500+
Users managed with GAM
Free
Cost
<1min
For bulk operations

What is GAM?

GAM (Google Apps Manager) is an open-source command-line tool created by Jay Lee that interacts with Google Workspace APIs directly. It lets you do anything you can do in the Admin Console โ€” and a lot of things you can't โ€” from your terminal. Bulk user creation, forwarding rule setup, Drive ownership transfers, license assignments, group management, audit log exports: all scriptable, all repeatable, all fast.

I use GAM daily at Forter for everything from offboarding (setting forwarding rules, transferring Drive ownership) to routine reporting (who hasn't logged in recently, which users have 2FA disabled). It's the single most useful tool in my Google Workspace toolkit.

Installation

Step 01
Install GAMADV-XTD3 (the recommended fork)

There are two main versions: the original GAM and GAMADV-XTD3 by Ross Scroggs. Use GAMADV-XTD3 โ€” it has more features, better output formatting, and is more actively maintained. Install on macOS with:

macOS / Linux
bash <(curl -s -S -L https://gam-shortn.appspot.com/gam-install)
๐Ÿ’ก On macOS, you may need to allow the binary in System Preferences โ†’ Privacy & Security after the first run.
Step 02
Authorise with your Google Workspace super admin account

Run gam oauth create and follow the browser prompts to authorise GAM with your Super Admin account. GAM will store the OAuth token locally โ€” you won't need to re-authorise on every command. For automation scripts running unattended, you can also set up a service account with domain-wide delegation.

๐Ÿ’ก Create a dedicated Super Admin account for GAM (e.g. gam-admin@yourcompany.com) so you can audit GAM actions separately from your personal admin account.

Commands You'll Use Every Week

Offboarding
Set forwarding and transfer Drive ownership

The two most common offboarding tasks in Google Workspace. GAM handles both in seconds.

Forward all email to manager
gam user leaving@company.com forward to manager@company.com keep
Transfer all Drive files to manager
gam create datatransfer leaving@company.com gdrive manager@company.com
Bulk operations
Add all users in a group to a new group

Indispensable when reorganising groups or rolling out new tools to a department.

Add members of one group to another
gam print group-members group old-group@company.com | gam csv - gam update group new-group@company.com add member ~primaryEmail
Security & Audit
Find users without 2FA enrolled

Run this before every security review. Takes under 10 seconds for a 500-person org.

List all users with 2FA disabled
gam print users fields name,primaryemail,isenrolledIn2Sv,isenforced2Sv | grep ",False"
Reporting
Export a full user list with last login

Great for licence audits and finding stale accounts that should be suspended.

Export users with last login timestamp
gam report users fields accounts:last_login_time > users_last_login.csv
Aliases & Shared Mailboxes
Bulk-add email aliases from a CSV

When a company rebrands or merges, this saves hours of clicking through the Admin Console.

aliases.csv: primaryEmail, alias
gam csv aliases.csv gam user ~primaryEmail add alias ~alias

My Most-Used GAM Scripts

Script 01
Offboarding automation

I wrapped the most common offboarding GAM commands into a single Bash script: suspend account, set out-of-office, set forwarding, transfer Drive, remove from groups, reset sign-in cookies. Triggered by our offboarding pipeline. What used to take 30 minutes of Admin Console clicking now runs in under 2 minutes with a full log.

๐Ÿ’ก See the full offboarding automation project: Offboarding Automation โ†’
Script 02
Weekly stale account report

A cron job that runs every Monday morning: exports all active users with their last login date, filters for anyone who hasn't logged in for 60+ days, and emails the report to IT. Catches contractors and temporary accounts that slip through offboarding.

Find accounts inactive for 60+ days
gam report users fields accounts:last_login_time | awk -F',' 'NR>1 && $3 != "" {cmd="date -d \""$3"\" +%s"; cmd | getline ts; close(cmd); if (systime()-ts > 5184000) print $1","$2","$3}'
Script 03
Shared Drive audit

Lists all Shared Drives, their membership, and storage usage. Runs quarterly as part of our access review process. The output feeds into a spreadsheet that managers review to confirm their team's access is still appropriate.

Export all Shared Drives with members
gam print teamdrives fields id,name > drives.csv gam csv drives.csv gam print teamdriveacls teamdriveid ~id > drive_members.csv

Common Mistakes to Avoid

โš ๏ธ Always test commands on a single user before running against all users. GAM has no undo. A command scoped to all users runs immediately on your entire domain. Test with gam user test@company.com ... first, then expand scope when you're confident.

Use gam print before gam update. Print commands are read-only โ€” they let you see exactly what would be affected before you make changes. Make it a habit: print first, review the CSV, then run the update.

Log every automated command. Any GAM command running in a script should redirect output to a timestamped log file. When something goes wrong (and eventually it will), you want a clear record of what ran and when.

GAM has saved me hundreds of hours over the years. Once you get past the initial setup and learn the command patterns, it becomes the fastest way to manage Google Workspace at scale โ€” far faster than the Admin Console for anything involving more than a handful of users. If you're setting it up and run into issues, feel free to reach out at izzi@izzirenan.com.

IR
Izzi Renan
IT Systems Administrator at Forter. Managing Okta, Google Workspace, and Jamf Pro for 500+ users across EMEA, APAC, and Israel. 10 years in IT.