Auto Update Group list but not remove manually added members


Matthew Clark

Oct 12, 2017, 11:17:40 AM
to GAM for G Suite
We have a process that automatically adds/updates groups every night.  The problem is that it overwrites the group membership and removes any manually added members.  Is there a way to update a group but NOT modify any manually added members?

Here is a sample of the code...

[{
    "name": "Computer Science Department",
    "description": "Computer Science All Employees - LDAP Managed Membership",
    "email": "cs-department@UNIVERSITY",
    "data_source": "ad",
    "member_query": "(memberof=CN=idmCS-EVERYONE,OU=DEPT,OU=COLLEGE,OU=PROVOST,OU=UNIVERSITY,DC=ad,DC=UNIVERSITY,DC=edu)",
    "manager_query": "",
    "owner_query": "(mail=D-Devolder@UNIVERSITY)",
    "settings": {
      "is_archived": "true",
      "allow_external_members": "false",
      "allow_web_posting": "true",
      "show_in_group_directory": "false",
      "include_in_global_address_list": "true",
      "who_can_invite": "NONE_CAN_INVITE",
      "who_can_join": "invited_can_join",
      "who_can_post_message": "all_members_can_post",
      "who_can_view_group": "all_members_can_view",
      "who_can_leave_group": "NONE_CAN_LEAVE"
    }
  }
]

Thank you!

Matthew

Jay Lee

Oct 12, 2017, 11:21:24 AM
to google-ap...@googlegroups.com
What GAM commands are you running? Are members also removed by the automatic process? If not then you could set the GAM command to only add missing members and not sync (since that will delete members).

Jay

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/ffc569c1-ba04-4315-98f9-0d3dbf64073f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Peter Smulders

Oct 12, 2017, 5:01:40 PM
to GAM for G Suite
It is not a very elegant way and you may run into API call volume limits, but in a pinch, you could just blindly add all the users you want added to particular groups and just ignore the warnings / errors saying that a user can not be added because they already are. ("Duplicate add something something").

--peter


Olinsky, Nicholas

Oct 12, 2017, 5:06:08 PM
to Google Apps Manager
I used to do it that way and hit the limit a lot. Now I use PowerShell to compare to list of users and add the differences.

Nicholas M Olinsky                              
Sunnyside School District
IS/IT Director
Phone: 509.836.8412
FAX: 509.836.8423

"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke

Sent from G Suite for Education


Peter Smulders

Oct 12, 2017, 5:14:48 PM
to GAM for G Suite
If you do want to actually carefully add only those users that need to be added, maybe the code below will help (if not you, then possibly some other folk with a sync headache). It is bash shell code and this routine is meant for setting up delegates, but the algorithm works like a charm (I changed some of the code to hide our peculiarities).

setup_delegation () {
  ## Sync delegation
  ## Expects Us: an array of approved usernames (without the domain), set by the caller
  for role in some_role_a some_role_b; do
    # get current delegates
    unset Ds
    declare -a Ds
    for DELEGATE in $(gam user "${role}" show delegates | sed -n 's/ Delegate Email: \(.*\)$/\1/p'); do
      Ds+=("${DELEGATE}")
    done
    # see which ones are not approved (current delegate with no match in Us)
    for d in "${Ds[@]}"; do
      echo "Checking if we need ${d}..."
      for u in "${Us[@]}"; do
        echo "Comparing to ${u}..."
        if [[ "${d}" == "${u}@yourdomainhere.com" ]]; then
          echo "Yep, ${d} is cool."
          continue 2
        fi
      done
      echo "Nope, ${d} needs to go."
      gam user "${role}" delete delegate "${d}"
    done
    # see which ones are missing (entry in Us with no matching current delegate)
    for u in "${Us[@]}"; do
      echo "See if we have ${u}..."
      for d in "${Ds[@]}"; do
        echo "Comparing to ${d}..."
        if [[ "${d}" == "${u}@yourdomainhere.com" ]]; then
          echo "Check -- ${u} is present."
          continue 2
        fi
      done
      echo "We need to add ${u}..."
      [[ "$(gam info user "${role}" | sed -n 's/^Must Change Password: \(.*\)$/\1/p')" == "False" ]] || continue # can not delegate to users with temp passwords
      [[ "$(gam info user "${u}" | sed -n 's/^Must Change Password: \(.*\)$/\1/p')" == "False" ]] || continue
      gam user "${role}" delegate to "${u}"
    done
  done
}

The above can be amended to not execute gam in the inner loop, but instead only echo out the data separated by commas, then wrap the whole function in a subshell, prefix it with csv headers and pipe the output to gam csv.

hth -- Peter

Peter Smulders

Oct 12, 2017, 5:21:47 PM
to GAM for G Suite
I forgot to mention that in this code, Us is an array with users. I lifted this code from a larger script. The loading of an array can be copied from the second loop. From then on, it is basically comparing two sets to find the differences. How you define the one set and the other is up to your local circumstances. --peter
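
Added example, not part of the thread and not any poster's code: the "compare two sets, add only the differences" idea applied to group membership, emitting CSV rows instead of calling gam per user. The function names, file layout and example.edu addresses are constructed; the two input files are assumed to hold one address per line (desired members from the directory query, current members exported from the group).

```bash
#!/usr/bin/env bash
# Add-only membership diff: prints members to ADD, never anything to remove,
# so manually added members of the group are left alone.

# missing_members DESIRED_FILE CURRENT_FILE
# Prints addresses listed in DESIRED_FILE that are absent from CURRENT_FILE.
# Comparison is case-insensitive; CRs, padding, blanks and duplicates are dropped.
missing_members() {
  awk '
    function norm(s) { gsub(/\r/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    # FILENAME test (not NR==FNR) so an empty current-members file still works
    FILENAME == ARGV[1] { k = norm($0); if (k != "") have[k] = 1; next }
    { k = norm($0); if (k != "" && !(k in have) && !(k in seen)) { seen[k] = 1; print k } }
  ' "$2" "$1"
}

# emit_add_csv GROUP DESIRED_FILE CURRENT_FILE
# Writes a CSV (header + one row per missing member) suitable for a batch add.
emit_add_csv() {
  echo "group,email"
  missing_members "$2" "$3" | while IFS= read -r addr; do
    printf '%s,%s\n' "$1" "$addr"
  done
}

# Constructed sample data: guest@example.org stands for a manually added member.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'alice@example.edu' 'Bob@Example.edu' \
                'carol@example.edu' 'carol@example.edu' > "$tmp/desired"
  printf '%s\r\n' 'bob@example.edu' 'guest@example.org' > "$tmp/current"
  emit_add_csv cs-department@example.edu "$tmp/desired" "$tmp/current"
  rm -rf "$tmp"
}

# Assumed invocation to apply the result (check against your GAM version):
#   emit_add_csv ... | gam csv - gam update group ~group add member user ~email
demo
```

Because nothing is ever removed, accounts that drop out of the directory query stay in the group until someone removes them by hand.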

Derek Berry at KCSD

Nov 15, 2017, 8:32:10 AM
to GAM for G Suite
@Nicholas M Olinsky
Would you be willing to share your PowerShell code? I am having a similar issue using the GAM sync with Google Classroom.

Thanks
Derek
