2-Step Filter Not Accurate

tcarter0

unread,

May 6, 2021, 12:36:18 PM5/6/21

to GAM for Google Workspace

I'm running exports every so often of users who still haven't enrolled in 2-step verification, using this command:

gam print users username query "isEnrolledIn2Sv=false isSuspended=false orgUnitPath='/some/path'" >> d:\temp\no2sv_export.csv

Every time I've run it so far, it has included some users who had already enrolled in 2-step. I sent out emails, users say they'd done it days prior, I check, and confirm that they had in fact turned it on.

The first time it happened, I ran the command, sent the emails, got feedback, ran the command again about 45 minutes later, and there were over 200 fewer users included in the first run that were not included in the second run, not because 200 users signed up in that period.

Any thoughts on why I would get users with 2-step enabled using this command?

Jay Lee

unread,

May 6, 2021, 1:10:26 PM5/6/21

to google-ap...@googlegroups.com

This is due to a lag on Google's end in terms of reporting and indexing. You should expect it to take at least a few hours (possibly 24) before a change to 2sv is properly reflected for the users in a GAM print users command.

Jay Lee

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/92957cd3-587e-4a13-ac98-647f8beac3cbn%40googlegroups.com.

Tommy Carter

unread,

May 6, 2021, 1:13:47 PM5/6/21

to google-ap...@googlegroups.com

Thanks Jay. I imagined that was the case, but we have users who claim they'd enrolled several days prior to the export. It's a short term issue in any case, so no need to spend too much time thinking about it.

You received this message because you are subscribed to a topic in the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/9R9O_wgJYmE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp9m9twdRHVCAwNUM%2BLBvTxut1adjX19qFM_DH_%3Ddfo-6Q%40mail.gmail.com.

Danny Dillon - NOAA Affiliate

unread,

May 6, 2021, 1:20:50 PM5/6/21

to google-ap...@googlegroups.com

We take our ( now short ) outlier list and run them through a "gam info user $user quick | grep -c 2-step.enrolled:.True" filter to catch the late additions.

Danny

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAOZF5eccDdq_1DAXJ%2BxfhiO52N8w%3Di4XXCLCrs1Bb1dMaM%2B5wQ%40mail.gmail.com.

Simon Smart

unread,

May 10, 2021, 1:35:42 PM5/10/21

to GAM for Google Workspace

It might be that GAM uses reports API rather than the directory API to see the user's current status it will potentially have a 3 day lag time on it:

https://support.google.com/a/answer/7061566?hl=en#:~:text=Lag%20time-,2-Step%20Verification%20Enrollment,-2-Step%20Verification

If so it will be using this API:

https://developers.google.com/admin-sdk/reports/v1/appendix/usage/user/accounts

Which has the delay mentioned. If it uses the following API it should be more up to date:

https://developers.google.com/admin-sdk/directory/reference/rest/v1/users

Fortunately, there is a simple way of obtaining near-time data that is ≤ 15 minutes old without knowing which is in play:

Visit https://admin.google.com
Select "Users"
Select the cog at the top right to "manage columns"
Ensure that "2-step verification enrollment" is selected and select "save"
Select the menu item at the top right and choose to "Download users"
Select your preferences (generally, "All users" and "Google Sheets")
The completed report / export should be up-to-date and can be used to filter down un-enrolled users to target communications to them

Hope this helps

tcarter0

unread,

May 10, 2021, 1:40:53 PM5/10/21

to GAM for Google Workspace

I imagine that's the issue. I needed a scriptable solution, so the UI version wasn't best for me. We're done with the process now, but good information nonetheless.

Thanks,

Tommy

Jay Lee

unread,

May 10, 2021, 1:55:51 PM5/10/21

to google-ap...@googlegroups.com

"gam print users" is using the Directory API, "gam report users" uses the Reports API.

I'd doubt admin console export would be closer to realtime accuracy than "gam print users" for this. If it is I'd be curious to know.

Jay Lee

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/a283fb16-075b-4a40-ae04-2cc4e44b452bn%40googlegroups.com.

Simon Smart

unread,

May 10, 2021, 1:58:56 PM5/10/21

to GAM for Google Workspace

I agree AC should be the same sort of timeframe as the Directory API call. Just intended the point-and-click as a workaround if Directory wasn't in use.

Thanks for confirming Jay

Reply all

Reply to author

Forward