DELETE ACCESS COOKIES


Rodrigo S

Apr 9, 2018, 11:30:19 AM
to GAM for G Suite
Please, I need to know if I could DELETE ACCESS COOKIES for massive users

Thanks 

Ross Scroggs

Apr 10, 2018, 12:14:17 AM
to google-ap...@googlegroups.com
Rodrigo,

There is no API support for this as far as I know, thus GAM can't help you.


Jim Karlin

Apr 10, 2018, 2:50:15 PM
to GAM for G Suite
Rodrigo

It has been asked for, but Google hasn't provided anything for us.

What you can do is:

gam update user changepassword on
gam update user changepassword off

It should knock off all active sessions.  Time consuming on a large population, but it did the trick for me when we needed it.

Jim

Rodrigo S

Apr 12, 2018, 8:32:00 AM
to GAM for G Suite
Excellent!!! It is working, thanks very much Jim, you are the best!!!

+KimNilsson

Apr 15, 2018, 2:47:27 PM
to GAM for G Suite
@Jim, that's a great solution! :-)

@Ross, with Google Support I got some suggestions that could bring us closer to how to do it with GAM.

This is what support said (the I in the comments is the support person referring to herself).

The feature request that I submitted regarding resetting sign-in cookies for multiple users at once from the Admin Console is still being worked on, but as a workaround the Engineer advised using the following APIs:
List users:
https://developers.google.com/admin-sdk/directory/v1/reference/users/list
With the query field you can select which users to extract, for example selecting by OrgUnitPath.
Once you have the list of users, with this other API you can list what tokens are issued for each user:
https://developers.google.com/admin-sdk/directory/v1/reference/tokens/list
And then remove tokens:
https://developers.google.com/admin-sdk/directory/v1/reference/tokens/delete

Follow-up after workaround with tokens.

Thank you for patiently waiting while I was checking for the answer to your question when we last spoke over the phone.

Here is the explanation from the Engineer who provided the work around:
The token depends on the type of devices that you have. So if let's say you're only using Chromebooks, and you reset the sign-in cookies using the Google API, the users will be signed-out in ChromeOS devices with this error:
"
Sign-in Error
Chrome SO could not sync your data because your account sign-details are out of date
"
If Facebook is accessed inside the Chromebook, then the user will also be signed out of Facebook.

Please check this link:
https://developers.google.com/admin-sdk/directory/v1/reference/tokens/delete
Parameters to insert: userkey (user@domain) and clientid (Google Chrome), or for clientid you can use * and it will delete all tokens for that user.

Using the API you have a choice to revoke only the token that you want to remove. For example, on my test user I have two tokens because I'm using two devices, one for Chrome and one for Android. I have the option to revoke only one or both of the tokens. But if it's in the Admin Console, there'll be no option to select which token to remove, so they are all removed.

Using API, you can select to revoke only one or all tokens. But in Admin console, once you "Reset Sign in cookies" it will remove all. There's no option to select.

More comments from Support.

Thank you for contacting G Suite Support and thank you for your patience while I was looking for the relevant Feature Requests for this case. As promised, here are the FRs for the settings or features that you want:
b/71990664 - [FR] Set limits for instances that a user can sign in to different devices at once
b/77569188 - [FR] Ability for Admins to reset sign-in cookies for multiple users at once        
crbug.com/805332: FR: Set limits for instances that a user can sign in to different devices at once

The first two reference tickets are FRs that were filed internally and cannot be accessed outside of Google. The third FR is published publicly and you can access it by going to https://bugs.chromium.org/p/chromium/issues/detail?id=805332.

FRs b/71990664 and crbug.com/805332 are equivalent to the current session length setting as this FR aims to limit the users' sessions on multiple devices. These include sessions for Chrome devices, Windows and Mac PCs and Chrome on Mobile. Currently, crbug.com/805332 is the only one that you will be able to access and check anytime as the other two FRs were filed internally and can only be accessed by the Google Engineers.
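
An added example (not part of this thread, and not GAM's or Google's code) of the list users, list tokens, delete tokens sequence that Support describes above, with the optional per-client filter they mention. It assumes `service` is a google-api-python-client Directory API object built with `build("admin", "directory_v1", credentials=...)` under an admin credential; the function names, the `my_customer` default and the dry-run flag are choices made for this example.

```python
# Added example: revoke issued tokens for every user in one org unit.
# Assumed scopes on the admin credential behind `service`:
#   https://www.googleapis.com/auth/admin.directory.user.readonly
#   https://www.googleapis.com/auth/admin.directory.user.security


def iter_users(service, org_unit_path, customer="my_customer"):
    """Yield primaryEmail for each user in the OU, following pagination."""
    page_token = None
    while True:
        resp = service.users().list(
            customer=customer,
            query=f"orgUnitPath='{org_unit_path}'",
            maxResults=500,
            pageToken=page_token,
        ).execute()
        for user in resp.get("users", []):
            yield user["primaryEmail"]
        page_token = resp.get("nextPageToken")
        if not page_token:
            return


def revoke_tokens(service, org_unit_path, client_id=None, dry_run=True):
    """Return [(email, clientId, displayText)] for each token revoked.

    With dry_run=True nothing is deleted; the list shows what would be.
    With client_id set, only tokens issued to that client are touched.
    """
    acted = []
    for email in iter_users(service, org_unit_path):
        resp = service.tokens().list(userKey=email).execute()
        # A user with no issued tokens returns a response without "items".
        for tok in resp.get("items", []):
            if client_id and tok["clientId"] != client_id:
                continue
            if not dry_run:
                service.tokens().delete(
                    userKey=email, clientId=tok["clientId"]
                ).execute()
            acted.append((email, tok["clientId"], tok.get("displayText", "")))
    return acted
```

Run it once with the default `dry_run=True` and review the returned list before repeating with `dry_run=False`; later posts in this thread report that revoking tokens did not end the user's Google login session in testing.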

Ross Scroggs

Apr 15, 2018, 4:48:04 PM
to google-ap...@googlegroups.com
Kim,

These commands exist in Basic and Advanced GAM, do they do what you want?

gam <UserTypeEntity> delete token clientid <ClientID>
gam <UserTypeEntity> show tokens [clientid <ClientID>]
gam <UserTypeEntity> print tokens|token [todrive] [clientid <ClientID>]
gam print tokens [todrive] [clientid <ClientID>] [<UserTypeEntity>]


Kim Nilsson

Apr 15, 2018, 11:50:47 PM
to google-ap...@googlegroups.com
Yes, I think they do.
One just has to know which token is relevant. 

Kevin Melillo

Apr 16, 2018, 10:54:30 AM
to google-ap...@googlegroups.com
GAM does have a deprovision command.  Does this handle sign-in cookies as well?

gam user <username>|group <groupname>|ou <ouname>| file <filename> | all users deprovision
Revokes all application specific passwords, 2SV Backup Codes and OAuth Tokens for the listed user. 


Kim Nilsson

Apr 17, 2018, 1:55:35 AM
to Google Apps Manager
Oh, so that call just makes the account inaccessible, without disabling or deleting it? Cool.

Still, you'd have to set a new password immediately after that, and communicate it to the user. Sounds like more work for the both of you. 

Just resetting the tokens feels like less of an invasion of the workday. 

+KimNilsson

Apr 17, 2018, 2:51:43 AM
to GAM for G Suite
@Ross, no. The delete token command seems to only revoke the Chrome profile login, not the actual Google login. So I can't use it to do what I want.

@Kevin, deprovision worked great for removing all the things you mentioned, but it doesn't log out the user either.

So, currently, nothing (I've found) but resetting the real password seems to actually kick someone off their login.

Kevin Melillo

Apr 18, 2018, 7:53:37 AM
to google-ap...@googlegroups.com
As part of our deprovisioning we have a script that does a few things when a user leaves the company.

Steps in our script:
Move the user to a DEPARTED OU, or a DEPARTED\EXTENDED OU for legal\HR users (Vault retention purposes)
Remove the user from all groups
Wipe all devices on the user's account
Randomize the user's password
Delegate the account to the manager of the user
Rename the user to <username>_departed_<date>@domain.org

The script also reminds us to hit the GUI, and sign out all sessions, so we do that as well.  

We have taken to renaming the users, because we need to know we only allow a 3 month delegation period.  After that, we suspend the user, so delegation disappears. 
Renaming the users also has the added benefit of disabling them from logging in, as the account name has changed.


Kim Nilsson

Apr 18, 2018, 8:09:41 AM
to Google Apps Manager
Nice, Kevin.
Able to share?
Replace anything sensitive with dummy information, of course.

k.melillo

Apr 18, 2018, 9:07:58 AM
to GAM for G Suite
This is run with GAM on G Suite Shell in BASH.  I would love some feedback on ways to do it better.

Take note of the userterm path, and log file path.

userterm.csv
emailAddress,firstName,lastName,ManagerEmail,ManagerPhone


I have a display function that will display the changes to be made.  In order to process the changes, you need to include DOIT on the command line.

./termUser
this will display the changes to be made

./termUser DOIT
this will process the changes.



    #!/bin/bash
    # Termination script: previews the changes by default, applies them when run with DOIT.
    INPUT=~/gam-data/userterm.csv
    OLDIFS=$IFS
    IFS=,
    timestamp=$(date +%Y-%m-%d@%I:%M%p)
    [ ! -f "$INPUT" ] && { echo "$INPUT file not found"; exit 99; }
    while read -r userEmail userFirst userLast managerEmail managerPhone
    do
      # Split the address into local part and domain, then build the renamed address
      domain=${userEmail/*@/ }
      userId=${userEmail/@*/ }
      userId="$(echo -e "${userId}" | sed -e 's/[[:space:]]*$//')"
      domain="$(echo -e "${domain}" | sed -e 's/^[[:space:]]*//')"
      domain="@$domain"
      dateStamp=_departed_$(date +%Y%m%d)
      newEmail=$userId$dateStamp$domain
      if [ -z "$1" ]
      then
        # No argument: show what would be done, change nothing
        echo -e "\e[91m\e[7mALERT:\e[0m To be used only for termination procedure"
        echo -e "to process changes use \e[91m./termUser doit\e[0m"
        echo -e "---[ \e[93m\e[1mPREVIEW of Changes \e[0m]--- "
        echo -e "\e[1mUnsuspend:             \e[0m$userEmail"
        echo -e "\e[1mRename to:             \e[0m$newEmail"
        echo -e "\e[1mDelegate to:           \e[0m$managerEmail ($managerPhone)"
        echo -e "\e[1mVacation Responder:    \e[0m"
        echo -e "  $userFirst $userLast is no longer with COMPANY, please contact $userFirst's manager at"
        echo -e "  <$managerEmail> or by telephone at $managerPhone.  \n\n  Thank You.  \n  COMPANY Support."
        echo -e "\e[36mRemove from All Groups\e[0m"
        echo -e "\e[36mRemove mobile devices\e[0m"
        echo -e "\e[36mMove to ORG /EXEMPT/Departed Staff Hold Normal\e[0m"
        echo -e "---[ \e[93m\e[1mPREVIEW END \e[0m]--"
        echo
      else
        # DOIT (any case): apply each change and record it in the log
        if [ "${1^^}" == "DOIT" ]
        then
          echo -e "---[ \e[93m\e[1mTermination Process for User \e[36m$userFirst $userLast \e[0m]---\e[32m"
          echo -e "\e[36m- Unsuspending User\e[0m"
          echo "* $timestamp * $userEmail - Termination Process Start" >> ~/gam-data/gam-data.log
          ~/bin/gam/gam update user "$userEmail" suspended off
          echo "* $timestamp * $userEmail - unsuspended" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Rename User\e[0m"
          ~/bin/gam/gam update user "$userEmail" username "$newEmail"
          echo "* $timestamp * $userEmail - renamed to $newEmail" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Remove from All Groups\e[0m"
          ~/bin/gam/gam user "$newEmail" delete groups
          echo "* $timestamp * $newEmail - all groups removed" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Move to Proper ORG\e[0m"
          ~/bin/gam/gam update user "$newEmail" org "/EXEMPT/Departed Staff Hold Normal"
          echo "* $timestamp * $newEmail - Moved to Departed Staff Hold Normal" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Delegate access to Manager\e[0m"
          ~/bin/gam/gam user "$newEmail" delegate to "$managerEmail"
          echo "* $timestamp * $newEmail - Delegated email to $managerEmail" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Set Vacation Message\e[0m"
          ~/bin/gam/gam user "$newEmail" vacation on subject "$userFirst $userLast is no longer with the COMPANY:" message "$userFirst $userLast is no longer with the COMPANY, please contact $userFirst's manager by email at <$managerEmail> or by telephone at $managerPhone\n\n Thank You, \n COMPANY Support." startdate $(date +%Y-%m-%d) enddate 2099-12-30
          echo "* $timestamp * $newEmail - Set vacation responder to $managerEmail ($managerPhone)" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Randomize Password for $newEmail\e[0m"
          ~/bin/gam/gam update user "$newEmail" password random
          echo "* $timestamp * $newEmail - Password Randomized" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Deprovision $newEmail\e[0m"
          ~/bin/gam/gam user "$newEmail" deprovision
          echo "* $timestamp * $newEmail - Revoked all App Passwords, 2 Factor, and OAuth tokens" >> ~/gam-data/gam-data.log
          echo -e "\e[36m- Dump Mobile Phones\e[0m"
          ~/bin/gam/gam print mobile query "email:$userEmail" >> ~/gam-data/tmp.mobile-data.csv
          echo -e "\e[36m- Wipe Account from All Mobile Devices\e[0m"
          ~/bin/gam/gam csv ~/gam-data/tmp.mobile-data.csv gam update mobile ~resourceId action account_wipe
          rm ~/gam-data/tmp.mobile-data.csv
          echo "* $timestamp * $newEmail - Mobile Devices Wiped" >> ~/gam-data/gam-data.log
          echo "* $timestamp * $userEmail - Termination Process Complete" >> ~/gam-data/gam-data.log
          echo -e "\e[0m---[ \e[93m\e[1m Termination Process Complete for \e[36m$userFirst $userLast \e[0m]---"
          echo
          # Sign-in cookies are not reset by any step above; this is the manual reminder
          echo "Please log into Admin Console and reset sign in cookies for $newEmail"
        fi
      fi
    done < "$INPUT"
    IFS=$OLDIFS