GAM options files

If you add some specific files to the same folder as GAM.exe (or gam.py), you can alter the behavior of GAM. Each file has to exist to do its job - there is no specific content required in the file.

nocache.txt The cache will be disabled at the cost of some performance. https://groups.google.com/d/msg/google-apps-manager/j24xT9lGYYY/bn-m4kud-hoJ

noupdatecheck.txt Update checks will be disabled. (Helpful when running GAM from an unattended batch file.) https://groups.google.com/d/msg/google-apps-manager/RAKFcr7Y7Vs/2obG5hU43hYJ

nobrowser.txt Use during initial installation and configuration on a computer without a web browser. GAM will display a link which you can copy and open from a computer running a browser in order to manually authorize.

Seeing HTTP API calls made by GAM

GAM can provide full HTTP API call details and headers. This can be useful if you are troubleshooting an issue with GAM and the APIs and Google Support would like to know the exact way GAM is talking to the Google API servers. Just create a file called debug.gam in the same folder as gam.exe (Windows) or gam.py / gam (MacOS/Linux). The file can be blank, GAM only checks for the existence of a file called debug.gam, it doesn’t care about file contents. Here’s a sample output from GAM with debug.gam in place. You can see the Admin SDK Directory API users.insert() API call is being utilized by GAM and you can see the request failed (because I tried to use a google.com domain which is not the domain I’m authenticated as). You also see exactly which API parameters GAM sent with the request.

$ gam create user [email protected] firstname Jay lastname Lee password P@ssw3rd
Creating account for [email protected]
connect: (www.googleapis.com, 443)
send: 'POST /admin/directory/v1/users?fields=primaryEmail&alt=json&prettyPrint=true HTTP/1.1\r\nHost: www.googleapis.com\r\ncontent-length: 233\r\naccept-encoding: gzip, deflate\r\naccept: application/json\r\nuser-agent: GAM 6.21 - https://github.com/GAM-team/GAM / Jay Lee <[email protected]> / Python 2.7.10 final / Linux-4.2.0-34-generic-x86_64-with-Ubuntu-15.10-wily x86_64 / google-api-python-client/1.5.0 (gzip)\r\ncontent-type: application/json\r\nauthorization: Bearer ya29.Ci4JA4DnhABG2sXcybdIJV7ALJuSRq9bvyxCIxm0vdXPchkOZGapecYozpKHOy-0\r\n\r\n{"primaryEmail": "[email protected]", "password": "$6$heoqb7mBLg0wV/xE$OTWfJtYq9/mKqtZBgtyr5J7lgtW.fANCimmioaGfcXQh7QlxiDNhv/atEm4qIaqsAsQVQBYP/q.6BSPj5V9Qf0", "hashFunction": "crypt", "name": {"givenName": "Jay", "familyName": "Lee"}}'
reply: 'HTTP/1.1 403 Forbidden\r\n'
header: Vary: Origin
header: Vary: X-Origin
header: Content-Type: application/json; charset=UTF-8
header: Content-Encoding: gzip
header: Date: Wed, 22 Jun 2016 17:48:48 GMT
header: Expires: Wed, 22 Jun 2016 17:48:48 GMT
header: Cache-Control: private, max-age=0
header: X-Content-Type-Options: nosniff
header: X-Frame-Options: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Server: GSE
header: Alternate-Protocol: 443:quic
header: Alt-Svc: quic=":443"; ma=2592000; v="34,33,32,31,30,29,28,27,26,25"
header: Transfer-Encoding: chunked

ERROR: 403: Not Authorized to access this resource/api - forbidden

Here's some details on the debug logs above:

$ gam create user [email protected] firstname Jay lastname Lee password P@ssw3rd

this is the GAM command run by the admin.

POST /admin/directory/v1/users?fields=primaryEmail&alt=json&prettyPrint=true HTTP/1.1\r\nHost: www.googleapis.com

in order to create a user, GAM is making an HTTP/1.1 POST request to the URL https://www.googleapis.com/admin/directory/v1/users?fields=primaryEmail&alt=json&prettyPrint=true. HTTPS / 443 is always used by GAM and the Google APIs.

user-agent: 6.21 - https://github.com/GAM-team/GAM / Jay Lee <[email protected]> / Python 2.7.10 final / Linux-4.2.0-34-generic-x86_64-with-Ubuntu-15.10-wily x86_64 / google-api-python-client/1.5.0 (gzip)

GAM includes a User-Agent HTTP header with details about the GAM version and Python / System version in use.

authorization: Bearer ya29.Ci4JA4DnhABG2sXcybdIJV7ALJuSRq9bvyxCIxm0vdXPchkOZGapecYozpKHOy-0

GAM sends an "Authorization" HTTP header with the OAuth access token the admin authorized GAM to use to verify with Google that a G Suite admin is making this calls.

{"primaryEmail": "[email protected]", "password": "$6$heoqb7mBLg0wV/xE$OTWfJtYq9/mKqtZBgtyr5J7lgtW.fANCimmioaGfcXQh7QlxiDNhv/atEm4qIaqsAsQVQBYP/q.6BSPj5V9Qf0", "hashFunction": "crypt", "name": {"givenName": "Jay", "familyName": "Lee"}}

This is the HTTP body and POST data of the GAM request. It's in JSON format. Notice that GAM took the P@ssw3rd password the admin supplied GAM on the command line and pre-hashed it using the sha-512 crypt algorithm as recommended by Google.

HTTP/1.1 403 Forbidden

Google servers responded with a 403 Forbidden response because the admin user is in my test domain and trying to create a @google.com user account which they are forbidden from doing.