Managing GAFE with PowerShell

Real talk. Google is taking over the education market. Sorry Apple and Microsoft, it’s the truth. Don’t stop trying though…we education customers need all the help we can get! We like free and simple, btw (that’s why Google is winning in this space).

However, with simplicity comes a lack of sophistication. As a technology professional, part of my job is automating the mundane tasks so that I can focus on the large and fun projects. You know what isn’t easy to do in GAFE? Bulk operations. This is where there is a severe lack of sophistication on the management side. Keep working, Google.

A few years ago, I began learning PowerShell and it has since become my command-line of choice. Tasked with needing to perform some bulk operations in our Google environment, I was exploring how to perform certain functions via command-line, if something like that existed. Fortunately, Google has an API, but unfortunately they do not have a proprietary command-line tool, nor does their Admin Console allow for bulk operations.

Luckily, a gentleman by the name of Jay Lee created a tool called GAM. GAM is a command line tool for Google G Suite Administrators to manage domain and user settings quickly and easily. Perfect!

The setup process is a little cumbersome at first, and you do need to be a super administrator in your Google domain, but once it’s set up, the command-line tool is pretty solid. I’m not going to go too in-depth on working in GAM, because that is what the wiki is designed for. I would advise you to get familiar with it before attempting to do any bulk operations.

Once installed you can run some basic commands that center around:

  • Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, OUs and Resource Calendars
  • Group Settings
  • Data Transfers
  • Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
  • Managing Custom User Schemas
  • User Email Settings
  • User Security Settings
  • Managing Cloud Print
  • Managing Classroom
  • Calendar Settings
  • Google Drive Management
  • Managing Admins
  • Domain Verification
  • Managing Product Licenses
  • Managing Organizations

Bonus: The tool is constantly being updated by its creator. My hat goes off to you, sir. Thank you, and keep up the good work.

Making GAM and PowerShell work together

The scenario that I needed to accomplish was to transfer Drive documents for users who were no longer employed in our district to a central repository. We want to retain those documents in case there were files that didn’t get shared before a staff member left the district that other staff members may need.

Reading through the Bulk Operations page on the wiki, I knew I could leverage GAM to perform this action in bulk, but really wanted to streamline the process where I didn’t have to populate a CSV or do any manual work to get this done. Our provisioning system moves all inactive users to a specific container in Active Directory, so I knew which accounts I needed to transfer documents from and then delete that account in Google. From there I figured I could use PowerShell to query those accounts and then execute the GAM command on each account. The full script is below:

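# Requires the ActiveDirectory module (RSAT) for Get-ADUser
$users= Get-ADUser -Filter * -SearchBase "OU=Inactive Accounts,DC=sysadminedu,DC=com"
foreach ($user in $users)
 {
 # Build the Google address from the AD account name
 $username = ($user.SamAccountName + "@google.sysadminedu.com")
 # Transfer Drive documents to the repository account and wait for GAM to exit
 Start-Process C:\GAM\gam.exe -ArgumentList "user $username transfer drive repository@google.sysadminedu.com" -wait
 # Delete the Google account once the transfer process has exited
 Start-Process C:\GAM\gam.exe -ArgumentList "delete user $username" -wait
 }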

Digging In

$users= Get-ADUser -Filter * -SearchBase "OU=Inactive Accounts,DC=sysadminedu,DC=com"

This first line simply gets the data from the AD container and saves that data in a variable to use in the foreach statement coming up.

foreach ($user in $users)
 {

This begins the loop to cycle through each account and perform the necessary actions I want on that account, without having to specify each account individually.

 $username = ($user.SamAccountName + "@google.sysadminedu.com")

This part may not be necessary for you, but for us, we have separate domains for our AD credentials and our Google credentials. This takes the SamAccountName and appends the correct Google domain so GAM can understand what action needs to be performed on the appropriate account. This is defined in the $username variable.

 Start-Process C:\GAM\gam.exe -ArgumentList "user $username transfer drive repository@google.sysadminedu.com" -wait

The Start-Process command starts GAM and the argument parameter is the actual command you want to run in GAM. Notice I used the $username variable defined earlier. I also use the -wait parameter so that PowerShell will not attempt to move on before that process is complete. Sometimes users have over 1500 documents and it might take some time to transfer. I want to ensure their account is not deleted before transferring all documents too.

 Start-Process C:\GAM\gam.exe -ArgumentList "delete user $username" -wait

This performs the delete user action after the Drive documents are transferred.

That’s it! Due to it being completely automated, you can make this a scheduled task to run once a week or so without thinking about it.

I’m going to continue to expand upon this to hopefully provide some error handling and other fancy stuff, but for my first experience in managing another service with PowerShell I thought this would help a lot of school district admins in managing two different environments.
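
One way to add the error handling mentioned above, as an added example that is not the author's script: it deletes an account only when the Drive transfer reports success, caps how many accounts one run may touch, and supports -WhatIf for a dry run. It assumes gam.exe exits with a non-zero code on failure; Invoke-Gam, Write-Log, the log path and the $MaxAccounts cap are hypothetical names and values.

```powershell
# Added example (not the author's script). Assumption: gam.exe exits non-zero on failure.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase   = 'OU=Inactive Accounts,DC=sysadminedu,DC=com',
    [string]$GoogleDomain = 'google.sysadminedu.com',
    [string]$Repository   = 'repository@google.sysadminedu.com',
    [string]$GamPath      = 'C:\GAM\gam.exe',
    [string]$LogPath      = 'C:\GAM\offboard.log',  # hypothetical log location
    [int]$MaxAccounts     = 25                      # hypothetical per-run safety cap
)

function Invoke-Gam {
    param([string[]]$GamArgs)
    # -PassThru returns the process object so its exit code can be checked.
    $proc = Start-Process -FilePath $GamPath -ArgumentList $GamArgs -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Write-Log {
    param([string]$Message)
    ('{0:u} {1}' -f (Get-Date), $Message) | Add-Content -Path $LogPath
}

$users = @(Get-ADUser -Filter * -SearchBase $SearchBase)

# A misconfigured SearchBase or a bulk move into the OU should not become a bulk delete.
if ($users.Count -gt $MaxAccounts) {
    Write-Log "ABORT found $($users.Count) accounts, cap is $MaxAccounts"
    throw "Refusing to process $($users.Count) accounts in one run."
}

foreach ($user in $users) {
    $sam = $user.SamAccountName
    # The name is interpolated into gam.exe arguments, so accept only plain account names.
    if ($sam -notmatch '^[A-Za-z0-9._-]+$') { Write-Log "SKIP '$sam' unexpected characters"; continue }
    $username = "${sam}@${GoogleDomain}"
    if (-not $PSCmdlet.ShouldProcess($username, 'Transfer Drive, then delete Google account')) { continue }

    $rc = Invoke-Gam @('user', $username, 'transfer', 'drive', $Repository)
    if ($rc -ne 0) {
        # Leave the account in place; the next scheduled run retries the transfer.
        Write-Log "FAIL transfer $username exit=$rc (account kept)"
        continue
    }
    $rc = Invoke-Gam @('delete', 'user', $username)
    if ($rc -eq 0) { Write-Log "OK transferred and deleted $username" }
    else           { Write-Log "FAIL delete $username exit=$rc" }
}
```

Run it once with -WhatIf to list the accounts it would act on before scheduling it.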

Have suggestions to make the script better, or want to share how you accomplish something similar? Please do so in the comments below!
