don't want mail to his address to bounce.
gam update user [email protected] password random
updating user [email protected]...
gam user [email protected] deprovision
Getting Application Specific Passwords for [email protected]
No ASPs
Invaliating 2SV Backup Codes for [email protected]
Getting tokens for [email protected]...
No Tokens
Done deprovisioning [email protected]
gam user [email protected] delegate to [email protected]