Google Workspace GAM

Why GAM

The Google admin console is fine when you need to update one user or add someone to a group. It falls apart when you're managing hundreds of users across 100+ locations and need to make bulk changes on a regular basis. Creating groups one by one, suspending departed employees individually, extracting membership lists through the UI... none of that scales.

That's where GAM comes in. GAM (Google Apps Manager) is a command-line tool that talks directly to the Google Workspace Admin API. Once it's authorized against your domain, you can script just about anything you'd do in the admin console. I built a set of scripts around it to handle the operations we ran most often.

Bulk group management

We had a lot of Google Groups. Distribution lists, security groups for Drive access, license assignment groups. When the org restructured, we needed to create dozens of new groups and clear out old ones. The Bulk Create Groups.ps1 script reads a CSV with group names and email addresses and fires off GAM commands to create each one.

Clearing groups was the more common task though. When a distribution list got stale or a project wrapped up, I'd run the clear script to strip all members rather than deleting the group entirely. That way the group address still worked if someone had it bookmarked.

# GAM command to remove a member from a group
gam update group $groupEmail remove member $memberEmail

User offboarding

The archive script was the most involved. When someone left the company, we needed to transfer their Google Drive contents to their manager, suspend the account, downgrade the license (so we stopped paying for it), and log everything. Doing that manually for each departure was a 10-minute process that happened multiple times a week.

The Python script reads a CSV of departing users, pulls their manager info, runs the Drive transfer through GAM, suspends the account, and writes a log of what it did. The whole offboarding flow for a batch of users takes about a minute now.

Membership extraction

One script that turned out to be more useful than I expected was the bulk membership extractor. It pulls all members from a set of groups and formats the output so it can be re-imported into new groups. We used this during migrations, when groups needed to be recreated under a different naming convention but with the same membership. Extract from the old groups, tweak the CSV, and import into the new ones.

Cross-platform

Most of these scripts are PowerShell because our management workstations were Windows. But I kept a macOS version of the group cleanup script in bash for when I needed to run something from my laptop. GAM works the same on both platforms, so the actual GAM commands are identical. It's just the wrapper logic that differs.

The biggest win with all of this was consistency. Before GAM, every admin did things slightly differently through the UI. With scripts, the process is the same every time, and there's a log of exactly what happened.